University Hospital Zurich: With hackers to more IT security

Hospitals are particularly exposed and are among Switzerland’s critical infrastructures. The USZ is now setting a new security standard with its Bug Bounty program.

Published on 5 March 2022

Every month, the University Hospital Zurich (USZ), like other companies, experiences tens of thousands of attempted attacks by cybercriminals from the Internet. To ensure that these attacks remain unsuccessful, the USZ relies on a variety of precautions – recently also on cooperation with the «ethical hackers» from Bug Bounty Switzerland.


News coverage on SRF 10vor10

It sounds a bit strange: to protect itself from hacker attacks, the USZ has been working with hackers since 2021, as the first Swiss hospital to do so. Of course, these are not criminal hackers. The USZ’s partners are «ethical hackers», i.e. specialists who use their skills to improve IT security. However, their work is comparable to that of a criminal hacker: in a bug bounty program, ethical hackers, like their criminal counterparts, look for loopholes through which they could penetrate the IT system.

With hackers against hackers

«The big advantage of Bug Bounty is that it simulates a real situation», says Erik Dinkel, Chief Information Security Officer of the USZ. «Technical checks of potential vulnerabilities with security software are right and important. But only real people think like hackers. Bug Bounty is thus an optimal complement to technical testing.» In a pilot project, the USZ worked with hackers to check USZ systems and actually found potential vulnerabilities that the previous tests had not uncovered. These vulnerabilities were quickly closed thanks to the hackers. And time is a key factor in the fast-moving world of cybercrime.

«Because the experience has been so positive and we see a significant gain for the USZ’s cyber security, we are introducing Bug Bounty as a continuous process of the information security strategy at the USZ. This also makes sense in terms of cost. After all, repairing potentially major damage caused by a cyber attack is many times more expensive than preventive measures.»

Erik Dinkel, Chief Information Security Officer at the USZ

Hospitals under attack

Erik Dinkel is not addressing a distant, unrealistic scenario, but an acute problem in healthcare. Hospitals are attractive targets for cyber criminals because access to their data is essential for patient safety. At the same time, advancing digitization increases hospitals’ dependence on IT and thus their vulnerability to a cyber attack. Attackers therefore expect quick ransom payments from healthcare institutions in the event of an attack.

The USZ is also permanently under attack and must arm itself accordingly. «In recent years, we have steadily expanded our technical IT security infrastructure and established a Security Operation Center», explains Erik Dinkel, Chief Information Security Officer at the USZ. In addition, the team, together with the technical specialists, continuously adapts the measures for responding to a potentially successful cyber attack. «Even the best protection can be breached. It is crucial how quickly we can react to a cyber attack to avoid far-reaching consequences. Technologies and threats are constantly evolving. We have to be prepared for this, both preventively and reactively», specifies Erik Dinkel.

«Bug Bounty is one of the most efficient ways to protect against cyberattacks. That’s because it’s the best method for stress testing in real-world conditions. It’s also cost-effective because you don’t pay until you find something, compared to traditional penetration testing.»

Erik Dinkel, Chief Information Security Officer (CISO) at the University Hospital Zurich (USZ)
