Every month, the University Hospital Zurich (USZ), like other companies, experiences tens of thousands of attempted attacks by cybercriminals from the Internet. To ensure that these attacks remain unsuccessful, the USZ relies on a variety of precautions – recently also on cooperation with the «ethical hackers» from Bug Bounty Switzerland.
News coverage on SRF 10vor10
It sounds a bit strange: to protect itself from hacker attacks, the USZ, as the first Swiss hospital to do so, has been working with hackers since 2021. Of course, these are not criminal hackers. The USZ’s partners are «ethical hackers», i.e. specialists who use their skills to improve IT security. However, their work is comparable to that of a criminal hacker: in a bug bounty programme, ethical hackers, like their criminal counterparts, look for loopholes through which they can penetrate the IT systems.
With hackers against hackers
«The big advantage of Bug Bounty is that it simulates a real situation», says Erik Dinkel, Chief Information Security Officer of the USZ. «Technical checks of potential vulnerabilities with security software are right and important. But only real people think like hackers. Bug Bounty is thus an optimal complement to technical testing.» In a pilot project, the USZ had ethical hackers examine USZ systems, and they did find potential vulnerabilities that the previous tests had missed. Thanks to the hackers’ reports, these vulnerabilities were closed quickly, and time is a key factor in the fast-moving world of cybercrime.
«Because the experience has been so positive and we see a significant gain for the USZ’s cyber security, we are introducing Bug Bounty as a continuous process of the information security strategy at the USZ. This also makes sense in terms of cost. After all, repairing potentially major damage caused by a cyber attack is many times more expensive than preventive measures.»
Erik Dinkel, Chief Information Security Officer at the USZ
Hospitals under attack
Erik Dinkel is not describing a distant, unrealistic scenario, but an acute problem in healthcare. Hospitals are attractive targets for cyber criminals because uninterrupted access to their data and systems is essential for patient safety. At the same time, advancing digitisation increases hospitals’ dependence on IT and thus their vulnerability to a cyber attack. Attackers therefore expect healthcare institutions to pay ransoms quickly after a successful attack.
The USZ, too, is permanently under attack and must arm itself accordingly. «In recent years, we have steadily expanded our technical IT security infrastructure and established a Security Operation Center», explains Erik Dinkel, Chief Information Security Officer at the USZ. In addition, the team, together with the technical specialists, continuously adapts the measures for responding to a successful cyber attack. «Even the best protection can be breached. It is crucial how quickly we can react to a cyber attack to avoid far-reaching consequences. Technologies and threats are constantly evolving. We have to be prepared for this, both preventively and reactively», Erik Dinkel adds.
«Bug Bounty is one of the most efficient ways to protect against cyberattacks. That’s because it’s the best method for stress testing in real-world conditions. It’s also cost-effective because you don’t pay until you find something, compared to traditional penetration testing.»
Erik Dinkel, Chief Information Security Officer (CISO) at the University Hospital Zurich (USZ)