On September 10, 2020, a serious IT security incident occurred at the University Hospital of Düsseldorf (UKD) following a ransomware attack. According to a report by Peter Biesenbach (CDU), the Minister of Justice of North Rhine-Westphalia, the attackers encrypted 30 of the hospital’s servers overnight without being noticed. The cybercriminals demanded a ransom for the data stored on them; the decryption key needed to recover the data was to be handed over only after the ransom had been paid.
Critical IT failure due to ransomware
Healthcare is critical infrastructure
Difficulties in specifically implementing the regulatory framework
The regulatory requirements for hospitals are clearly defined. However, there are evidently shortcomings in their implementation in some areas. In a recent study, the BSI assessed the level of protection of hospitals and laboratories relevant to critical infrastructure as basically good overall. As a rule, there were few complaints about the operators’ implementation of technical protection measures, but the study revealed deficits in organizational IT security measures, particularly in hospitals. In this context, the study specifically criticized inadequate employee training in IT risk management and IT security management, as the following passage of the study shows: “There is hardly any training of measures for coping with emergencies (e.g., for manual replacement procedures that would have to be used in the event of hourly or daily server failures).”
Using existing protection technologies and closing bottlenecks
Despite all technical protective measures, vulnerabilities in the tools in use can never be completely ruled out, as the current case in Düsseldorf confirms. Likewise, even well-trained personnel make mistakes in the daily use of information technology. This makes it all the more important to take a holistic view of cybersecurity which, in addition to preventive defense, also includes measures for maintaining essential processes and restoring the affected systems as quickly as possible. The basis for this is the establishment and continuous development of an information security management system (ISMS). Within such a system, hospitals administer and develop security-relevant guidelines and methods that cover not only technical protective measures but also organizational elements such as IT risk management and IT emergency management.