Düsseldorf. At the beginning of April, an unmistakable email arrived in Federal Minister of Health Jens Spahn’s mailbox. The threatening letter with the subject “Attack on German hospitals”, which is available to the Handelsblatt, was meant to force the CDU politician to transfer 25 million euros to a Bitcoin account. If the money was not received by April 17, the IT infrastructure of German hospitals would be paralyzed with malware.
The Ministry of Health did not comment when asked. The letter probably had a political background. It can be attributed to the right-wing extremist group “Staatsstreichorchester”, which has threatened politicians with attacks in the past.
To what extent the danger is to be taken seriously is questionable. But the letter shows how hospitals in the corona crisis are increasingly targeted by fraudsters, blackmailers and hackers. This is confirmed by internal documents from security authorities that are available to the Handelsblatt.
The exceptional situation caused by the pandemic makes the clinics vulnerable: stressed employees operate hospital IT carelessly, and poorly secured home-office access becomes a digital gateway into the systems. In addition, many hospitals may be poorly prepared for cyber attacks, which alarms politicians across parties.
For example, the Federal Office for Information Security (BSI) has been seeing an increase in cyberattacks related to the coronavirus for several days. At the end of March, the agency reported attacks by the Chinese hacker group APT41, which has increasingly been attacking targets abroad, including health facilities, since the corona pandemic broke out. According to the agency, the attacks exploit vulnerabilities in software from manufacturers such as Citrix, Cisco and Zoho.
“APT41 is believed to be linked to the Chinese government, making information theft the most likely crime,” the BSI report said. Many facilities are particularly vulnerable in the current exceptional situation, since their digital infrastructure and work processes are not designed for numerous improvised home office workplaces.
At the beginning of April, the BSI warned in another report of the “Coronavirus” malware. It is distributed via email attachments or downloads. After an infection, the computer restarts and presents two options: “Delete virus” or “Help”.
The first option does nothing; choosing “Help” renders the operating system installed on the hard disk unusable. The victim then sees a gray screen with the message: “Your Computer Has Been Trashed”. According to the report, the BSI cannot make any statements about how widely the malware has spread.
Interpol deploys special team
The heightened threat situation has also brought the Office for the Protection of the Constitution (Verfassungsschutz) onto the scene. In Hesse, the agency observed “increased attempts at fraud and attempts to spread malware in the context of the corona pandemic”. Successful attacks with malware could lead to “significant disruptions to medical operations,” according to a corresponding paper available to the Handelsblatt.
The international criminal police organization Interpol issued a warning to medical institutions. The organization “has seen a significant increase in the number of ransom attacks attempted against key organizations and infrastructures involved in virus control,” a statement said. “Cybercriminals are using ransom notes to hold hospitals digitally hostage.” Interpol has set up an observation team on cyber threats related to Covid-19.
Hackers had already planted a blackmail Trojan in the network of the Czech university clinic in Brno in mid-March and almost completely shut down hospital operations, so that operations could not be carried out as planned. The clinic operates one of the largest Covid-19 test laboratories in the country.
In Germany, cyber attacks on hospitals had occurred repeatedly before the corona crisis. Most recently, hackers had smuggled the Emotet Trojan into the Fürth Clinic’s systems by email in December 2019. Because of the malware, the hospital was unable to accept new patients for several days. The corona crisis now makes hospitals even more vulnerable.
The umbrella organization of the German clinics, the Deutsche Krankenhausgesellschaft (DKG), is also alarmed. There is a risk that the sometimes precarious situation of the hospitals could be exploited fraudulently, Markus Holzbrecher-Morys, the DKG’s managing director for IT, told the Handelsblatt. The impact of a failure of the IT infrastructure on general hospital operations, especially in the intensive care units, would be even more serious at the moment than under normal circumstances.
Existing IT security measures would generally not be suspended by the pandemic. “However, the establishment of new treatment capacities in the field of intensive care medicine can lead to unplanned additional burdens on IT staff in the clinics. The human resources may then be missing elsewhere,” says Holzbrecher-Morys.
German hospitals are already preparing for the heightened risk situation. The workforce must now be sensitized again, says Henning Schneider, CIO of the second largest German hospital group Asklepios. “We have significantly increased the rate of our information on IT security and are working hard to ensure that the topic is received more prominently by employees, not in spite of, but rather because of Corona.” The increased volume of requests for IT services also shows that the employees are aware of the particular current danger and “prefer to ask again”.
The Berlin Charité also said that in addition to additional technical checks and shorter update cycles of the IT systems, employees would be made more aware of how to deal with emails.
The new standard is not binding
One might have thought that, despite the crisis, German hospitals are well prepared for hacker attacks. It was only at the end of last year that the BSI and DKG set an IT security standard for the industry with 168 measures. However, the standard is not binding; it is only the basis for the audits under the IT Security Act that take place in hospitals every three years.
And above all, the standard only applies to clinics with at least 30,000 fully inpatient cases per year, because only then are they considered critical infrastructure. The standard is therefore only relevant for around one in ten hospitals.
“I don’t understand how IT security can be delimited,” criticizes Asklepios CIO Schneider: “Many smaller hospitals were unprepared. There is often a lack of funds here to implement the highest level of security.” In many German hospitals, investments by the responsible federal states have been missing for years. Flat rates per case that statutory health insurance actually pays to the clinics for ongoing operations are increasingly being misused for investments. IT security also suffers from this.
Now calls are being made to help the hospitals financially and to tighten the guidelines in order to prevent cyber attacks. “The federal government should set up an IT security fund for this, from which money can only be generated if it can be demonstrated that it improves IT security in the corresponding clinic,” says Schneider.
The deputy leader of the Greens’ parliamentary group, Konstantin von Notz, calls on the German government to “put the extremely scarce resources fully into the hardening of the digital infrastructure”. That there is still no independent BSI and no new version of the IT Security Act are massive failures, he said. “Those who are currently working at the absolute limit and are faced with an increased threat potential need independent advice and clear legal requirements as soon as possible,” von Notz told the Handelsblatt.
This contribution is an extract from the exclusive briefing Handelsblatt Inside Digital Health.
The FDP’s digital policy spokesman, Manuel Höferlin, believes that additional security training for staff is necessary. “Especially in administration, which is usually the target of hackers,” he said. However, he fears that the capacities for this will not be available everywhere in the crisis. “It is therefore important that we finally systematically protect hospitals and medical practices against cyberattacks after the corona situation,” said Höferlin.
The digital policy spokesman for the Union parliamentary group, Tankred Schipanski, assumes that the clinics have taken appropriate security measures. The corona crisis is making implementation of the new security standards more difficult, he said. The CDU politician rejected the demand to better equip hospitals financially against cyber attacks: “No additional funds from the federal government are planned.”
Crisis softens standards
During the corona crisis, so-called “DDoS attacks” on critical infrastructures, hospitals in particular, have increased significantly, reports Manuel Atug, managing director of IT security service provider HiSolutions and member of the Chaos Computer Club (CCC). In such attacks, data networks and systems are overloaded by many distributed requests from attackers. This could specifically block websites for patient information or administration programs and shut down hospital operations.
He also sees medical devices as a gateway for hackers, as they are increasingly digital and integrated into networks so that doctors can control them over the Internet. As soon as they are certified according to the Medical Devices Act, they may no longer be changed. Security updates for MRI or CT scanners also require certification so that they can be offered again.
“These are sometimes not offered at all or only after a considerable time delay in which these devices are vulnerable,” says Atug. “The risk could be further exacerbated because information security checks cannot always be taken into account when purchasing ventilators,” adds DKG IT chief Holzbrecher-Morys.
With other network-based devices such as computers, this risk is countered with a so-called penetration test, which simulates all the methods and means that an attacker could use to penetrate a system without authorization. However, penetration tests are often omitted for expensive medical devices, said Atug, “because afterwards they can no longer be used due to the liability and they are simply too expensive for this test method”.
Tilman Frosch, managing director of IT security service provider G DATA Advanced Analytics, sees a completely different problem. The challenge is not only to protect yourself from a cyber attack, but to discover it at all.
“In organizations without adequate technical and human resources, even off-the-shelf malware can go undetected for several hundred days,” he said. When dealing with cyberattacks in hospitals, he regularly finds traces of previous attacks that have so far “remained completely undetected”.
In addition, “undirected attacks could also have a massive impact on hospital operations,” he said, meaning attacks that do not target the facility itself, but the devices of employees.
For a few weeks now he has been observing a large number of domain registrations containing the term “Covid-19”. A stressed-out hospital employee could quickly click on a link to a fake website that would have been noticed on careful examination.
This allows identities and passwords to be stolen, giving hackers access to systems. Frosch fears: “In times of crisis, the hour of the phishers strikes.”