Analyzing medical device connectivity and its effect on cyber security in German hospitals

BMC Medical Informatics and Decision Making - Volume 20 - Pages 1-15 - 2020
Markus Willing1, Christian Dresen2, Uwe Haverkamp1, Sebastian Schinzel2
1University of Münster, Germany
2Münster University of Applied Sciences, Germany

Abstract

Modern healthcare devices can be connected to computer networks and many western healthcare institutions run those devices in networks. At the same time, cyber attacks are on the rise and there is evidence that cybercriminals do not spare critical infrastructure such as major hospitals, even if they endanger patients. Intuitively, the more and closer connected healthcare devices are to public networks, the higher the risk of getting attacked. To assess the current connectivity status of healthcare devices, we surveyed the field of German hospitals and especially University Medical Centers (UMCs). The results show a strong correlation between the networking degree and the number of medical devices. The average number of medical devices is 25.150, with a median of networked medical devices of 3.600. Actual key users of networked medical devices are the departments Radiology, Intensive Care, Radio-Oncology (RO), Nuclear Medicine (NUC), and Anaesthesiology in the group of UMCs. In the next five years, the usage of networked medical devices will increase significantly in the departments of Surgery, Intensive Care, and Radiology. We detected a strong correlation between the degree of connectivity and the likelihood of being attacked. The survey answers regarding the cyber security status reveal a lack of security basics in some of the inquired hospitals. We did discover successful attacks in hospitals with separated or subsidiary departments. A fusion of competencies on an organizational level facilitates the right behavior here. Most hospitals rated themselves predominantly positively in the self-assessment but also stated the usefulness of IT security insurance. Concluding our results, hospitals are already facing the consequences of omitted measures within their growing pool of medical devices. Continuously relying on historically grown structures without adaptation and trusting manufacturers to solve vectors is a critical behavior that could seriously endanger patients.
