Interview with Dipl.-Winf. (DH) Alexander Häußler, Global Product Performance Manager IT, TÜV SÜD Management Service GmbH
Hospitals collect a great deal of patient data, whether at admission or when using medical technology equipment such as MRI or ultrasound. Unfortunately, it has been shown time and again that this data is not as well protected as it should be - hacker attacks sometimes paralyze entire hospitals. To counter such attacks, hospitals are required by law to protect their IT. But independent audits show that there are still significant deficiencies in some cases. We spoke to Alexander Häußler from TÜV SÜD, which audits and advises hospitals in Germany on IT security.
Mr. Häußler, in Germany, servers at the University Hospital in Düsseldorf were hacked, and in Barcelona (Spain), one of the region's largest hospitals was recently hacked. In both cases, many patients were left out in the cold, as treatments and operations were cancelled. Whether patient data was accessed has yet to be clarified. In Germany, at least, the Patient Data Protection Act has made it mandatory for every hospital to ensure IT security since the beginning of 2022. Does that mean everything is fine now and our hospital IT is protected?
Alexander Häußler: You can't say that. Some hospitals have data protection at the top of their priority list, while others are a bit more lax. This may also be due to the strain caused by the pandemic and the fact that hospitals have a few other projects at the moment - but that is the reality. Unfortunately, the requirements for hospitals in Section 75c of the German Social Code V: "IT Security in Hospitals" have also not been specified very precisely. The smaller hospitals that are not "critical infrastructure" are indeed asked to check for themselves where they currently stand and which criteria they meet according to the current status. However, there is no requirement for an independent audit. Stricter requirements apply to large hospitals. They are formulated in Section 8a of the BSI Act (BSI = Federal Office for Information Security, in German: Bundesamt für Sicherheit in der Informationstechnik), which deals with security in the information technology of critical infrastructures. According to this, large clinics must send at least one independent assessment certificate to the German Federal Office for Information Security. However, these verifications are provided by different testing bodies using different testing methods. The German Hospital Association (in German: Deutsche Krankenhausgesellschaft) has defined uniform criteria with its B3S standard for hospitals, but I cannot judge the extent to which those responsible for IT in the smaller hospitals actually follow them.
You mention the industry-specific security standard (B3S) as defined in Section 8a of the BSI Act, which will apply in the future. What exactly do the small hospitals have to observe now?
Häußler: Essentially, they should observe what the larger hospitals must also observe - so that the security of their IT is guaranteed and no one can access it without authorization or paralyze it. In this respect, the small hospitals have to contend with exactly the same problems as the large ones: They have to check the security of individual systems and determine exactly who is authorized to access certain systems and areas. However, smaller hospitals usually don't have quite as many devices from different manufacturers, so the assessment effort may be less. And, of course, the topic of "backup and recovery" also plays a major role. How do I store patient data and how can I restore it if necessary - for example, after a hacker attack?
How do you advise hospitals that come to you for support?
Häußler: TÜV SÜD Management Service GmbH is a subsidiary of TÜV SÜD that specializes in auditing processes and management systems in a wide range of industries. Through our audits of large hospitals, we have already gained extensive experience in this area, which we can also use to assess IT security in smaller hospitals. To do this, we go to the hospitals and ask impartial questions to see where there may still be gaps. In doing so, we don't point the finger at people, but we look at the processes. We evaluate the processes, analyze the current state and compare the current state with the requirements of the B3S already mentioned. On the basis of this comparison, hospitals can very clearly state what still needs to be done to achieve the required state of the art in IT security.
Does that mean that some of the systems in the hospitals are still not updated with the latest software updates?
Häußler: That is certainly the case. But that's also because hospitals are not always allowed to update such systems themselves. Even if a hospital's IT department knows about an IT security problem with a heart-lung machine, for example, it can't simply download an update from the Internet and install it. Such updates usually have to go through the manufacturer, because otherwise the safe functioning of the machine may no longer be guaranteed, and this should certainly be guaranteed in a hospital. But an "outdated" software version does not necessarily have to have dire consequences. Such older systems often run in secure areas so that no one can access them from the outside. In this case, there is no reason why an older operating system or an older software version cannot be used. It just has to be ensured that no one can gain access to this system. A hopefully illustrative example: You can leave expensive diamond jewelry in the living room if you make sure that no one can get into the room from the outside. However, if you have open doors, then a safe would perhaps be a better place to store the jewelry.
Can hospitals rely on medical technology companies to provide regular updates for the machines?
Häußler: The major manufacturers usually offer the necessary updates for their software, even if it sometimes takes longer than one would like. But there are also manufacturers who pass the risk on to the operator. In this case, the operator himself must ensure that the device is so well secured that nothing can happen. In a hospital, not all devices necessarily have to be integrated into a network. But if a device is integrated into a network, the operator must ensure that the interface is secured.
Is it possible to protect the software of various medical technology manufacturers together? Or does each device have to be protected individually by the companies?
Häußler: From a security point of view, it would of course be nice if a hospital could get all its devices from just one manufacturer. That would simplify a lot of things. But even if this were possible, there would always be different generations of devices and software. Perhaps we will get to the point where there are defined interfaces for the devices that make it easier to integrate them into the "safety architecture". But even if this were possible in the future, we need to secure hospitals now. That's why there's still a lot to be done in the next few years - for the IT managers in the hospitals and for us.
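As an added illustration of the isolation approach Häußler describes above (an older device that cannot be patched by the hospital may stay in service only if nothing outside a defined segment can reach it, and any network interface it has must be secured), here is a small Python check that runs a segmentation allowlist over constructed connection log lines and reports every flow to the legacy device that the policy does not permit. This is example code written for this page, not TÜV SÜD's tooling or anything from the B3S standard; the addresses, ports, log format and policy are assumptions.

```python
"""Check that a legacy medical device is reachable only from the hosts it is
meant to talk to. Constructed example; addresses, ports and log format are assumed."""
import ipaddress
from dataclasses import dataclass

# Hypothetical policy for an imaging device whose vendor has not shipped an OS update.
# Only the PACS segment may reach it on the DICOM port, and only the vendor's
# maintenance jump host may reach it on the remote-service port. Everything else is a violation.
LEGACY_DEVICE = ipaddress.ip_address("10.20.5.10")  # constructed address of the old device
ALLOWED_FLOWS = (
    (ipaddress.ip_network("10.20.1.0/24"), 104),   # PACS segment -> DICOM (constructed)
    (ipaddress.ip_network("10.99.0.5/32"), 5900),  # vendor jump host -> remote service (constructed)
)

# Constructed firewall-style log lines in a simple "KEY=value" format (assumed, not a real product's format).
SAMPLE_LOG = [
    "SRC=10.20.1.7 DST=10.20.5.10 DPT=104",   # PACS server pulling images: allowed
    "SRC=10.99.0.5 DST=10.20.5.10 DPT=5900",  # vendor maintenance session: allowed
    "SRC=10.30.8.22 DST=10.20.5.10 DPT=445",  # ward workstation probing SMB: violation
    "SRC=10.20.1.7 DST=10.20.5.10 DPT=22",    # PACS server, but on a port the policy never opened: violation
    "SRC=10.30.8.22 DST=10.20.9.1 DPT=443",   # traffic to some other host: not governed by this policy
]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'SRC=... DST=... DPT=...' log line into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(
        ipaddress.ip_address(fields["SRC"]),
        ipaddress.ip_address(fields["DST"]),
        int(fields["DPT"]),
    )


def is_allowed(flow: Flow) -> bool:
    """True if the flow is permitted. Flows not aimed at the legacy device are out of scope here."""
    if flow.dst != LEGACY_DEVICE:
        return True
    return any(flow.src in net and flow.dport == port for net, port in ALLOWED_FLOWS)


def find_violations(lines):
    """Return every flow to the legacy device that the allowlist does not cover."""
    return [flow for flow in map(parse_flow, lines) if not is_allowed(flow)]


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"VIOLATION: {v.src} -> {v.dst}:{v.dport}")
```

The point of the check is the second violation: the source is a trusted host, but the port is not on the allowlist, so the rule set has to be expressed per (source, port) pair rather than per source alone. In practice the same allowlist would be enforced on the segment firewall and this kind of script would only be run against exported logs to confirm that no unexpected path to the device exists.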