BSI studies reveal patchy IT security in healthcare
BSI studies uncover significant security flaws in practice, hospital, and nursing software. Patient data is inadequately protected.
While the pressure for digitalization due to legal requirements is constantly increasing, IT security of central software products in the healthcare sector is lagging behind. This is the conclusion reached by the Federal Office for Information Security (BSI) after evaluating several commissioned studies aimed at better assessing the established state of IT security and developing concrete recommendations for improvement.
The mandatory connection to the telematics infrastructure (TI), now also for nursing care and the electronic patient record, will further increase the attack surface, according to the BSI. The authority therefore advocates further investigations, while the German Nursing Council calls for legal regulations on cybersecurity with binding manufacturer standards. The BSI also uses the findings to make clear that IT security in healthcare must not remain a niche topic but is a shared responsibility of manufacturers, operators and regulators.
Deficiencies in encryption, cryptography, authentication, and architecture
In the projects SiKIS (Security Properties of Hospital Information Systems), SiPra (Security of Practice Management Systems), and DiPS (Study on the Security of Digital Nursing Documentation Systems), a total of nine penetration tests were carried out on behalf of the BSI. The three studies, presumably conducted between 2024 and early 2025, collectively provide a comprehensive picture of the IT security status of central software products in the German healthcare system. In earlier investigations such as the CyberPraxMed project, the BSI had already identified serious security vulnerabilities in medical practices, including insufficient protection against malware, inadequate patch management, and missing backups. The current projects now go a step further and focus not on the practices themselves but on the software used there.
According to the BSI, missing encryption, outdated cryptographic methods, insecure authentication, and architectural weaknesses are a common thread running through practice management systems (PVS), hospital information systems (KIS), and digital nursing documentation systems. In several cases, testers were able to construct attacks from the internet by chaining individual vulnerabilities.
The BSI commissioned ERNW Enno Rey Netzwerke GmbH to test four PVS that were not named. The results are sobering: although the four systems are based on different technologies, comparable vulnerability classes occurred in all of them. According to the SiPra final report (PDF), testers were able to construct attack chains for three of the four tested products by chaining individual vulnerabilities, allowing access from the internet – with varying criticality but consistently concerning.
Insecure file attachments, outdated cryptographic methods, and more
According to the report, the problems are partly architectural and conceptual: the systems assume the practice network, its Wi-Fi and its staff to be trustworthy instead of applying zero-trust principles and granular protection. In some cases the PVS servers were directly reachable from the internet, and authentication could be bypassed. Transport encryption was missing in several PVS: communication within the local practice network, including medical patient data, password hashes and configuration data, was transmitted in the clear. Other deficiencies include missing password policies and outdated cryptographic methods.
While manufacturers argue that the practice network can be considered trustworthy, earlier BSI investigations have shown that this is often not the case in reality. Unsecured Wi-Fi networks, open LAN ports in treatment rooms, or practice PCs infected with malware can let third parties eavesdrop on network traffic. Files could be attached at various points – from patient records to communication systems – and in several cases were executed directly by the operating system's default program when opened. In some systems the displayed file name could also be obscured, so that even technically trained personnel could not recognize malware disguised as an image file.
The publication of the results was delayed. In response to an inquiry from heise online at the end of 2025, the BSI stated that the final version of the report was being worked on in coordination with the affected manufacturers: “From the BSI's perspective, the manufacturers' feedback on the identifiability of the products has delayed the publication, but further increased the quality of the report.” In June 2025, a BSI employee had already given a presentation on the project. Since the tested products are not named for neutrality reasons by the BSI, it had to be ensured that the anonymized results did not allow any conclusions to be drawn about individual manufacturers.
Weaknesses in Hospital Information Systems
On behalf of the BSI, the Fraunhofer Institute for Secure Information Technology (SIT) and Open-Source Security GmbH tested two representative hospital information systems (KIS). For the tests, two hospitals provided test environments with anonymized data.
- Missing Encryption: Connections from the KIS client to the KIS server and to third-party systems such as the database were often not or only inadequately encrypted. Even where TLS was used, clients often did not properly verify the server certificate – active attackers could thus intercept communication.
- Outdated Algorithms: Passwords were stored with outdated hash algorithms that allowed them to be cracked within a few hours or days. In one KIS, login credentials were encrypted with the RC4 algorithm, considered insecure, with the same key used for all entries.
- Insecure Maintenance Access: Maintenance accounts with trivial passwords gave comprehensive database access; the passwords suggested that they were identical across several hospitals.
- Missing integrity protection for updates: Software updates were distributed without code signatures. An attacker could replace the update files with malware, which was then executed by the clients without verification.
One of the tested KIS also used a single database access for all users. An attacker with any access, even low-privileged, could read and write all data, including creating new administrator accounts.
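The first finding in the list, TLS that is switched on but whose server certificate the client never checks, is easy to demonstrate. The following Go program is an added example, not code from the studies or from any KIS: it generates a throwaway server certificate and then runs four handshakes over an in-memory pipe (no sockets): a client with verification disabled, a default client, a client that pins the operator's certificate, and the same pinning client pointed at the wrong host name. The host names and the self-signed certificate are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a made-up host name for the hypothetical KIS server (assumption).
const serverName = "kis.example.internal"

// newSelfSignedCert builds a throwaway server certificate, standing in for the
// internal certificate a KIS vendor or hospital might deploy. No public root
// store trusts it, which is exactly the situation a client must cope with.
func newSelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it serves as its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// insecureClientConfig reproduces the flaw the BSI describes: TLS is switched
// on, but the server certificate is never verified, so a man-in-the-middle
// presenting any certificate is accepted.
func insecureClientConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host, InsecureSkipVerify: true}
}

// hardenedClientConfig trusts only the operator's own certificate (pinned via
// RootCAs), verifies the host name and refuses protocol versions below TLS 1.2.
func hardenedClientConfig(host string, trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{ServerName: host, RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// handshake runs one TLS handshake over an in-memory pipe and returns the
// client's verdict. Session tickets are disabled so the server has nothing
// left to send once the handshake is done.
func handshake(cert tls.Certificate, clientCfg *tls.Config) error {
	cli, srv := net.Pipe()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}
	done := make(chan struct{})
	go func() {
		defer close(done)
		_ = tls.Server(srv, srvCfg).Handshake() // only the client's view matters here
	}()
	err := tls.Client(cli, clientCfg).Handshake()
	cli.Close() // also unblocks the server if it is still reading
	<-done
	srv.Close()
	return err
}

func main() {
	cert, leaf, err := newSelfSignedCert(serverName)
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		cfg  *tls.Config
	}{
		{"no verification (InsecureSkipVerify)", insecureClientConfig(serverName)},
		{"default verification, cert unknown to system roots", &tls.Config{ServerName: serverName}},
		{"pinned operator cert, correct host name", hardenedClientConfig(serverName, leaf)},
		{"pinned operator cert, wrong host name", hardenedClientConfig("other.example.internal", leaf)},
	}
	for _, c := range cases {
		fmt.Printf("%-52s -> %v\n", c.name, handshake(cert, c.cfg))
	}
}
```

The first client accepts the unknown certificate, which is precisely the condition under which an active attacker on the practice or hospital network can terminate the connection with a certificate of their own. In a real deployment the pinned object would normally be the hospital's internal CA rather than the single server certificate, but the client-side rule is the same: a trust anchor the client already holds, a host-name check, and no `InsecureSkipVerify`.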
Significant deficiencies in data exchange formats
The SiKIS project on the security properties of hospital information systems (PDF) also examined common medical data exchange formats. Established protocols such as HL7, the de facto standard for data exchange between KIS and subsystems since the 1980s, define no security features whatsoever, according to the BSI. Even DICOM, which specifies comprehensive security extensions, is used in hospitals almost exclusively without them. Researchers have repeatedly shown in the past how DICOM connections can be manipulated. Newer formats such as FHIR and the ISiK standard based on it perform better, according to the BSI, because they rely on established web technologies and enable TLS encryption and OAuth authentication. However, implementation errors are documented here as well.
Lack of security in nursing documentation systems
For the first time, the BSI investigated the security of digital nursing documentation systems with the DiPS project (PDF). The Fraunhofer SIT tested three widely used systems provided by the manufacturers as on-premise installations. Despite different technologies, all three products exhibited vulnerabilities, a total of 13 of them with high or critical severity. These include insecure communication channels where man-in-the-middle attacks were possible, weak authentication, installation packages containing database passwords, architectural weaknesses, missing verification mechanisms in update processes, and weak key management.
The survey of 52 nursing services showed that 43 regularly access the system while on the go, 16 of them directly over the internet without a VPN. 25 confirmed that manufacturers or IT service providers have permanent remote access to their network. Not only in medical practices and hospitals but also in nursing services, the experts criticized a lack of transport encryption, outdated cryptographic methods, insufficient access controls, and the architectural problems already noted. Missing password policies were found in PVS and KIS, insecure software updates in KIS and nursing software, and hard-coded credentials especially in nursing software. The BSI emphasizes, however, that a penetration test can only prove the existence of vulnerabilities, not their absence. If a vulnerability class did not occur in a project, it simply means it was not identified within the limited test period.
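The unsigned-update finding in the KIS list and the insecure update processes noted for nursing software come down to one missing check on the client. The following Go program is an added example, not the BSI's or any manufacturer's code, of the control the reports ask for: the vendor signs a manifest of the package with an Ed25519 key, and the client verifies the signature with a public key it already holds, then checks the package digest, before installing anything. The product name, version, manifest layout and payload bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest describes one update package. The vendor signs its serialized form;
// the package itself is bound to the manifest through its SHA-256 digest.
type Manifest struct {
	Product string
	Version string
	SHA256  string // hex digest of the package bytes
}

// encode uses a fixed field order and separator so signer and verifier hash
// the same byte string (assumption: field values contain no newline).
func (m Manifest) encode() []byte {
	return []byte(strings.Join([]string{m.Product, m.Version, m.SHA256}, "\n"))
}

var (
	ErrBadSignature   = errors.New("update rejected: manifest signature does not verify against the vendor key")
	ErrDigestMismatch = errors.New("update rejected: package digest differs from the signed manifest")
)

// digestHex returns the hex-encoded SHA-256 of b.
func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// newVendorKeys generates the vendor's signing key pair. In practice the
// private key stays on the build system (or an HSM) and only the public key
// is compiled into the client.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signUpdate runs on the vendor side: hash the package, record it in the
// manifest, sign the manifest.
func signUpdate(priv ed25519.PrivateKey, product, version string, pkg []byte) (Manifest, []byte) {
	m := Manifest{Product: product, Version: version, SHA256: digestHex(pkg)}
	return m, ed25519.Sign(priv, m.encode())
}

// verifyUpdate runs on the client before anything is unpacked or executed.
// Any failure means the update is discarded; the installer must never fall
// back to "install anyway".
func verifyUpdate(pub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return ErrBadSignature
	}
	if subtle.ConstantTimeCompare([]byte(digestHex(pkg)), []byte(m.SHA256)) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := newVendorKeys()
	pkg := []byte("constructed update archive: kis-client 4.2.1 binaries") // stand-in payload
	m, sig := signUpdate(vendorPriv, "kis-client", "4.2.1", pkg)
	fmt.Println("genuine update:        ", verifyUpdate(vendorPub, m, sig, pkg))

	// Attacker on the network swaps the archive but cannot touch the manifest.
	tampered := append([]byte("MZ"), pkg...)
	fmt.Println("swapped archive:       ", verifyUpdate(vendorPub, m, sig, tampered))

	// Attacker edits the manifest to match the new archive; the signature no longer fits.
	forged := m
	forged.SHA256 = digestHex(tampered)
	fmt.Println("edited manifest:       ", verifyUpdate(vendorPub, forged, sig, tampered))

	// Attacker signs a consistent manifest with their own key; the baked-in key rejects it.
	_, attackerPriv := newVendorKeys()
	m2, sig2 := signUpdate(attackerPriv, "kis-client", "4.2.2", tampered)
	fmt.Println("attacker-signed update:", verifyUpdate(vendorPub, m2, sig2, tampered))
}
```

The point of the separate digest step is that the signature covers a small manifest rather than the archive itself, so the same manifest can cover several files and the signing key never needs to see the full package. Note what the example does not cover: rollback to an older, validly signed version would still verify, so a production installer also has to compare `Version` against what is already installed.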
Manufacturers were cooperative, according to BSI
In all three projects, manufacturers responded cooperatively, according to the BSI. In the SiPra project, they showed “great openness to suggestions for improvement.” The KIS manufacturers were also able to “already fix or mitigate most vulnerabilities” by the time the study was published. Because of the coordination with the affected manufacturers described above, the full SiPra publication did not take place until spring 2026, well after the public presentation of June 2025.
Nevertheless, the manufacturer survey reveals structural deficits, with security standards varying widely. “Not all manufacturers have a designated point of contact where customers can report vulnerabilities or security incidents,” the report states. Only about two-thirds of the responding PVS manufacturers regularly conduct penetration tests, and none operates a bug bounty program. Tracking vulnerabilities in third-party libraries is sometimes done manually. When asked which security standards they follow, the answers were very diverse, and often there were none. IT security is rarely mentioned on the manufacturers' websites; instead, they advertise features such as video consultations, voice control, or AI-assisted billing suggestions.
IT security of PVS is non-binding
A central finding of all three studies is the lack of binding security requirements. The KBV certification of PVS only checks functional requirements. IT security criteria are not checked. Manufacturers can voluntarily enter into a framework agreement with the KBV according to § 332b SGB V. The BSI comments: “Furthermore, despite the enormous relevance of the topic, there are surprisingly few explicit or binding guidelines on IT security for PVS.”
There is also no mandatory approval for nursing documentation systems. Only for KIS does a certain minimum standard apply via ISiK certification; however, this primarily concerns interoperability. The German Nursing Council had therefore repeatedly called for clear rules on cybersecurity.
BSI's recommendations for action
The BSI has published recommendations for action for all three projects and made them available for comment. Its demands to manufacturers include an improved security architecture and consistent use of TLS, modern cryptography, and signed software updates. It also calls for enforceable, configurable password policies and a whitelist of permissible file attachment types. Finally, hardening guidelines and interface documentation should be created and provided. Service providers should be “supported in increasing the IT security of their medical practice.”
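The attachment handling criticized in the PVS section (files handed straight to the operating system's default program, file names that display differently from how they parse) and the whitelist the BSI recommends here are the same control seen from two sides. The following Go program is an added example, not code from the BSI reports or from any tested product. The allowed extensions and their magic numbers, the error values and the sample file names are constructed for illustration, and the right-to-left override character is one assumed way of obscuring a name, not necessarily the one the testers encountered.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path"
	"strings"
	"unicode"
)

// allowed maps each permitted extension to the byte prefixes ("magic numbers")
// a file of that type must start with. The list is an assumption for this
// example; an operator would tune it to what the practice actually needs.
var allowed = map[string][][]byte{
	".pdf":  {[]byte("%PDF-")},
	".jpg":  {{0xFF, 0xD8, 0xFF}},
	".jpeg": {{0xFF, 0xD8, 0xFF}},
	".png":  {{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}},
}

var (
	ErrObscuredName    = errors.New("attachment rejected: name contains control or bidirectional formatting characters")
	ErrNotAllowed      = errors.New("attachment rejected: extension not on the allowlist")
	ErrContentMismatch = errors.New("attachment rejected: content does not match the declared type")
)

// checkAttachment validates one upload before it is stored or offered to staff
// and returns the sanitised name it may be stored under. Rejections are
// deliberately loud: a silently renamed file would still reach a default handler.
func checkAttachment(name string, content []byte) (string, error) {
	// Drop any directory part, whether Unix or Windows style.
	base := path.Base(strings.ReplaceAll(name, `\`, "/"))
	for _, r := range base {
		// Control characters (NUL, CR/LF) and Unicode format characters such as
		// U+202E RIGHT-TO-LEFT OVERRIDE make a name display differently from
		// how the OS parses it, one way an ".exe" can appear to end in ".jpg".
		if unicode.IsControl(r) || unicode.Is(unicode.Cf, r) {
			return "", ErrObscuredName
		}
	}
	// path.Ext returns the last extension, so "scan.jpg.exe" is judged by ".exe".
	ext := strings.ToLower(path.Ext(base))
	magics, ok := allowed[ext]
	if !ok || base == ext { // also reject a name that is nothing but an extension
		return "", ErrNotAllowed
	}
	// The declared type must match what the bytes say, or a renamed
	// executable would pass on its extension alone.
	for _, magic := range magics {
		if bytes.HasPrefix(content, magic) {
			return base, nil
		}
	}
	return "", ErrContentMismatch
}

func main() {
	jpeg := []byte{0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F'} // constructed JPEG header
	pe := []byte("MZ\x90\x00")                                             // constructed PE (exe) header
	pdf := []byte("%PDF-1.7\n")                                            // constructed PDF header
	samples := []struct {
		name    string
		content []byte
	}{
		{"Befund_2024.JPG", jpeg},                     // fine
		{"Befund_2024.jpg", pe},                       // executable renamed to .jpg
		{"Befund_2024\u202Egpj.exe", jpeg},            // RLO: displays as "Befund_2024exe.jpg"
		{"Befund_2024.jpg.exe", pe},                   // double extension
		{"Befund_2024.docx", pdf},                     // not on the allowlist
		{`C:\Users\mfa\Downloads\Arztbrief.pdf`, pdf}, // path component stripped
	}
	for _, s := range samples {
		stored, err := checkAttachment(s.name, s.content)
		fmt.Printf("%-45q -> stored=%q err=%v\n", s.name, stored, err)
	}
}
```

Checking magic bytes alongside the extension is what catches the renamed executable; the name check is what catches the file whose name only looks like an image. Neither replaces the other, and neither helps if the application still opens accepted files with whatever the operating system associates with them, so the allowlist should be paired with an in-application viewer for the permitted types.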
Recommendations for operators include network segmentation in larger facilities, regular audits of all user accounts including maintenance access, device encryption and secure unlock codes for mobile devices, timely installation of updates, and actively requesting hardening guidelines from the manufacturer. For outpatient care, the DiPS recommendation for action contains a concrete checklist with numerous checkpoints – from TLS configuration to the offboarding process. In addition, the BSI recommends proactively concluding contracts with qualified incident response service providers.
(mack)