In my previous blog post, I described how many German hospitals are not yet sufficiently protecting their IT systems and how they need to implement a holistic cyber defense strategy. Here, in part two, I explain how hospitals can secure the surgical area and prevent data leakage.

The known attacks on clinics in the past had the primary goal to encrypt internal data and blackmail with the help of so-called ransomware. The risk is becoming greater though, with hackers attacking critical equipment such as infusion pumps and sabotaging these by incorrect data or values. Since the processes in a modern clinic are similar to other industries from a security point of view, the established security measures can be adopted.

This includes network segmentation in areas for classical office IT, the patient management system and the surgical area to prevent the spreading of attacks. In addition, hospitals should address weaknesses in interfaces for remote maintenance of hospital systems and medical devices.

To protect the data, best practices for email and web security should be applied. It makes sense to monitor contents by permitted channels such as email systems by using a Data Loss Prevention (DLP) solution in order to make sure that confidential data leaves the clinic only in a controlled way. Hospitals should generally lock unauthorized channels as external storage or media.

The human factor is also very important. A modern cyber defense strategy only works if employees are properly trained. Clinics have to sensitize doctors, nurses and administrative staff for potential threats and encourage a responsibility for handling data.

To comply with the legal requirements, hospitals should also implement an Information Security Management System (ISMS) based on ISO 27001, which defines policies, measures and processes for the implementation of safety objectives. In addition, they have to comply with the DIN EN 80001-1 for medical IT networks and ensure trouble-free operation and interoperability between medical and IT networks.

Hospitals should also be prepared for the worst case scenario. An incident response plan describes and tests the steps and measures in the event of a cyberattack in detail. Now is the time to bring the cybersecurity strategies to a modern state in the healthcare system.