On 30 June 2023, “Anonymous Sudan”, a group of African hackers, claimed responsibility for a cyberattack affecting several hospitals in France. The attack was in response to the death of Nahel, the teenager who died in Nanterre on 27 June 2023 after refusing to comply with a traffic stop.
The DDoS attack knocked out access to some Paris University Hospitals Trust websites for between one and three hours, including those of the Pitié-Salpêtrière hospital, the Saint-Antoine hospital and the American Hospital in Paris. The websites of Marseille University Hospitals Trust and of Lyon University Hospital were also affected.
Although the search for any connection between these care facilities and the tragedy that befell the young man is still ongoing, the incident illustrates a grim reality: hospitals are prime targets for all kinds of cybercriminals. In 2021, healthcare institutions reported 733 cybersecurity incidents.
The National Conference on the Security of Health Information Systems is therefore more relevant than ever. More than 230 professionals from the healthcare sector took part in workshops, talks and debates at what was the 11th edition of the conference, held in Le Mans from 13 to 15 June. The recent DDoS attack by Sudanese hackers will have had only a limited impact, especially when compared with the myriad ransomware attacks that have hit – and are still hitting – hospitals.
The good news is that things are looking up for hospitals on the cyber front. The French Digital Health Agency (ANS) recorded just 522 reports of cyber incidents in 2022, down almost 29% compared with 2021, as Marc Loutrel pointed out during his speech at the conference.
Cyber incidents down in hospitals
This fall is set to continue in 2023, according to the former head of the ANS’s expertise, innovation and international department: “The trend is positive, and we can see that our joint efforts are starting to pay off.” The bad news is that the French National Cybersecurity Agency (ANSSI) has confirmed “the trends first seen in 2021, with ever more sophisticated attacks and attacker profiles that are increasingly difficult to distinguish between state-sponsored attackers and cybercriminals”, said Laure Duhesme, ANSSI’s health sector coordinator.
It is when faced with these most serious incidents that the wide-ranging experiences shared at the APSSIS conference really come into their own. These include not only procedures that need to be implemented, staff training, incident response training and the technical solutions deployed, but also legal and regulatory requirements. Not all facilities have the same level of cyber risk maturity, but they can all benefit from sharing the lessons learned from sometimes extreme situations.
“In three years, I’ve had to deal with nine incidents, two of them quite serious,” said Vincent Genot, CISO at Dordogne Regional Hospitals Group (RHG), as he set the scene before explaining his response to a ransomware attack in 2022. With around thirty of the RHG’s servers already encrypted by the hackers when he got involved, Vincent Genot had little time to limit the damage. Anticipating incidents and preparing the response to them in advance therefore played a crucial role at the height of the crisis, but also during the systems recovery phase after the attack.
Making people “the strong link in cyber defence”
The speakers and participants at the round tables addressed a wide range of technical, organisational and managerial concerns, not to mention educational ones, such as Arnaud Meunier’s presentation. The CISO at the Union Hospitalière de Cornouaille RHG explained how, working with François Machacek, head of SIGMA’s outsourcing services, he has succeeded in involving all staff in day-to-day cybersecurity. Using comic strips, online and offline materials, and an educational approach that is both fun and non-judgemental, the initiative has, according to its sponsors, helped turn people into “the strong link in cyber defence” at the Union Hospitalière de Cornouaille RHG.
Other round tables focused on the extremely sensitive subject of data management. Data is the new gold mine for healthcare organisations. Making the best use of this data will not only ensure effective patient follow-up, but also drive future medical progress, particularly with AI-assisted diagnosis. Representatives from Alcatel-Lucent and Keenturtle explained how data can be shared effectively and securely.
Coralie Lemke, author of My Health, My Data (published by Premier Parallèle), gave an overview of how health data use has evolved, from the first clinical trials to medical AI, not forgetting the blunders, like when the UK’s National Health Service (NHS) sold health data to private-sector companies.
AI and blockchain to tackle cyber risks
In addition to specialised lectures on technical aspects of hospital cybersecurity, such as IoT security, AI and blockchain in healthcare, vulnerabilities in Microsoft products, Cyber Threat Intelligence and the best ways of securing web applications and other APIs, participants had the opportunity to gain some completely new insights.
This was certainly the case with astronaut Jean-François Clervoy’s talk entitled “Preparing for the Worst, Hoping for the Best”, but the opening and closing sessions of the conference also offered different perspectives. The first session outlined the changing environment for cybersecurity managers in the medical sector, while the second focused on the changing nature of the CISO profession itself. Because in this field too, “there is no wealth except in men”, as Jean Bodin pointed out back in the 16th century.