BSI: More Vulnerability Reports from Healthcare

There are health data attractive to attackers in hospitals, doctors’ offices, laboratories and consumers’ devices. The latest security report from the German BSI shows that stealing these data is increasingly becoming a main target of attackers and attacks.

For several years now, the “Network and Information Security Directive“ (NIS) and the KRITIS legislation has required German institutions in eleven sectors to apply stronger and more precise security measures, including reporting obligations, risk analyses and resilience plans. And this is already having its impact on the healthcare sector: according to a recent BSI study, the healthcare sector ranks second in terms of the number of reported data leaks in 2024 – showing clear evidence that now is the time to act.

Almost Every Fifth Incident Report from the Healthcare Sector

Of the 726 reports received by the BSI last year, a quarter came from the transport and traffic sector, while almost 20 % originated in the healthcare sector. Close behind: Energy (18.8 %), Finance and Insurance with 16.5 %, ranking fourth. The threat level is high, especially for hospitals and facilities – even if the reported figures should be treated with caution. Whether banks, for example, are just as motivated to report intrusions and failures as much as hospitals are, seems debatable.

On the other hand, the fact that healthcare data is only ranked eighth in the list of leaked data in the BSI report should not detract from the threat itself. For one thing, the leaked data are sorted according to frequency, and almost every more frequently leaked information also occurs in other contexts (possibly with the exception of social security numbers). However, payment data, names and addresses are information that is likely to be much more attractive to attackers than “naked” health data.

Provisions of the KRITIS Umbrella Law

Meanwhile, the cabinet of the German government launched the KRITIS umbrella law just before the end of the existing coalition. At the beginning of November, the details of the law were agreed, which is intended to act as a kind of protective umbrella over various sectors as an analogous complement to NIS2. It is not yet clear when the Bundestag will pass the law, but chances are high that it will.

According to these plans, the healthcare sector must also introduce operational resilience management, which includes setting up operational risk and crisis management, carrying out risk analyses and assessments, drawing up resilience plans and implementing suitable measures (technical, personnel and organizational) – all measured and organized with the help of Business Continuity Management Systems (BCMS) and Information Security Management Systems (ISMS).

BCMS and ISMS implementations are measured on the basis of maturity levels ( from 1 to 5; the higher, the better). In the BSI report mentioned above, their implementation in the healthcare sector is still mixed, as everywhere. Healthcare institutions are in the middle of the pack, most have implemented ISMS and BCMS, but only a few regularly check them for effectiveness or even improve them.

In the case of the mandatory systems for attack detection, most players have already started implementation and implemented the mandatory (Must) requirements, but only a small proportion have also established target (Should) requirements. Only a few have implemented a continuous improvement process.

Specific Threats in the Healthcare Sector

The same rules and experiences apply to hospitals, doctors’ surgeries and other institutions: For them, the IT security magazine CSO online reports 81 % more ransomware attacks in recent years, with over 91 percent of “malware-related security breaches” in 2024 involving ransomware. According to CSO, only “multi-factor authentication and detection and response technologies”, such as those offered by Greenbone with its vulnerability management, can protect against this. Clouds are not immune to this either: 53 % of administrators in the healthcare sector told CSO that they had “experienced a cloud-related data breach in the last year”. Furthermore, attackers are increasingly targeting websites, botnets, phishing campaigns, and the growing number of vulnerable IoT devices, both in the consumer sector and at the network edge.