Cyber defense in a hospital: a case study

Hackers are increasingly setting their sights on hospitals. These are becoming increasingly digitized and networked, while at the same time working with highly sensitive data. Added to this is the fact that, in hospital, things are often literally a matter of life and death. Unexpected outages can therefore have far-reaching consequences.
Digitization offers enormous opportunities – and this is also true in the healthcare sector. At the same time, however, new challenges and risks are created – for hospitals, for example. They are particularly vulnerable to cyber extortion, and this risk has been exacerbated by their strategic position in the pandemic.

Cyberattack on Wetzikon Hospital

Wetzikon Hospital experienced first-hand that hospitals are an attractive target for hackers. In October 2019, the hospital, which provides primary health care to about 55,000 people in the Zürcher Oberland, was the victim of a hacking attack. A computer was infected with the Emotet Trojan via a fake email. The software spread across the network and downloaded more malware.

Successfully averted thanks to good preparation

The attack on Wetzikon Hospital was fortunately mitigated, as Matthias Spielmann, CEO of Wetzikon Hospital reports: "IT security is a high priority for us and we have put various measures in place to protect ourselves from hackers." Among other things, regular backups of all important data are created and stored separately from the network. Employees’ prudent behavior also played a major role in this regard: "Our attentive employees discovered the attack quickly, enabling us to promptly clean up our system. Our extensive backups meant that the data was not lost and we were able to restore it."

Attacks with devastating consequences

The devastating consequences that cyberattacks can have on healthcare facilities are illustrated by the example of a German university hospital. During the attack on the hospital, it was no longer possible to perform operations, the emergency room had to be closed and ambulances could no longer access the university hospital. Regular daily operation was massively affected and even ambulances had to be diverted.

Hackers zoom in on hospitals

Not quite as dramatic, but with equally grave consequences, are incidents in which hackers attack patients' sensitive health data and threaten to publish them. This type of cyber-extortion can also cause a lot of damage and command a correspondingly high ransom. According to the "Cyber Security Report 2021" by IT security firm Check Point, cyberattacks on hospitals worldwide increased by 45 % in the fourth quarter of 2020. Check Point summarized this with the words: "Attacks on healthcare sector become an epidemic." Swiss hospitals are also feeling the effects of this, making it all the more important for them to protect themselves effectively.

The legal situation is also becoming stricter

Inadequate cybersecurity also carries the threat of increasingly severe legal consequences: following the alignment of the Swiss Federal Act on Data Protection (FADP) with the EU Data Protection Regulation, hospitals, like all other companies, are subject to much stricter sanctions and expanded obligations to provide information, and are also required to create a processing directory. The rights of data subjects are also set to be strengthened. It is not yet known on what date the Federal Council will bring the new data protection law into force.

Cyber Security is more than IT

It is critical for hospitals to understand their cyber-risks in a holistic manner. Modern technical security measures can indeed help to significantly reduce the risk of damage. However, it is impossible to provide comprehensive security if one sees the protection of data and IT systems as a purely IT and technology problem. Attackers use a multitude of ways to gain access, and they often also exploit the "human factor", as it is the weakest link in the security chain. The risk of falling prey to a cyberattack is significantly increased by ignorance. This makes cybersecurity awareness training an important component of any security concept. The aim of these training courses is to make employees aware of the dangers and to show them how to behave in the event of an attack.

Good preparation is the best protection

The example of Wetzikon Hospital shows that good preparation against cyberattacks can enable hospitals to fend off many of them or at least greatly reduce the extent of the damage. It is therefore essential to strengthen the resilience of internal systems against attacks and to identify threats at an early stage. After all, cyberattacks are not only becoming increasingly sophisticated, but also increasingly inconspicuous: several weeks or even months can elapse between the first attack and the final deployment of the encryption software. During this time, criminals can move more or less without restriction in the network. Regularly checking the company network is the only way to detect early signs of infiltration by hackers.

Better handle cyberattacks with an IT contingency plan

In addition to good precautions, it is imperative that every hospital has an IT contingency plan. This is because urgency is required as soon as important IT systems have been attacked and compromised. Such a plan includes practicing recovery processes and simulating the scenario of an IT crisis to see how elementary functions can continue to run in emergency mode and how long periods of interruption can be prevented for important processes.

The hospital in Wetzikon has also strengthened its security precautions following the hacker attack, as Matthias Spielmann reports: "We were already cautious before, but now we’ve strengthened our security measures even further. This includes regular training for employees, security updates and an even more sophisticated backup system."

Interview: Matthias P. Spielmann, CEO GZO Spital Wetzikon

Why did GZO Spital Wetzikon escape comparably unscathed following a hacker attack in October 2019?
The GZO Spital Wetzikon carried out an extensive IT security audit before the hacker attack. Its purpose was to obtain clarity on potential security deficiencies and to remedy them. Fortunately, thanks to this good preparation, the hospital got off lightly. The "Emotet" Trojan sneaked in via a fake internal e-mail message that looked deceptively real. When the attachment was opened, the Trojan spread across our IT network and loaded further malware programs. Thanks to attentive employees, we discovered the attack quickly and were able to clean up our system straight away.

How important was the time factor in this situation?
It was extremely important that we discovered the attack as quickly as we did and were able to respond immediately. Despite the attack, we were able to continue operations at the Wetzikon Hospital as normal and no encryption or loss of patient data occurred. However, a team of experts was busy for several weeks checking and cleaning up devices. Nevertheless, it was a time-consuming and costly exercise.

What have you learned from the attack? What have you changed?
The attack has made us aware that cybercrime is moving to a new level - we are now experiencing a completely new dimension of threats. Cybercrime affects us all and in addition to good prevention, every hospital should have an IT emergency plan. Constant monitoring and fast response times are also critical to success in fighting such attacks. The attack showed us that well-prepared hospitals can fend off attacks or at least greatly reduce the extent of the damage. Nevertheless, we have once again strengthened our security measures following the attack and invested in new IT protection measures. An important part of our security concept is training and raising our employees’ awareness on a regular basis. 
