Serious security gaps discovered in hospital information systems
According to a report by the National Cyber Security Test Institute (NTC), serious security gaps have been identified in hospital information systems. The report makes recommendations on how cyber security in Swiss hospitals can be sustainably improved.

Hospital information systems are at the heart of modern hospitals. They control the flow of information, process sensitive patient data and ensure smooth processes in the hospital environment. An investigation by the National Cyber Security Test Institute (NTC) has now revealed that the cyber security of these essential systems is inadequate in many cases.
Results of the analysis
According to the report, serious security vulnerabilities were found in all the systems examined. In total, the report identifies more than 40 medium to severe vulnerabilities. Three of these are of the highest criticality. Solutions based on outdated architectures were found to be particularly vulnerable. The main problems include fundamental architectural issues, missing or improperly implemented encryption, vulnerable peripheral systems and insufficient separation between test and production environments, according to the report.
Tests have shown that some of the identified vulnerabilities allow full access to patient data and systems within a few hours. While most of the relevant vulnerabilities have now been resolved or mitigated, some fundamental problems require a comprehensive redesign of the software architecture, which according to the manufacturers will take several years. In addition, several critical vulnerabilities in peripheral systems were discovered during the analysis that were not part of the defined scope of the audit, but were recognized as incidental findings due to their conspicuous nature.
The report deliberately refrains from giving details of the weaknesses. Instead, it provides general information about the NTC Vulnerability Hub as well as targeted notification of affected hospitals via the Cyber Security Hub (CSH) of the Federal Office for Cyber Security (BACS).
Recommendations for hospitals
The report contains eight key recommendations for the sustainable improvement of cyber security in Swiss hospitals. These include taking cyber security requirements into account as early as the IT procurement stage and carrying out regular vulnerability analyses for ongoing monitoring. In smaller hospitals in particular, responsibilities for cyber security must be clearly defined and the necessary resources made available. In addition, increased networking between hospitals and access to the Cyber Security Hub (CSH) of the Federal Office for Cyber Security (BACS) are recommended.
Source and further information: www.ntc.swiss