
The invisible attack

In spring 2025, Erik Dinkel, Chief Security Officer of the University Hospital Zurich, gave an interview to YELLOW, the customer magazine of Swiss Post, about cyber threats in the hospital sector and the Security Operations Center implemented together with Swiss Post Cybersecurity.

An X-ray image disappears. Laboratory software goes haywire. A medication dispenser suddenly dispenses double the dose. What sounds like a movie scenario is a real danger for hospitals. The next cyberattack is sure to come.

A cyberattack on a hospital can cost lives. And the threat is growing. Hackers are no longer just trying to steal data – they are targeting systems that keep hospitals running. Like many large organizations, the University Hospital of Zurich (USZ) fends off tens of thousands of attack attempts every month. Cybercriminals act like burglars, repeatedly jiggling door handles and pressing window frames in the hope of finding a weak spot somewhere. But at the USZ, there aren't two or three break-in attempts, there are tens of thousands. Sophisticated cyberattacks no longer require in-depth IT knowledge: cybercriminals now sell their attack methods as a service – with ready-made malware, automated attack programs, and even technical support. Erik Dinkel, Chief Security Officer at the USZ, is well aware of the threat scenario. "We work around the clock. A hospital cannot go offline." But that is exactly what threatens to happen when cybercriminals penetrate the networks.

Cyberattacks: a profitable business

In recent years, cybercrime has evolved from sporadic hacker attacks to a billion-dollar industry. In addition to automated attacks, targeted attacks are also on the rise. Ransomware is particularly insidious: attackers infiltrate a system unnoticed, encrypt all data, and paralyze the entire IT system. Suddenly, nothing works anymore: patient records, appointment scheduling, lab data – everything is blocked. Then a message appears on the screens: "Your data has been locked. Pay 5 million in Bitcoin to get it back." The only alternative? Weeks of rebuilding, major financial losses, and incalculable risks for patient care.

Hospitals are particularly attractive targets because they are under a lot of pressure: an IT failure can cost lives. Cybercriminals know this – and resort to blackmail. It's not just about ransom money. Stolen patient data is particularly valuable on the dark web. Credit cards can be blocked – but medical data remains valid for a lifetime. Criminals use it for identity theft, insurance fraud, or the illegal trade in medicines. With real patient data, fraudsters submit fake medical bills or obtain expensive treatments under false names.

Even fake medical practices can be operated using stolen identities – including billing for services that were never provided. "Cybercrime is a threat that every organization must prepare for – whether it's a hospital or an SME," says Erik Dinkel. He would like to see more care taken in software development: "It's often small, avoidable errors in programs that later lead to security gaps."

"We are not a knight's castle with thick walls. Security must be intelligent and flexible, not rigid and isolating."
Erik Dinkel, Chief Security Officer

No protection behind thick walls

Modern cyberattacks disguise themselves as legitimate access and often go unnoticed for a long time. Only when it is too late, when data has been encrypted or stolen, does the attack become visible. By then, the damage is usually enormous. Erik Dinkel considers the idea of protecting IT systems like a medieval castle with thick walls to be outdated. “Our world today is more connected and complex – with mobile devices, cloud services, and home offices. There is no longer one big castle, but many small castles. It is crucial that we know what is happening in these castles and between them.” But how can a hospital protect itself when it cannot simply go offline?

Working together against cyber attacks

It starts with a suspicious movement in the system. Perhaps an atypical data retrieval at night or an unexpected login from the Bahamas. Such signs can be harmless – or the first indication of an attack. When attackers move through the system unnoticed, every second counts. That's why the USZ has invested in recent years to systematically and centrally identify cyber incidents and vulnerabilities and respond to them quickly. The hospital works with external partners to do this:

Swiss Post Cybersecurity supports the internal security team with state-of-the-art security technology and threat analyses. At its heart is the jointly operated Security Operations Center (SOC) – an operations center that monitors digital events around the clock and responds immediately in the event of an emergency. An important tool in the SOC is the Cyber Defense Platform, which, like an intelligent alarm system, detects suspicious movement patterns at an early stage and automatically triggers protective measures. But even the best technology cannot rule out human error.

"Security is not a state that is achieved once, but an ongoing process."
Erik Dinkel, Chief Security Officer

The human factor

Often all it takes is a single moment of carelessness. An employee receives an email that appears to come from the IT department. It contains a request to confirm the password. But the message is a trap. One click – and the attackers have found a first door into the system. 90 percent of all successful cyber attacks start with human error. That's why the USZ relies on comprehensive awareness-raising among its employees.

Simulated phishing attacks and training are an integral part of the defense strategy. Dinkel speaks of a cultural change:

"It's not about stirring up fear, but about taking responsibility. Security starts with people, not with technology."

Cybercrime is no longer an abstract threat. The University Hospital Zurich has adapted to this new situation. "Cyber attacks are constantly evolving – and so must our security measures," says Dinkel. "Security is not a state that you achieve once, but an ongoing process."

Erik Dinkel, Chief Security Officer, protects the University Hospital Zurich against cyber attacks.

Many thanks to Erik Dinkel, who made himself available for the interview in spring 2025.

Source:
Text — Diana Busch
Illustrations — Isabel Peterhans
Headerimage — image source USZ