The axe did not take long to fall. After demanding a $10 million ransom from the Corbeil-Essonnes hospital they had just breached, the cybercriminals went on to leak administrative and personal data. A few weeks later, it was the turn of the Versailles hospital to be hit by a cyber attack. These events highlight the intensification of cyber attacks against French hospitals and their fragility in the face of this type of threat, but also the lack of cyber security awareness among healthcare personnel and users.
Another case in the long list of cyber attacks
On December 3, the André-Mignot hospital in Versailles was hit by a cyber attack. Part of its computer estate was completely blocked. The hospital, with 700 beds and 3,000 staff members, brings together examination services and all short-term and outpatient care; it is also an administrative, logistical and technical centre. Faced with this cyber attack, the management shut down the computer system. Reception was subsequently limited, particularly for emergencies. A crisis unit was opened at the Regional Health Agency (ARS), and the National Information Systems Security Agency (ANSSI) was also brought in to manage the crisis.
In September, the Russian hacker group LockBit 3.0, which carried out the cyber attack against the Centre hospitalier sud-francilien de Corbeil-Essonnes (CHSF), began leaking 11 GB of sensitive content after the hospital refused to pay the ransom. The data concerns patients, staff and partners, and includes items such as examination reports and records of colonoscopies, childbirths and gynecological visits.
Hospitals are paying a high price for accelerated digitization carried out on an insecure IT ecosystem. These new attacks add to already alarming figures: 730 attacks in 2021 [1] according to the Digital Health Agency (ANS), including the attack on Villefranche-sur-Saône (Rhône), where 3,000 computers were shut down, and the one on Dax (Landes), which caused the loss of patient data and required an entire computer system to be rebuilt at an estimated cost of 2.4 million euros.
Hospitals: vulnerable targets
Cyber attacks on hospitals are not new, and the attack on the CHSF is unfortunately far from an isolated incident, in France and abroad. The recovery plan even included a cyber-attack response mechanism to help hospitals deal with these threats. But nothing worked.
A recent study conducted by the American company Breach Mission analyzes the cyber attacks carried out against healthcare facilities. What emerges from this study? First, that ransomware is the classic means of attack. Second, that the stolen files are resold at exorbitant prices: health data is the most profitable data for cybercriminals. For example, a medical record can fetch up to $350 on the dark web, 50 times the price of banking data [2]. The other notable figure concerns the budget reserved for cybersecurity, which fluctuates between only 4 and 7% of the total budget reserved for information technology.
This situation is all the more worrying as new equipment, telemedicine, interconnected health systems and services, and the Internet of Things (IoT) are taking up more and more space in a large number of devices (pacemakers, insulin pumps, etc.) and generate huge amounts of data that are targets for hackers. Furthermore, the medical act itself is now connected to the various tools the medical profession uses for data transfer, which further increases the attack surface of hospitals.
Finally, and this is not the least of the dangers, these cyber attacks can block systems, leading to total paralysis of the hospital, which is, let us remember, strongly dependent on its information system and on IoT.
France: the cyber protection deficit
Like 2020, 2021 was marked by numerous cyber attacks. According to ANSSI data, an incident of this type occurred in a French health establishment every week. The phenomenon is therefore on a very large scale.
Hospital infrastructures are complex and therefore all the more fragile. This eases entry for hackers, who then spread malware through the systems. Within hospitals, as in a large number of French SMEs, the fight against cyber threats requires a budget not only for protection software and hardware, but also for human resources such as IT teams or services that can carry out awareness actions, essential training and prevention plans. In this context, users and caregivers are not sufficiently trained in cybersecurity, especially when some healthcare facilities manage their own cybersecurity in an autonomous and non-homogeneous way.
Finally, many hospitals lack an information security officer, a position that has become critical, if not essential.
Current defense systems
In this tense context, it must be admitted that the defense system is particularly fragmented, with numerous state services specialized in cyber security. Examples include Cybermalveillance.gouv.fr, launched in 2017 by ANSSI as a national assistance platform for victims, and the Cyberspace Gendarmerie Command (ComCyberGend), set up in 2021, which fights cybercrime and brings together all the digital components of the gendarmerie [3].
At a more global level, ANSSI has led the defense and security strategy for French information systems since 2013 and aims to strengthen the cyber security of strategic national infrastructures. In 2020, ANSSI granted the designation of Operator of Essential Services (OSE) to 100 hospitals, and 13 hospitals received the designation of Operator of Vital Importance (OIV).
Finally, the Cyber Campus has been operational since March 2022, bringing together public and private cybersecurity players (state services, large groups, start-ups and digital service companies). Its mission is to unite French cybersecurity players and create synergies through joint projects.
French and European IT strategy
On April 18, 2021, the President of the Republic presented France's new IT security strategy. The IT security strategy for healthcare and medical-social structures was strengthened with a budget of 350 million euros [4]. In addition, €25 million was earmarked for IT security audits of healthcare facilities, and cybersecurity awareness was integrated into all training courses for healthcare professionals to develop "digital hygiene" practices.
As part of the France Relance plan, ANSSI also received a budget of 136 million euros to strengthen the IT security of the state and local authorities for the period 2021-2022.
At European level, the European Cybersecurity Agency (ENISA) has published a cybersecurity guide for European hospitals that provides recommendations and best practices. This guide complements the digital health roadmap of the Digital Health Agency (ANS) and the Digital Health Delegation (DNS). The goal is to establish governance across the 3,000 healthcare facilities in order to standardize digital practices and information security processes.
Strengthening cyber resilience
IT risk management consists mainly of four areas:
· Prepare, to prevent attacks or limit their impact: staff awareness and training, identification of the main vulnerabilities, and design of a continuity plan at both the strategic and operational level;
· Protect the targeted assets;
· Detect in real time and react quickly;
· Ensure business continuity, both during the crisis and to support a return to normal that is as seamless as possible.
[1] A 70% increase compared to 2020.
[2] https://www.ibm.com/downloads/cas/PJDB7AB8
[3] 7,000 cyber investigators, with the goal of increasing to 10,000, distributed across eleven regional offices and three main centers.
[4] Cyber attacks: the urgent need to strengthen the cyber security of the 135 GHT (reseau-hopital-ght.fr)