Does that mean that some of the systems in the hospitals are still not updated with the latest software updates?
Häußler: That is certainly the case. But that's also because hospitals are not always allowed to update such systems themselves. Even if a hospital's IT department knows about an IT security problem with a heart-lung machine, for example, it can't simply download an update from the Internet and install it. Such updates usually have to go through the manufacturer, because otherwise the safe functioning of the machine may no longer be guaranteed, and this should certainly be guaranteed in a hospital. But an "outdated" software version does not necessarily have to have dire consequences. Such older systems often run in secure areas so that no one can access them from the outside. In this case, there is no reason why an older operating system or an older software version cannot be used. It just has to be ensured that no one can gain access to this system. A hopefully illustrative example: You can leave expensive diamond jewelry in the living room if you make sure that no one can get into the room from the outside. However, if you have open doors, then a safe would perhaps be a better place to store the jewelry.
Can hospitals rely on medical technology companies to provide regular updates for the machines?
Häußler: The major manufacturers usually offer the necessary updates for their software, even if it sometimes takes longer than one would like. But there are also manufacturers who pass the risk on to the operator. In this case, the operator himself must ensure that the device is so well secured that nothing can happen. In a hospital, not all devices necessarily have to be integrated into a network. But if a device is integrated into a network, the operator must ensure that the interface is secured.
Is it possible to protect the software of various medical technology manufacturers together? Or does each device have to be protected individually by the companies?
Häußler: From a security point of view, it would of course be nice if a hospital could get all its devices from just one manufacturer. That would simplify a lot of things. But even if this were possible, there would always be different generations of devices and software. Perhaps we will get to the point where there are defined interfaces for the devices that make it easier to integrate them into the "safety architecture". But even if this were possible in the future, we need to secure hospitals now. That's why there's still a lot to be done in the next few years - for the IT managers in the hospitals and for us.