Sensitive medical records are at risk!

M.Sc. Chris Wojzechowski


In mid-July of this year, attackers hit a network that organizes the medical records of eleven hospitals and four geriatric care institutions in Rhineland-Palatinate and Saarland. Data security is a problem for many hospitals and comparable institutions.

Hacking attack on hospitals

Often, sensitive data is not only stolen; the attacker also tries to extort a ransom. The term ransomware refers to a hacking attack that encrypts the databases, giving the attacker leverage for blackmail.

The attackers proceeded similarly in mid-July. After compromising the network through a security hole and stealing the data, they were able to encrypt large parts of it. Whether the attackers demanded a ransom has not been publicly disclosed.

Institutions that work with sensitive medical records are lucrative targets for attackers. This data is particularly valuable on the black market because it cannot be altered. A credit card or password can be changed or blocked. Information from medical records, on the other hand, cannot be changed and is therefore very sensitive data that can potentially be used against you.

Security of my medical records

We already reported in detail on the security of our own health data at the beginning of this year.

The sensitive data processed by large hospitals or smaller practices should be protected. However, it is often difficult for smaller institutions to keep IT security up to date due to a lack of capital. The capital that the various institutions are entitled to for data security depends on how many inpatient cases are treated in one year.

The threshold is 30,000 cases, because from this number on an institution is considered critical infrastructure (KRITIS). Since only 6% of all hospitals in Germany reach this number, the other 94% of institutions have less money available to keep data security up to date.

The Solution

The simplest solution would be to lower the threshold so that a higher percentage is classified as critical infrastructure. Another option would be to remove the threshold and classify any institution working with sensitive health data as critical infrastructure.

This is exactly the approach the Marburger Bund is pursuing:

“It doesn’t matter in which hospital patients are treated – their highly sensitive disease-related data are equally well protected against unauthorized access everywhere,” demands Rudolf Henke, 1st Chairman of the Marburger Bund, in view of the recent hacker attacks on clinics in Rhineland-Palatinate and Saarland.

Since this option would cost considerably more money, it has not yet been possible to agree on how IT security in hospitals can be kept up to date.


M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I completed my Master's in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH, a trained IT Risk Manager and IT-Grundschutz practitioner (TÜV), and possess the test procedure competence for § 8a BSIG. Our bread-and-butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.