Lives depend on cybersecurity in critical infrastructures
SECURITY INSIGHTS | 9 October 2020
The latest cyber attack on the University Hospital of Düsseldorf shows, in a rather depressing way, the great importance of IT security in the critical infrastructure of the healthcare sector. Digital processes at hospitals, medical practices, and associated service providers in the healthcare sector must be secured without compromise – as there is otherwise the risk of disastrous consequences.
On September 10, 2020, a serious IT security incident occurred at the University Hospital of Düsseldorf (UKD) following a ransomware attack. According to a report by Peter Biesenbach (CDU), the Minister of Justice of North Rhine-Westphalia, attackers encrypted 30 of the hospital’s servers overnight without being noticed. The cybercriminals demanded a ransom for the data stored on them. The decryption key needed to recover the data was to be handed over only after the ransom had been paid.
Due to the attack, emergency patients could no longer be admitted and treated. This turned out to be fatal for a patient suffering from a life-threatening injury who had to be transferred to a more distant hospital due to the IT failure. Medical treatment was delayed by about an hour and the patient died shortly afterward. For this reason, the perpetrators are also being investigated for negligent homicide.
According to information from the BSI (German Federal Office for Information Security), the attackers gained access to the hospital’s network through a vulnerability in Citrix VPN software known as “Shitrix” (CVE-2019-19781). Although the vulnerability was fixed shortly after the manufacturer released a patch for it in the spring, the cybercriminals had apparently already created their backdoors into the systems by then. The subsequent patch does not protect against any such backdoors. The BSI had warned of the vulnerability and the consequences of it being exploited back in January.
According to the Ministry of Justice, the actual attack by the “DoppelPaymer” ransomware Trojan followed in September. The malware was able to infiltrate the hospital’s network unnoticed via the previously installed backdoors using “loaders.” Due to the type of malware used, it is believed that a Russian hacker group specializing in ransomware attacks on companies and other organizations is behind the attack.
This tragic case once again underscores the crucial importance of IT security in the critical infrastructure environment, particularly in the healthcare sector. The security of digital processes is on the same level as other technical equipment and professional staff. Mistakes and omissions put human lives at risk just as much as negligence on the other primary levels. That is why the German IT Security Act sets out very strict regulatory requirements for securing digital processes for hospitals relevant to critical infrastructure. For example, digital hospital information systems (HIS) must be redundantly secured via emergency plans to enable access to essential patient and treatment data, even in the event of failure or attack. Critical infrastructure facilities must also regularly demonstrate that all available resources are being used for the required protection of their systems. The security of their systems must always be kept up to date with the latest technology.
Based on the IT Security Act, the industry-specific security standard (B3S) defined by the German Hospital Association (DKG) for healthcare in hospitals provides more detailed specifications. B3S comprises 168 measures for establishing resilient information technology that safeguards the medical care of patients. The B3S standard primarily affects hospitals with more than 30,000 inpatient treatment cases per year, but smaller hospitals are also expected to benefit from the catalog of measures. It also includes processes for business continuity management, which are intended to ensure that operations are maintained in the event of a complete IT failure.
The regulatory requirements for hospitals are clearly defined. However, there are obviously shortcomings in implementation in some areas. For example, in a recent study, the BSI assessed the level of protection of hospitals and laboratories relevant to critical infrastructure as basically good. As a rule, there were few complaints about the implementation of technical protection measures by operators, but the study revealed some deficits in organizational IT security measures, particularly in hospitals. In this context, the study specifically criticized inadequate employee training relating to IT risk management and IT security management, as the following paragraph of the study shows: “There is hardly any training of measures for coping with emergencies (e.g., for manual replacement procedures that would have to be used in the event of hourly or daily server failures).”
Against the backdrop of progressive digitization in the healthcare sector and the timely introduction of electronic patient files, continued focus on data security and data protection is absolutely essential. As the BSI study has shown, most hospitals are technically well organized. Specific attacks from the outside are addressed by a wide range of protective mechanisms, including firewalls, DMZ, routing, spam and malware protection, VPN, and encrypted internet connections.
However, there is room for improvement in those technical protection measures that require the active participation of employees. For example, the BSI sees acceptance problems in the encryption of mobile storage media and emails. In many hospitals, network segmentation is also incomplete. As a result, networks for medical technology, administration, applications, and patients and/or guests are not cleanly separated from one another. These deficiencies increase the risk of an uncontrolled outflow of data and the spread of malware within hospital IT systems. In addition, only a few hospitals use continuous network monitoring for detecting and responding to such incidents. The same picture emerges when it comes to centralized email scans for defense against malware or phishing attacks.
Despite all the technical protective measures, vulnerabilities in the tools used can never be completely ruled out, as the current case in Düsseldorf confirms. Likewise, even well-trained personnel make mistakes in the daily use of information technology. This makes it all the more important to take a holistic view of cybersecurity, which, in addition to preventive defense, also includes measures for maintaining essential processes and restarting the affected systems as quickly as possible. The basis for this is the establishment and continuous development of an information security management system (ISMS). In such a system, hospitals administer and develop security-relevant guidelines and methods, which cover organizational elements such as IT risk management and IT emergency management in addition to technical protective measures.
In the long term, a needs-based level of protection in small and large hospitals alike can only be guaranteed by consistently evaluating and prioritizing all existing processes. The BSI recommends that the primary focus be on the critical services of inpatient medical care. Such an assessment clearly shows the mutual IT dependencies of essential processes, enabling the criticality of individual processes to be classified. The result is state-of-the-art, threat-based security for hospital IT that also takes economic aspects into account.
Meanwhile, decryption of the compromised data is underway in Düsseldorf, which will take several more weeks according to information from the university hospital. After those responsible contacted the perpetrators and informed them of the seriousness of the situation, the hackers gave out the decryption key with no insistence on a ransom. The attack was most likely targeting Heinrich Heine University Düsseldorf, and the university’s hospital accidentally fell victim to the ransomware attack – at least that’s what the blackmail letter suggests, which was not addressed to the hospital. The hospital, the Ministry of Justice, and the BSI have not yet completed their detailed investigation of the cyber attack. So far, no information has been communicated about the level of the hospital network on which the backdoors were installed or how they escaped the controls of outside security specialists.
Myra secures government websites and the online portals of government agencies such as Infektionsschutz.de belonging to the German Federal Center for Health Education (BZgA) and the web portal of the German Federal Ministry of Health (BMG). Through the websites of the BZgA and the BMG, the Federal Ministry of Health provides the public with essential information about the coronavirus, for example.