According to an analysis by the National Test Institute for Cybersecurity (NTC), the clinical information systems used in Swiss hospitals contain security vulnerabilities and are not tested sufficiently, even though they process sensitive data and support critical processes.
The National Test Institute for Cybersecurity (NTC) examined clinical information systems used in Swiss hospitals, and the results are not good. The specialists found around forty vulnerabilities in the three systems evaluated: the KISIM software from the Swiss-German vendor Cistec, the German solution inesKIS, and the system from the American vendor Epic, which is in use at Bern's Inselspital (Island Hospital) and is the front-runner in the ongoing procurement procedures at the CHUV and the University Hospital of Zurich.
The NTC underlines the pivotal role these systems play in hospitals: they are used to process sensitive patient data and laboratory results, and even to handle communication between departments. "A breakdown of the system would have considerable repercussions on both medical care and organizational processes," warn the report's authors.
Despite their critical nature, the cybersecurity of clinical information systems is rarely tested, the NTC notes. Based on their interviews with hospitals, the authors attribute this to cost pressure, a lack of awareness of the issue, and poorly defined responsibilities.
During tests carried out in hospitals under real-world conditions, the NTC identified four types of vulnerability: fundamental architectural problems, missing or incorrectly implemented encryption of the communications between the systems involved, vulnerable adjacent systems, and insufficient separation between test and production environments.
Some of the vulnerabilities proved particularly critical. "Many of the vulnerabilities discovered are so egregious and easy to exploit that they allowed complete control of the system, and of the patient data it contained, to be taken within hours of testing beginning," the report says. It specifies that the vulnerabilities have been reported to the vendors and that most of the significant flaws have since been eliminated or defused by mitigation measures.
The NTC report, and this is its key contribution, makes several recommendations to those responsible for hospital cybersecurity. In particular, the authors recommend formulating cybersecurity requirements clearly in calls for tender, properly separating test and production environments, installing updates regularly (including on networked medical devices), and running vulnerability scans on a regular basis, as well as penetration tests and bug bounty programmes for the most critical applications.
Hospitals are also advised to define responsibilities for data protection and system continuity clearly, to exchange information regularly with other hospitals, and not to sign confidentiality agreements that serve only the vendors' interests.