Of course, a health care company handles a great deal of sensitive data. What risks is it exposed to as a result? What can be done to safeguard production sites and clinics? Is cybersecurity as exciting as it sounds? The Group Cybersecurity Office (GCSO) team protects the Fresenius Group against cyber risks. Ralf Garrecht, Group Head of Cybersecurity, and Marius Fetzberger, Head of GCSO, tell us about their day-to-day work.
Cybersecurity is a term many people know from crime thrillers and associate with hackers and suspense. How exciting is your job?
Ralf Garrecht: At times – for example if there is a specific threat or attack – it can be pretty stressful, especially when we have to work night shifts. But in our day-to-day work the focus is on identifying risks, deriving measures, and then implementing them.
Marius Fetzberger: Thinking of cybersecurity from the perspective of patients and using the necessary structures and technologies to address these challenges in a large company like Fresenius is exciting in principle. A large part of our work involves establishing a culture of awareness of cyber risks in the company. That requires a great deal of experience and creativity, as well as a desire to learn new things and adapt to constant change. Apart from that, we must continuously update and expand our knowledge and be extremely flexible and prepared in the case of an attack. What is fascinating about the job is the many different challenges we face that are demanding, both personally and professionally, but also allow us to grow.
What exactly are the dangers Fresenius is exposed to through cyberattacks?
Ralf Garrecht: We are the largest clinic operator in Europe and treat the most patients worldwide, which means that we also handle a huge amount of sensitive patient data. On top of that, we make medical products. And of course, our job is also about protecting intellectual property. That means we have to keep an eye on the entire value chain.
Marius Fetzberger: The predominant threat is from so-called ransomware attacks – cases that you often see in the media that target mainly large, attractive companies with a critical infrastructure. The hackers try to disable processes or steal data in order to blackmail the companies.
Have these threats increased in recent years? How do you defend the company against them?
Marius Fetzberger: It has become more lucrative for the attackers. For example, in their latest assault, the REvil ransomware operation demanded 70 million USD from its victims. There are plenty of tools available for this, e.g., in the darknet, which has fueled the trend. The GDPR has compounded the issue because awareness of data protection has increased, and victims of such attacks are even fined. That means hackers can use the pressure on organizations to boost their chances of getting the money.
Ralf Garrecht: When it comes to defense, it is important that we work together and learn from best practice how to protect each other.
What does that mean exactly? How do you go about it?
Ralf Garrecht: We are in close contact with colleagues at other DAX-listed companies and exchange information regularly. We also talk to the authorities, such as the BKA or the BSI. For example, at Fresenius we have an expert on the team with a military background.
Marius Fetzberger: We analyze the risks along the value chain. Then we decide what measures we must take and monitor to safeguard our hospitals, medical equipment, production sites and employees. We can only do that together as a company. It is essential that we work closely with all cyber experts and decision-makers in the Fresenius Group. Only then can we provide strong basic protection for our digital backbone (such as IT, OT and IoT) at Fresenius.
Isn’t it also part of your job to raise awareness among employees?
Ralf Garrecht: Yes, of course! The human factor is always extremely important when it comes to security. We have a comprehensive training concept in place that raises awareness of cybersecurity in all areas of the company – starting with the simplest things like phishing mails, because they can be a way of getting into the company. But we also train groups in the company that require special measures, such as IT officers in production. We make sure that everything is programmed and documented clearly. And we train the staff who operate medical equipment in the clinics.
Marius Fetzberger: Collaborating closely with the operating units is essential because that is where the security measures are put into effect in practical terms. We work with other cybersecurity experts throughout the group. At the same time, we use technologies that allow us to support employees in this area in the best possible way. With the help of artificial intelligence and automation, we can increasingly improve the interaction between humans and technology to address cyber threats comprehensively and quickly.
What are your backgrounds and what brought you both to Fresenius?
Ralf Garrecht: I studied information systems and have always worked in IT. At the same time, the link to business is also important, in my mind. The focus in my career so far has been on information security. What I particularly like about Fresenius is the complexity and heterogeneity of the company. But even more than that, it is important to me personally that Fresenius has the mission to provide more and more people with increasingly better medicine.
Marius Fetzberger: I worked at two management consultancies on the topic of information security. I first came to Fresenius as an external consultant and then stayed here. I originally trained as an IT specialist, and then added a degree in information systems. I find it very exciting to work in cybersecurity in a company that supplies important and critical products that fulfill a purpose. I draw a lot of motivation from implementing cybersecurity for the wellbeing of our patients.
What skills do you expect future colleagues to have?
Ralf Garrecht: Of course, they need a certain technical understanding. Information systems, data science – those are the basic skills we are looking for. But what is most important is something you won’t find in a CV: curiosity, perseverance, and an interest in cybersecurity. This blend of technical expertise and passion is what we need. In other words, the indispensable foundation for candidates is enthusiasm for the topics we deal with.