IT security requires a cultural shift in people's minds


Is critical health infrastructure protected?

"The health authorities: With paper, pen and fax against Corona", headlined the press in 2021. The digital connection and thus the networking of general practitioners and specialists, hospitals and laboratories with the health authorities were criticized. The health authorities in Germany should have long since reached their highest level of digital maturity, according to the plan. In the end, a sensitive gap opened up during the pandemic. But not only the fast, networked data transfer got into the discussion; IT security in the critical healthcare infrastructure has also been put to the test since then. How secure is patient data in the hospital? Is information and data security guaranteed at all times by those involved in healthcare? And are IT security solutions really as robust and reliably protective as they claim?

The digital hospital

"The more digitization in the critical health infrastructure, the more important security becomes; the whole thing is that simple and at the same time highly complex."

CISO establishes security architecture

IT security is not a niche, but a necessity that permeates everything. Critical healthcare infrastructure is no exception. The number of hospitals that have to meet the requirements of the IT Security Act will increase in the future, regardless of the legal obligation. The requirements and necessities of digitization have resulted in new positions and departments responsible for information and data security throughout the company. Clinics are increasingly setting up Security Operations Centers (SOC) operated by their own experts. These should enable hospitals to analyze hacker attacks from outside, so that their own IT systems and infrastructures remain stable and protected from damage in the face of increasingly complex attack technologies.

With the SOC, IT security is taken into account not only in patient care, but also with regard to medical and building technology. The Chief Information Security Officer (CISO, all genders) is responsible for all corporate and cyber security. The CISO's area of responsibility for security is far greater than that of the Chief Security Officer (CSO, all genders) or a department head. A CISO, whether working in a hospital or in the health department, develops a holistic overall strategy for information security. Organizationally, however, the role is not anchored in IT; it usually reports directly to the CEO or CIO.

Convincing people of the need

Based on an interdisciplinary strategy, a CISO creates an individual analysis of all systems and processes to ensure a protected and robust security architecture. The CISO optimizes security guidelines, controls identity management and conducts training and awareness courses for employees. Communication skills and a high level of assertiveness are essential, especially when a CISO has to convince employees of the need for IT security and for adjustments to process flows in the company. The discussion about the relevance of the function ends at the latest when the CISO intervenes in a security-relevant incident as the rescuer "Superman" or "Superwoman". Anyone who underestimates such incidents, IT gaps and cyber attacks blatantly misunderstands the role of the CISO.

Safety where threads come together

A lot of work awaits the IT security experts in the critical infrastructure. In hospitals they often find IT systems and software applications that run in parallel like a patchwork and are not always compatible, which creates a gateway for sensitive data to be spied out. In addition, these experts must strategically consider the clinics as interfaces for the networking of practices and health insurance companies. This multisectoral networking beyond the borders of the hospital, from nursing to outpatient care in doctors' practices, is also a sustainability goal formulated by policymakers.

Processes and responsibilities will continue to change with digitalization. There is no going back, and going back would run counter to any progress. HAGER Executive Consulting, which has focused on digitization and networked technologies since it was founded more than 25 years ago, has been observing the challenges for a long time: the more technology and AI are used in therapy and diagnostics, the more complex the requirements for IT security in critical healthcare infrastructure become.

Managing the latter and always finding the balance between data security and entrepreneurial effectiveness is the task of specifically trained IT security experts, wherever the threads have to come together quickly and transparently, whether in laboratories or in health authorities or clinics. However, the prerequisite for this is a changed mindset and a culture of urgency among those responsible. Again: IT security is not a niche, but permeates all areas of healthcare. Politicians should not always have to demand or even force measures to be taken. Personal responsibility is required.

The message of optimal IT security has not yet reached everyone, but ignoring it would mean exposing yourself to avoidable risks and, above all, an enormous loss of trust on the part of patients.


The authors: Dr. med. Markus Neumann, Business Unit Manager Life Sciences & Healthcare, and Michaela Bender, Healthcare Manager
