European Union of Private Hospitals

Cybercrime attacks on hospitals


Targeted hacker attacks on critical infrastructure – including medical devices in hospitals – are causing IT experts more and more concern.

Innumerable attacks on hospitals have been reported in the last two years, not only in Austria, but also in Germany and the USA and there is a strong increasing trend.
It is often enough to just open an attachment to an email from an unknown sender or to click on a link within such an email. Unfortunately, virus scanners cannot always provide protection.

In these cyber-attacks, rather than targeting the software itself, it is entire data sets that are now being put out of operation – so as to then extort large amounts of ransom money in exchange for deactivating the virus or decrypting the data.

Victims who refuse to pay either face a completely encrypted data world or at the best  an expensive and time-consuming delay while the system is recovered using (hopefully) available backups (ransomware). This type of malicious software has in the course of the last few years become the most frequent IT security problem for companies and accounts for some 40 % of incidents in Austria (Source: Cyber Security Report 2016 – Republic of Austria). The number of unreported cases (also from employees within the organization) or unnoticed safety incidents is likely to be many times higher.

In most cases the amount of damage is enormous and especially detrimental to the organization’s image, because hospitals use their IT systems to manage not only the entire historical patient data, but also their building services, highly sensitive medical devices, and communication services including telephony.  In addition in the event of such an attack it must be assumed that patient data will fall into unauthorized hands.

It takes very little in order to enable a Trojan or even a hacker access to the organization’s network. There is currently no 100% protection against cyber- attacks, but increased attention by  hospital management for heightening their employees’ sensitivity for IT security issues should be planned and regularly trained. Robert Sonnleitner, of base-camp IT-Security & Solutions GmbH in Vienna, is an expert on measures that help to provide effective protection: “Comprehensive and efficient protection addresses the following issues:

  • IT security strategy as part of management responsibility
  • Implementation of concrete security processes and security guidelines (e.g. passwords, employee training, authorizations, etc.)
  • Intelligent backup strategy (e.g. separation of backups from operating systems)
  • Consistent system update management
  • Technological protection (e.g. anti-virus protection, firewalls, email encryption, etc.)
  • Continuous monitoring of the measures taken (e.g. security audits, vulnerability analyses, network traffic analysis, etc.)
What is especially important here is the interplay of all components and a meaningful coordination between people and technology.

By Robert Sonnleitner, CEO Go4market GmbH