Cybersecurity vulnerabilities exist at one-third of all German hospitals. If these are systematically abused by cybercriminals, it can become a national security risk. This is the conclusion of a study conducted by three IT security experts from Germany and Austria for NATO’s CyCon conference, which will be held virtually for pandemic reasons. Johannes Klick of Alpha Strike Labs, Robert Koch of the University of the Federal Armed Forces and Thomas Brandstetter of Limes Security have now published the results under the title Epidemic? The Attack Surface of German Hospitals during the COVID-19 Pandemic. The study is in the review process and examined the security situation of systems and information publicly accessible on the Internet from more than 1500 German hospitals. 32 percent of the services analyzed were found to be vulnerable to varying degrees. 36 percent of all hospitals examined had points of attack. In total, more than 900 critical vulnerabilities were identified.
High number of vulnerabilities at large hospitals
It is striking that hospitals, which belong to the critical infrastructure (CRITIS) according to the classification of the German Federal Office for Information Security (BSI), have a recognizably higher number of vulnerabilities than smaller hospitals. Contrary to expectations, IT security is apparently not handled more professionally at hospitals belonging to KRITIS with more than 30,000 full inpatient treatments/year.
The distribution of the most frequently detected service banners, grouped by the most important service applications.
A total of 1,483 GB of data from 89 different global internet scans were analyzed using the Distributed Cyber Recon System (DCS) from Alpha Strike Labs, which was already presented at CCCamp 2019. This enabled the detection of 1,555 German hospitals. The attack surface analysis examined more than 13,000 hospital service banners for version identification and subsequent CVE-based vulnerability identification. 32 percent of all accessible network services were vulnerable. Among other things, very old Windows 2003 servers are still in use that have not received security updates from Microsoft since 2015.
Number of vulnerabilities in hospitals in relation to the number of beds.
“German hospitals are facing key challenges in the area of critical IT infrastructure. There is still a high number of outdated, sometimes proprietary systems, which are difficult to patch, whether due to required re-certifications or the end of support for software. This contrasts with very limited resources for IT security,” said co-author Robert Koch. “The German healthcare sector offers numerous visible attack surfaces in 2020, despite increased criticality and heightened regulatory efforts. From a national risk management perspective, there needs to be a significant increase in IT security education for CRITIS organizations.” Johannes Klick adds, “Through penetration tests at our customers, we know that hospitals are often not adequately protected against cyberattacks, often simply lacking budget, personnel and, above all, risk awareness. Therefore, the question arises whether the state should not take the search for vulnerabilities into its own hands.” Thomas Brandstetter adds: “In other regions of the world, the protection of critical infrastructures has been a state issue for much longer and more intensively, with corresponding regulations and budgets. There is a clear need to catch up. Both the healthcare sector and the state must position themselves more effectively to ensure the protection of important critical infrastructures such as hospitals, including from the digital side.”
Johannes Klick, M.Sc. (Informatik) is managing director of Alpha Strike Labs GmbH and is pursuing a doctorate on the topic of “Large-Scale Internet Scanning and Global Vulnerability Detection” at Freie Universität Berlin.