Cyber attacks can pose a critical threat to hospitals

Hospitals in Canton Zurich are often the target of cyber attacks. Experts and politicians are therefore concerned about security and patient data. By Pascal Wiederkehr. Translation by Ruth Turin.

During the coronavirus pandemic, hospitals are taking special measures to prevent any suspected cases from coming into contact with unprotected patients. The Department of Health of Canton Zurich even issued a visitor ban. However, a problem that can be solved on-site with security personnel or closed doors is more difficult to monitor in the internet, where umpteen digital doors provide access to hospitals. Companies are not the only popular targets of cyber attacks, hospitals have long been the focus of criminal schemes.

In 2019, Wetzikon Hospital was attacked by the Emotet trojan. A trojan is malware that infiltrates computers and performs unwanted functions, such as the siphoning off of data and passwords. The attack was widely covered in the media at the time, including by Neue Zürcher Zeitung. Research carried out by Rundschau, a program by SRF (Swiss Radio and Television) revealed that other healthcare providers, such as Limmattal Hospital and the Zentrallabor Zürich had also been affected. The attacks had no serious consequences, however, and no patient data were lost.

Minimum standards are needed
Bettina Balmer (Free Democratic Party) and Benjamin Walder (Green Party), both cantonal councillors, submitted a motion on the topic. “Especially in light of increasing digitalization in healthcare, the problem of cyber attacks cannot be underestimated,” they write in their motion. They would like to know, for instance, how many cyber attacks have occurred in hospitals in Canton Zurich in the last few years. They are also asking the Council of State why there are no minimum standards

“Compulsory minimum standards would be a step in the right direction.”

Hernâni Marques, Chaos Computer Club Switzerland

While minimum standards for information and communication strategies (IKT) have been defined by the federal government, they are only recommendations and not specifically intended for hospitals. “If somebody is really bent on launching a malicious attack, it will be extremely difficult to avert it,” says Hernâni Marques. “Compulsory minimum standards would be a step in the right direction” according to the computer linguist who studies encryption software professionally. Indeed, there are even different IT systems being used within hospitals. “In order for systems to be kept up to date, more staff and financial resources are needed,” says Marques, spokesperson for the Chaos Computer Club Switzerland. The hacker organization opposes oversight and advocates data protection in the internet. What is needed, they say, is training for users, as they are a major weak point.

Total security is an illusion
According to Radio Prague, it was only last March that a cyber attack temporarily brought the Brno University Hospital in the Czech Republic to a halt. The hospital became a victim of ransomware. This is where hackers attempt to encrypt data on computers using ransomware and subsequently extort money for decryption. “Typically, ransomware is sent in a mail attachment,” explains Marques. Unsuspecting users open the attachment and the software installs itself independently. “If it is well-designed malware, it always looks for additional devices, jumping from one to the next,” says the IT specialist. The question then is how well the individual systems are separated from one another. “In the worst case, if life-support machines are affected by hacker attacks, even human lives could be at risk,” Marques warns. There is no general reporting obligation for cyber attacks. Wetzikon Hospital set a good example and reported the trojan attack to MELANI, the Reporting and Analysis Centre for Information Assurance. Many companies fear for their reputation, however. “Total security is an illusion, but we have to make systems as secure as possible,” Marques points out. Cyber attacks can pose a critical threat to primary care. 

Hospitals are frequently the target of cyber attacks. “Attempted attacks on the IT infrastructure of the City of Zurich happen all the time and therefore also on the Waid and Triemli City Hospitals,” their media relations offices explain. This is not only commonplace in the city administration. “So far, the attacks could be averted by our defense systems and security experts,” the city hospitals report.

Attempted attacks on Bülach Hospital occur mainly via mail. So-called port scanner attacks that probe networks for open ports were also discovered. “According to current knowledge, all attacks on our systems could so far be averted,” says Urs P. Kilchenmann, media spokesperson. In 2019, external specialists conducted a comprehensive investigation confirming that there had been no infection by malware. “Security measures at Bülach Hospital have thus far been sufficient to ensure protection, including patient data,” says Kilchenmann.

Zollikerberg Hospital reports similar experiences, saying that their network has not been hacked in the past two years. Untargeted attacks often attempt to obtain information via phishing mails, i.e. false mails, so as to subsequently conduct a targeted attack. The hospital receives multiple such mails every day, of which roughly 90 percent are caught by the spam filter and not delivered to the recipient. The majority of staff are aware of the problem and recognize and delete phishing mails.

However, Zollikerberg Hospital did experience an incident, albeit indirectly. It is co-operator of the Zentrallabor Zürich, which was hacked by the Emotet trojan. “No sensitive data was affected at the Zentrallabor either,” stresses Anke Schramm, who is responsible for marketing and communications at the hospital. “We adhere to the government’s IKT minimum standards and are grateful that such standards exist,” says Schramm.

Owing to the pending motion in the Cantonal Council, the University Hospital Zurich declined to answer any questions.

The English version is a translation of the original in German for information purposes only. In case of a discrepancy, the German original will prevail.