The information systems of several Swiss hospitals have serious security vulnerabilities. More than 40 medium to severe vulnerabilities were identified in the three systems examined by the National Testing Institute for Cybersecurity (NTC).
Hospital information systems (HIS) constitute the heart of modern hospitals. They manage the flow of information, process sensitive patient data and ensure the proper functioning of the hospital environment, the NTC recalled on Thursday.
According to the NTC, three to five HIS solutions are mainly used in Switzerland. They are specially designed to meet the requirements and particularities of the Swiss health system and are used by almost all major Swiss hospitals. The NTC examined three of them.
Complete overhaul of the software architecture
Significant flaws were found in all systems examined. Solutions based on outdated architectures are particularly vulnerable. Fundamental architectural issues, lack of or incorrect implementation of encryption, vulnerable related systems, and insufficient separation between test and production environments, among other things, threaten system security.
Some of the vulnerabilities identified allow full access to patient data and systems within hours. While most of the significant flaws have since been fixed or mitigated through interim measures, some fundamental issues require a complete overhaul of the software architecture. According to the manufacturers, this will take several years.
Technical recommendations
Additionally, the analysis detected several significant vulnerabilities in related systems that were not within the scope of the audit but were discovered incidentally because they were so glaring.
The report deliberately does not give details on the flaws. But the NTC made technical and organizational recommendations for those responsible for cybersecurity in hospitals.
In particular, they should verify the cybersecurity of the systems at the time of acquisition. Additionally, vulnerability scans and updates should be performed regularly. Finally, responsibilities must be clearly defined.
ats/ther