BSI study: Numerous vulnerabilities in hospital information systems

On behalf of the BSI, IT security researchers have scrutinized IT systems for hospitals and found gaps, for example in encryption and certificates.


(Image: ARMMY PICCA/Shutterstock.com)


IT security in hospitals is not in good shape. A penetration test of two widely used hospital information systems (HIS) found that both had "significant vulnerabilities such as the insecure transmission of data, the insecure storage and management of accesses and passwords and the insecure distribution of software updates". This is an explosive finding, because particularly sensitive personal information such as patient health data is collected, processed and used for further diagnosis via the HIS. Within the hospital and when exchanging data with doctors' practices and other medical facilities, these systems rely on domain-specific data formats such as HL7 (Health Level 7) or LIS01-A, a protocol for exchanging messages between laboratory instruments and computer systems, which define little or no security mechanisms of their own.
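As an added example, not code from the BSI report or from either HIS vendor, the following minimal HL7 v2 parser illustrates what "little or no security mechanisms" means in practice: the pipe-delimited format has no signature, MAC or checksum field, so a lab result rewritten on an unencrypted link parses exactly like the original and the receiving HIS has nothing to check. The ORU^R01 message, the facility names and the patient record are constructed for the demonstration.

```python
# Added example (not from the BSI/Fraunhofer report): a minimal HL7 v2 parser
# on a constructed ORU^R01 lab-result message. Segments are separated by \r,
# fields by | (MSH-1) and components by ^ (first char of MSH-2).
# The sample message is constructed; it is not real patient data.

SAMPLE_ORU = (
    "MSH|^~\\&|LAB|HOSP|HIS|HOSP|202405011200||ORU^R01|MSG0001|P|2.5\r"
    "PID|1||123456^^^HOSP^MR||Doe^John||19700101|M\r"
    "OBR|1||ORD789|2345-7^Glucose^LN|||202405011130\r"
    "OBX|1|NM|2345-7^Glucose^LN||5.4|mmol/L|3.9-5.8|N|||F\r"
)


def parse_hl7(message: str) -> dict:
    """Parse an HL7 v2 message into {segment_id: [segment, ...]}.

    Each segment is a list of fields and each field a list of components.
    Fields are indexed so that list position == HL7 field number, i.e.
    seg[5] is PID-5 / OBX-5 (position 0 holds the segment ID).
    """
    segments = [s for s in message.split("\r") if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("HL7 v2 message must start with an MSH segment")
    field_sep = segments[0][3]   # MSH-1: the field separator itself
    comp_sep = segments[0][4]    # MSH-2 starts with the component separator
    parsed: dict = {}
    for seg in segments:
        fields = seg.split(field_sep)
        seg_id = fields[0]
        if seg_id == "MSH":
            # MSH-1 is the separator character, so re-insert it to keep
            # field numbering aligned with the standard.
            fields = [seg_id, field_sep] + fields[1:]
        components = []
        for idx, f in enumerate(fields):
            if seg_id == "MSH" and idx in (1, 2):
                components.append([f])          # delimiters are never split
            else:
                components.append(f.split(comp_sep))
        parsed.setdefault(seg_id, []).append(components)
    return parsed


def field(parsed: dict, seg_id: str, num: int, comp: int = 0, occurrence: int = 0) -> str:
    """Return component `comp` of field `num` of the n-th `seg_id` segment."""
    return parsed[seg_id][occurrence][num][comp]


def tamper_obx_value(message: str, new_value: str) -> str:
    """Rewrite OBX-5 (the observation value) of the first OBX segment.

    Models what an active attacker on an unencrypted or unverified link
    can do; nothing in the message format lets the receiver notice.
    """
    field_sep = message[3]
    out, done = [], False
    for seg in message.split("\r"):
        if seg.startswith("OBX") and not done:
            f = seg.split(field_sep)
            f[5] = new_value
            seg = field_sep.join(f)
            done = True
        out.append(seg)
    return "\r".join(out)


if __name__ == "__main__":
    original = parse_hl7(SAMPLE_ORU)
    forged = parse_hl7(tamper_obx_value(SAMPLE_ORU, "15.4"))
    print("patient:", field(original, "PID", 5, 1), field(original, "PID", 5))
    print("glucose original:", field(original, "OBX", 5), field(original, "OBX", 6))
    print("glucose forged:  ", field(forged, "OBX", 5), field(forged, "OBX", 6))
    # Same control ID, same header: the receiver has nothing to check.
    print("same MSH:", original["MSH"] == forged["MSH"])
```

The forged message keeps the same MSH-10 message control ID and passes the same structural parsing as the original, which is why the report's recommendation is not to patch HL7 v2 but to protect the transport (TLS with verified certificates) and to move to newer exchange formats.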

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) commissioned the e-health team at the Fraunhofer Institute for Secure Information Technology (SIT) in 2023 to investigate cyber security in the healthcare sector, and in hospitals in particular. Part of the task was a detailed security analysis of two HISs, selected because of their high installation numbers. According to the final report that has now been published, the researchers found that HIS connections between client and server and to third-party systems were not encrypted, so data could be read or altered in transit. Because administrative actions and software updates also travel over these connections, the systems themselves could be modified without authorization.

The experts also found inadequate certificate checking. TLS transport encryption does protect against passive eavesdropping at network level, but without verification of the server certificate an active attacker can still place themselves in the connection and read and manipulate all of its traffic. The researchers also criticized that one of the two HISs encrypted access credentials with an outdated algorithm (RC4) and stored them in the database, and that the hash algorithms used for passwords were no longer state of the art. HIS accounts were also found to have trivial passwords that granted extensive read and write access to the database.
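The following added example, not code from the study or from either vendor, shows why RC4-encrypted credentials in a database are materially weaker than salted, iterated password hashes: RC4 is symmetric and reversible, so whoever reads the table and the application key recovers every plaintext, whereas a PBKDF2 record can only be attacked by guessing. The RC4 implementation is included only to make the point and must not be used in production; the key, the passwords and the iteration count are constructed assumptions for the demonstration.

```python
# Added example (not code from the study or either HIS vendor): why a
# reversibly RC4-"encrypted" credential store is weaker than a salted,
# iterated password hash. The RC4 implementation is included only to make
# the point and must not be used in production. Key and passwords are
# constructed for the demonstration.
import hashlib
import hmac
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same
    operation, which is exactly the problem for stored credentials."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Scenario A, as found in one of the tested systems: credentials are
# encrypted with a key the application itself has to hold (in its config,
# binary or database). APP_KEY is a constructed stand-in for that key.
APP_KEY = b"his-static-key"


def store_credential_rc4(password: str) -> bytes:
    return rc4(APP_KEY, password.encode())


def recover_credential_rc4(blob: bytes) -> str:
    """Anyone with read access to the database plus the application key
    (or the binary that embeds it) gets every plaintext password back."""
    return rc4(APP_KEY, blob).decode()


# Scenario B: salted PBKDF2-HMAC-SHA256 (stdlib). The stored record cannot
# be reversed; an attacker with the database still has to guess per user.
ITERATIONS = 600_000   # assumed work factor; tune to the deployment's hardware


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algo$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time comparison of the recomputed digest against the record."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    blob = store_credential_rc4("Sommer2024")
    print("rc4 blob :", blob.hex())
    print("recovered:", recover_credential_rc4(blob))   # plaintext is back
    rec = hash_password("Sommer2024")
    print("record   :", rec)
    print("verify ok:", verify_password("Sommer2024", rec),
          "wrong pw:", verify_password("sommer2024", rec))
```

Two practical notes: the record format stores its own iteration count, so the work factor can be raised later without invalidating existing entries, and `hmac.compare_digest` avoids leaking digest bytes through timing. Note that none of this helps against the trivial passwords the testers found; a hash only slows down guessing, it does not make a guessable password safe.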


The testers also criticized the lack of integrity protection for software and inadequate rights management for database queries; attackers could gain privileged access with little effort. In one HIS, insufficiently validated input allowed malicious JavaScript to be injected and executed (cross-site scripting). The problems identified "are exemplary for numerous potential vulnerabilities in these and other HISs", the researchers warn. The manufacturers were very cooperative and had already closed most of the gaps by the time the study was published. In general, however, the study found "that in healthcare, the availability of systems usually takes precedence over the confidentiality of data", at the expense of the overall security of hospitals.

The authors urgently recommend action. In a recent ransomware attack in Romania, to which 26 hospitals fell victim, initial evidence pointed to an attack either through or on the central HIS. Attackers have previously exploited a vulnerability in a hospital's Citrix remote access, for example. The researchers recommend the use of modern standardized exchange formats such as FHIR (Fast Healthcare Interoperability Resources), the further development of HL7. Based on the results, the BSI has published a comprehensive draft of recommendations for action to implement the findings. Interested parties can comment on it until the end of June.

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.