In May, 40 British hospitals were hit by a global ransomware attack. Individual German hospitals have also suffered cyber attacks. At the Lukas Hospital in Neuss, malware blocked access to the hard drives in IT systems. Operations had to be canceled and patient data recorded by hand. Lab results were carried manually from one department to another.
Two thirds of German hospitals have fallen victim to such attacks, according to a new study by Roland Berger, which questioned 75 chief executives and directors of German hospitals.
“We were surprised by the managers’ honesty,” says Oliver Rong, who heads Roland Berger’s health section for Germany, Austria and Switzerland. “Companies are loath to acknowledge having been the target of a cyber attack.”
Germany has been spared widespread attacks like that on the British National Health Service, largely because, with 2,000 hospitals run by various organizations, its hospital landscape is extremely decentralized.
Nevertheless, hospitals are fortifying their cyber security — mostly by improving firewalls, developing emergency plans and training employees, according to the Berger study. In the meantime, access to external websites is limited at many hospitals, and external storage media such as USB sticks are forbidden.
With more and more medical treatment networked and digitally controlled, cyber attacks on hospitals are a frightening prospect. But experts say the threat shouldn’t be overplayed. “Networking doesn’t mean medical equipment in the hospital is linked to the internet and can be accessed by outsiders,” says Hannes Molsen, responsible for global product security at medical technology company Dräger.
Mr. Molsen expects hospitals, like any other sector, to remain the target of Trojan attacks but says the threat is mainly to administration. Despite headlines claiming infusion pumps or pacemakers could be hacked, he believes patients on the operating table are largely safe from cyber attacks. Still, he advises hospitals not to force the pace of digitalization to the point where security is neglected.
In any case, large hospitals are now obliged to up their cyber security, since they are legally classified as critical infrastructure. Around 110 hospitals with more than 30,000 in-patients per year must undergo a special risk analysis and cyber attacks must be reported.
But all this will cost money, and hospital IT budgets tend to be limited. The Roland Berger study says hospitals spend less than 2 percent of their revenue on IT. A study by IT market research institute Gartner found that in the financial sector the figure was 8 percent, and in transport more than 4 percent. According to the Institut für Krankenhauswesen, hospitals in the United States spend as much as 10 percent of their revenue on IT.
With many hospitals already under financial pressure, their IT departments can’t hope for much more from current revenue. The Berger survey found that less than 59 percent of hospitals earned a surplus in 2016. Only 47 percent expect a surplus for the current year.
Yet hospital managers are planning new digital projects. Of those surveyed, 90 percent said they had a strategy in place. Experts say limited budgets mean it’s important to prioritize.
“Hospitals often go in too many directions at once,” Peter Magunia, German health sector researcher at Roland Berger, said. “In large hospitals, it isn’t unusual for 50 different IT projects to be running simultaneously.” He advises hospitals to concentrate on completing fewer projects more quickly.
But ultimately, even if new technology means hospitals can boost efficiency, Mr. Rong says they will need more public funding. “The German states need to increase their investment. Funding is already insufficient, and digitization will require even more money.”
Maike Telgheder is an editor at Handelsblatt, covering the health economy, pharmaceutical companies and chemistry.