Many doctors in private practice are overwhelmed with the practice IT and thus offer hackers a target. They then have access to thousands of patient files. The Federal Data Protection Commissioner Ulrich Kelber pleads for greater liability for the manufacturers of practice software.
Without medical confidentiality there is no relationship of trust between physicians and patients, it is enshrined in law. But in many cases doctors in private practice unknowingly disclose sensitive data to third parties. The reason is their practice IT, some of which can be cracked by hackers.
The practice software Medistar, according to the manufacturer Compugroup with 15,000 medical practices the market leader in Germany, is currently under criticism. According to IT specialist Cedric Fischer, it is relatively easy to hack. “There are glaring security flaws in the on-site networks and in the software.”
Access to administrator rights is “admin” during installation, the password “1234”, reports a user. The data are “uniformly defined for all practices,” says Fischer. If they were not changed by the user, “the probability that unauthorized persons could gain unauthorized access to practice and patient data is very high.”
A major security risk is access to the server from outside. The network release is not part of the software and according to Medistar, it gives configuration instructions that exclude third-party access. But in practice, gaps remain. Fischer, who examines the IT for weak points on behalf of practices, managed to hack into a network.
“I was able to access a practice server running Medistar from my computer without any problems. I could have viewed around 30,000 patient data with it.” No special IT knowledge was even required for this. “Anyone else could have done that by getting the server’s IP address, for example, from the freely accessible search engine Shodan.”
The case was some time ago, but according to Fischer’s assessment, it could still occur today. The databases also contained unencrypted patient data. The password in the “Medistar” document management system “Moviestar” can be “read out immediately and in a few milliseconds with a simple tool”.
The manufacturer Compugroup Medical rejects the representation. “The operational responsibility lies with the customer”. He can and should change access data. The environment in which the “Moviestar” document management system is operated must follow clear security and configuration specifications. This means that only authorized users can access it. In general, the network must be secured with a firewall, among other things, before the practice software is installed. All USB ports are to be deactivated, the server must be in a locked room.
But is that realistic? Large data packets, including medical reports, are often stored on USB. Having your own server room can be a challenge for cramped medical practices. Not only Fischer, but also Michael Wiesner, a renowned expert for critical infrastructures, discovered a lot of security gaps in medical practices in an earlier study for the insurance industry. Software vulnerabilities and human negligence often result in an explosive mixture. Nine out of ten doctors would use very easy-to-guess passwords like “treatment,” Wiesner said.
Last year, the hacker collective “Zerforschung” succeeded in proving security gaps in “Doc Cirrus”, another program. Around 60,000 patients are said to have been affected at the time. The vulnerabilities – among other things, the hackers were able to view patient data – were then fixed.
The risk of data breaches is borne by the medical practice, unless it is contractually passed on to a service provider or the manufacturer. In many cases, the doctors are simply overwhelmed by the topic. This could take revenge if criminals hijack your computers. Ransomware attacks are particularly conceivable, in which data is encrypted and only released after payment of a ransom. Medistar manufacturer Compugroup Medical was itself the victim of a cyber attack with ransomware at the end of 2021. According to “Apotheke Adhoc”, the damage was four million euros at the time.
The Federal Data Protection Commissioner Ulrich Kelber has long advocated an obligation for manufacturers to assume liability for data breaches caused by weak points in the software. The topic is in the coalition agreement of the traffic light. Nothing has happened so far. The subject of product liability law is currently being dealt with at European level,” says Manuel Höferlin, domestic policy spokesman for the FDP parliamentary group. “It is not yet clear when the legislative process in Europe will be completed.”
A PDF from FOCUS online – diseases of the cardiovascular system are among the most common in Germany. Even the simplest things can reduce the risk of a heart attack, for example. Our e-paper tells you how to keep your heart and circulation healthy.