Ransomware: cyberattacks on large German hospitals on the decline

Reportedly, the number of IT attacks on hospitals is constantly increasing. However, this is not the case for highly critical facilities in Germany.

Smartphone with telemedicine app

(Image: greenbutterfly/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Cyber attacks on hospitals and care institutions can not only cause significant economic damage, but can also cost lives. According to media reports, the number of such attacks has risen significantly in recent years. However, this does not actually apply to particularly large hospitals in Germany. The official statistics for hospitals covered by the Ordinance on the Determination of Critical Infrastructures (Kritis) under the Federal Office for Information Security Act (BSI) show a total of 61 such incidents in 2019. This was a significant increase compared to 2018, but the numbers have been declining since then.

This is according to a recently published answer from the German government to a question from the CDU/CSU parliamentary group in the Bundestag. According to the answer, 35 IT attacks on very large hospitals were registered in 2021 and 2022 and 21 in 2023. There have been three such incidents so far in 2024. A hospital with over 30,000 full inpatient cases per year is considered a relevant critical facility. Hospitals that do not fall under the Kritis Ordinance are not subject to any federal reporting requirements for cyberattacks. According to the executive, "no overall patterns can be identified from the figures that go beyond this area".

According to the BSI Situation Report 2023, the general cyber threat level is currently high, writes the Federal Ministry of Health, which is responsible for the report. The various groups of perpetrators do not differentiate between actors in the economy and the healthcare system. In principle, cyberattacks "target the basic values of IT security: confidentiality, integrity and availability." The encryption of data by ransomware usually disrupts the ability of hospitals to work and compromises the confidentiality of patient information. In 2020, a cyberattack on Düsseldorf University Hospital made headlines. The perpetrators actually wanted to hit Heinrich Heine University on site. They handed over the keys to unlock the data. Nevertheless, a patient with a life-threatening illness had to be admitted to another hospital, where she died shortly afterwards.

According to the government, the Patient Data Protection Act has also obliged all hospitals below the critical threshold to take appropriate precautions to improve cyber security in line with the state of the art since the beginning of 2022. Since then, there has been a minimum security level for all hospitals in Germany. The facilities are supported in implementing these requirements by the Hospital Future Fund, for example. Only recently, the regulations for all clinics were tightened with the Digital Act to include the important aspect of increasing the "security awareness" of employees. The BSI also uses the available regulatory instruments to support critical operators in improving their IT security and to identify, prevent and ward off potential attack attempts. The office also helps associations to create "industry-specific security standards".

(vbr)