Digitization: Hospitals as Popular Targets?

It’s safe to say that patients and their prompt medical care take center stage at any hospital. Digitization of the healthcare sector is quickly advancing to make this a reality: data is stored in a digital medium, devices are linked together. But how safe are hospitals in the age of innovation?

At MEDICA 2018, Dr. Tilman Frosch and other experts will discuss the "functional safety of hospitals in the digital age (“Funktionssicherheit von Krankenhäusern vor dem Hintergrund der Digitalisierung"). In this MEDICA.de interview, he talks about the opportunities and challenges of electronic health records, illustrates the seriousness of a cyber attack and reveals why highly trained security personnel play an indispensable role.

What does functional safety of hospitals mean? What areas are affected by this?

Dr. Tilman Frosch: A hospital’s primary role is to provide care to patients. Given that more and more processes are based on information technology systems, functional safety of hospitals is now primarily a question of reliability and availability of hospital IT.

This affects all aspects of a hospital: from the backend system to connected devices. Many things work without central IT systems, though not for long and not very well. In these cases, functional safety is severely affected by a lack of functional capability.

Countries like the US or Austria already have them. Germany is soon to follow suit in introducing the electronic health record. In doing so, hospitals take another leap into digitization. What is your stance on this development?

Frosch: I would welcome a functional and secure health record in electronic format since the seamless documentation of medication, treatment programs and symptomatology can drastically improve patient care, while simultaneously closing knowledge gaps for all stakeholders. Having said that, communication protocols in hospitals have not been developed with “safety” in mind and yet all views on electronic health records are based on these protocols.

Do you predict a security threat?

Frosch: Implementing security is very effective if you integrate it right from the start. Things get difficult if you attempt to implement it after the fact and retouch if you will. In the design phase of the aforesaid communication protocols, nobody was concerned about attacks against the system. It’s a major task to make all data for every relevant application context secure. That's why I see the electronic health record both as a great opportunity and a necessity, but also as a big challenge for each hospital, medical practitioners and the overall health care system.

Your company G DATA Advanced Analytics GmbH is committed to data security. How would you ensure the data security of a major network like a hospital?

Frosch: Needless to say, there are major medical centers with highly complex systems, but in many cases, hospitals can be compared to small and medium-sized businesses in terms of their size. This also applies to the size of their network. The difference is that humans take center stage in this case and a system failure might endanger their lives.

That's why you should install more technical safeguards. In general, it would be wonderful to propel hospital IT close to what we can achieve today. Having said that, it is vital to not only invest in technology but also in employees. Security is a continuous process and seldom completed once you buy or install a system or software to comply with guidelines and please the legislator. In reality, you are not really improving things because you still need someone who can operate and configure the system, and constantly monitors and responds to the messages. Technically, this is not a job that should be handled by regular employees, though unfortunately, this is often the case. Typically, the hospital staff is busy with day-to-day operations, which does not involve any security processes.

How vulnerable are digital hospital systems to security attacks?

Frosch: You can’t generalize it because you also don’t want to step on anyone’s toes. The debate revolves around the idea of an external attack. However, sometimes it might only be a tiny step to go from an external attack to one that is committed by an insider. “External” might mean that an invader gains or buys remote desktop access. And just like that, an external attack has become an internal attack. The impact is the same if a nurse, hospital attendant, doctor, or system administrator opens a well-made, yet malicious email for example. Securing the hospital network perimeter is simply not enough. Being tough on the outside is great, but you shouldn’t be soft on the inside.

Our responsibility as an IT service provider is to build cyber defense capabilities because an attack is likely to happen. As a result, the internal infrastructure must be stronger. This specifically applies to medical devices, such as a CT scan machine. Repair technicians service the machine every six months or so. Generally, endpoint protection for the devices will be updated and operating system security patches will be imported. Useful for comparison: updates to endpoint protection are typically made every one to eight hours, and operating system security patches are updated on a monthly basis as a minimum. Although every system should be a hard target regardless of how deep it is located in the infrastructure, it is apparent that you have to defend it differently - there is not just one network perimeter, there are many of them, and you have to protect each one of them.

Let’s assume there has been a successful cyber attack on a hospital network. What is the first step that people in charge should take?

Frosch: Consult a security expert. Even an incident that was caught immediately is still a security incident. An expert needs to assess whether it can be caught immediately or if there is further impact. Quick, right decisions and actions are crucial in this setting.

How can functional safety be restored in this case?

Frosch: It takes hard work. It is essential to detect an incident, assess it appropriately and respond accordingly. The issue and its cause must be totally eliminated. If that doesn’t happen, you might have repeated incidents. Nobody wants that, but there have already been instances in some hospitals.

As the leading trade fair for medical technology, why is MEDICA also the right platform for you, since you are actually not directly part of this industry sector?

Frosch: We are a producer and service provider that primarily services the German market and is engaged in the healthcare sector. MEDICA is Germany’s major trade fair for medical technology. The best way to reach your target audience is to meet them where they feel at home.