Weaknesses in medical technology
Similar to a blackout, viruses could disrupt hospital facilities and medical equipment, possibly causing failures. Prof. Ursula Sury, HSLU vice-director and SQS expert for data protection audits, explains in an interview with Management & Quality what potential weak points exist in medical technology and which laws and standards apply.
There is a self-sufficient power supply in every operating theatre. If the mains fails, batteries take over automatically; the interruption to vital devices lasts perhaps a few milliseconds. But how serious could the situation become if a device system or the device's service were hacked and manipulated?
It is becoming increasingly likely that globally organised extortionists will try to cause damage in hospitals, as studies (see "Vulnerability of Swiss hospitals to cyber attacks") underline. Swiss hospitals and facilities have already been infected with malware, including denial-of-service (DoS) attacks.
Similar to a blackout, encryption viruses (ransomware) can block individual operating facilities or cause further disruptions. During carnival in Neuss in the Rhineland, a hospital had to shut down its servers after they were compromised. In addition to a six- to seven-figure loss, the hospital was unable to treat seriously injured patients for days.
How could such cyber risks be avoided in Swiss institutions, and what legal countermeasures could be taken against them? Interview with Prof. Ursula Sury, data protection expert
Prof. Sury, how difficult is it to spy on or alter data about medical devices?
This would ultimately have to be asked of an IT expert. However, it is generally known that inappropriately secured networked devices in sensitive as well as public hospital areas can be tapped and manipulated. This can be prevented with rigorous IT protection measures, corresponding obligations in contracts with IT suppliers and providers, and ensuring secure handling by employees.
Do you know of any cases where equipment has been tampered with in such a way as to cause a malfunction?
In general, yes, but not specifically. However, I think that faulty functionality in medical devices causes the biggest problems. Furthermore, sensitive data could be passed on unencrypted for statistical (marketing) purposes.
Is liability fully assumed after an anonymous hacking attack?
Difficult. You have to document everything: the security concepts (see "dormant viruses") and all the processes and procedures. In the case of liability, the question of fault always arises, i.e. whether security gaps arose in a hospital as a result of a demonstrable failure to exercise due care.
What legal measures are useful to protect against unauthorized access?
The principle of consent applies primarily. Patients or nursing home residents must be made aware of their rights and obligations with regard to data protection law.
"You have to prove it," says Prof. Ursula Sury.
Do you think the storage of sensitive data in devices and in clouds is legally regulated today?
Yes, there are sufficient legal regulations, such as the Swiss Data Protection Act (DSG 10a). Unfortunately, these legal requirements are currently not being complied with very well. However, it is always ultimately a question of operational protective measures and data processing.
Is the networking of medical technology a curse or a blessing for the healthcare system?
A fact that must be shaped beneficially!