In publica commoda

Press release: Making hospital staff fit to fight cyber-attacks

No. 18 - 11.02.2022

Research team led by the University of Göttingen designs customized training courses


Cyber-attacks to hospitals pose an increasing threat to data security and healthcare in German hospitals. Simple human error is often the way that hackers trick their way into the system. The project “KISK: Kompetenzorientierte und stellenspezifische IT-Sicherheit für MitarbeiterInnen in Krankenhäusern” (Competence-oriented and job-specific IT security for hospital staff) aims to achieve a more considered handling of technology in critical infrastructures. The University of Göttingen – together with the University Medical Center Göttingen (UMG), the University of Hohenheim and 13 German hospitals – is developing a staff-specific strategy for greater cyber security in German hospitals. The German Federal Ministry of Health has awarded the project €609,000 over three years.  


Cyberattacks such as "WannaCry" or "Emotet" have shown that hospitals have also now become the focus of cybercriminals. "This has devastating consequences," explains Kristin Masuch, KISK project manager and staff member at the University of Göttingen's research group for Information Security and Compliance. Manuel Trenz, Professor of Information Systems, explains: "Cyber attacks do not only involve the theft of highly sensitive, personal data about patients. In fact, past incidents have shown that computerised processes in affected hospitals can be disrupted to such an extent that health care can be affected."


It is clear that attackers' methods are becoming increasingly sophisticated. "We see our staff being targeted by cybercriminals," explains Dr Holger Beck, the UMG’s Information Security Officer. "In the past, a typical attack consisted of easily recognizable phishing emails. Today, we see that attackers increasingly have precise information about their targets, the type of work they are carrying out and their IT usage. They can then launch a targeted attack tailored to their victim. This means that we need to make sure our staff receive training designed to meet their needs according to their job role and the realistic threat they face."


KISK will enable scientists to develop a blueprint for cyber security in German hospitals. In the first step, they will identify where skills in cyber security are lacking. They will then develop job-specific skills profiles for cyber-secure work behaviour. In each case, the researchers will take into account the different staffing groups, including staff working in patient care, administration, or medical technicians. Based on this, the team can design training and evaluate whether these courses meet the actual threats facing their staff. "The results from KISK will serve as a template for German hospitals to train their employees in a tailored way focussing on delivering skills to meet their needs. One-size-fits-all approaches, where everyone receives the same cyber security training, have had their day," explains Professor Simon Trang, Junior Professor of Information Security and Compliance at the University of Göttingen.



Kristin Masuch

University of Göttingen

Information Management, Smart Mobility Research Group

Tel: +49 (0)551 39-29914