Health, a sector under high (cyber) tension

First observation: cyberattacks against hospitals already under extreme pressure. While they have left their mark on people’s minds because of their barbaric and unscrupulous nature in the face of heroic teams of caregivers, they have also highlighted—as in the case of the Dax and Villefranche-sur-Saône hospitals (see Box 1)—the extreme vulnerability of health information systems to ‘classic’ attacks (which have been known about for years) and the obsolescence and lack of resilience of these systems, which has been denounced loudly for years by the CISOs of hospital and medical establishments. According to the 2021 Public Report of the Observatory of information system security incidents for the health sector, published in spring 2022 by the French Ministry of Health and Solidarity, « in 2021, 582 establishments reported 733 incidents, i.e. almost double the number in 2020 […]. An increase in attacks has indeed taken place, but it must also be attributed to the incident reporting obligations and the specific health policy implemented in 2021. »

Major attacks on health care institutions in France

In 2020, no less than 27 attacks affected French hospitals. Since the beginning of 2021, the health sector has been experiencing one cyberattack per week.

• • • • On the night of 8-9 February 2021, the Dax hospital fell victim to ransomware. Malicious software encrypted the institution’s data, paralysed its computer system, and cut off all electronic devices, including telephones and computers. This has had an impact on healthcare services.
      • On 16 February 2021 at 4.30am, the Villeneuve-sur-Saône hospital fell victim to the RIUK ransomware, which affected the Villefranche, Tarare, and Trévoux sites. The perpetrators of the attack demanded a ransom to unlock the system’s data. To prevent the virus from spreading, access to the information system and the Internet was cut off and surgical operations were postponed…
      • On 21 December 2020, the Albertville-Moutiers hospital was the victim of a ransomware attack, which forced staff to work in downgraded mode for several weeks. Due to the encryption of the data and as a precautionary measure, almost the entire IS had to be shut down, affecting many essential services.
      • On 15 November 2019, the Rouen university hospital was the victim of a large-scale attack that paralysed all its services for several days, necessitated the transfer of some patients to other establishments, and caused the postponement of all scheduled interventions. The attacker had deployed malicious software that encrypted the information system’s data.
      • On 10 August 2019, the French healthcare group Ramsay was the victim of a large-scale cyberattack, with 120 sites affected but with no consequences for patient care or management. No data was misappropriated or destroyed.

The attacks are not new: « it’s mostly ransomware attacks, operational incidents, and an attack on the IP addresses of bio-medical equipment. There is nothing new under the sun, » sighs this expert in public health. According to the above-mentioned 2021 Report, the 733 incidents reported by the 582 health establishments gave rise to interventions for 37 establishments, carried out by the Health CERT (see Box 2), Anssi and the FSSI. Anssi worked with 29 public health establishments, including 18 OESs (operators of essential services). « These incidents were linked to ransomware attacks, Trojan horse compromises, account compromises (AD, VPN, or messaging systems), the sale of login details on the Internet, the exploitation of vulnerabilities in security equipment, or serious malfunctions of critical systems. »

Guillaume Deraedt, former CISO of the Lille university hospital and (since March 2022) CISO of the Côte d’Opale GHT—a group of hospitals that comprises the 3 establishments of Boulogne-sur-Mer, Calais, and Camiers)—notes « a rise in cyberattacks using phishing, ransomware, and encryption software against health establishments, with a development that consists, not in threatening to encrypt data, but in showing data that has already been exfiltrated and encrypted as proof of the attack, and in demanding a ransom to be able to recover it. » However, it is the official state doctrine transmitted to any public or private organisation to never pay the ransom—so as to not encourage these attacks—and to immediately lodge a complaint. Furthermore, as Guillaume Deraedt explains, « there is no guarantee that the data has not already been duplicated and sold elsewhere to other hackers who will do the same. »

Especially since, as he points out, « the multiplication of measures to combat Covid has generalised the use of IT by individuals and doctors, but also increased the circulation of data between general practitioners, health insurance, government platforms, and health establishments. » Although there have been no notable incidents or leaks of such sensitive data as the contraction or otherwise of various forms of Covid (serious or not)—which ultimately shows the robustness of the solutions deployed in record time and the adaptation of the entire population, including senior citizens, to these processes—this pandemic has also considerably increased the potential surface area for attack through the increase in the volume of data exchanges and the interoperability of systems.

Beyond the pandemic, the geopolitical context (with the outbreak of war in Ukraine) has also raised—if it were still necessary—the level of extreme sensitivity on this issue: Anssi has issued a certain number of recommendations, and it is clear that health establishments—which handle data qualified as very sensitive—have increased their vigilance in this field. For instance, Russian anti-virus systems have been changed in several hospitals for a Western, or even European, solution, even though this is never officially stated.

However, as Guillaume Deraedt points out, « health data is sensitive and critical by nature. It is of interest to governments, insurance companies, banking organisations, etc. » In the dark web, you can find bank card numbers on the fly for a few handfuls of euros, dollars or bitcoins to usurp a bank identity for online commerce, but health data are up for sale for a few hundred euros, or even more if it is really critical. If citizens’ health data are roaming around and can be exploited by malicious individuals or organisations, this is enough to cause fear and to fuel serious panic.

Though hospital practices and tools have evolved, and though the pandemic has led to an awareness of the urgent and absolute need to take into account the risk of cyberattacks in health establishments and motivated a public policy that is very proactive in this area (see Box 2), the observation shared by professionals in the sector is chilling: the Observatory’s 2021 Report (already cited) clearly identified, in the attacks recorded, « serious malfunctions of critical systems. » These can create what is called in the medical field—with a consummate art of periphrasis—a risk of « loss of chance » for a patient. In other words, a patient’s life can be put at risk…by a computer flaw or malfunction. Unfortunately, this observation does not surprise the CISOs who live with it every day, complain about the obsolescence and state of disrepair of their systems, their lack of resources, the inanity of public policies that have followed one another for decades without any logic other than financial, and shudder to see that their systems are on the brink of collapse every day, for lack of an appropriate policy that—as in the entire medical sector—is in fact reactive rather than proactive. Especially since, with the need to « catch up » on acts delayed because of the pandemic and an ever-present virus, priority is given to operations and not necessarily to the inevitable constraints generated by IS security: « It’s so tense in this context that systems security is seen perceived by the healthcare teams as a stone in the shoe and an additional constraint, » sighs Jean-Sylvain Chavanne, CISO of the Brest university hospital. « Priority is often given to operations and systems security is too often the adjustment variable, » adds Cédric Cartau, CISO and DPO of GHT44.

The pandemic, a real policy for accelerating cyber health?

Since 1 October 2017, health establishments have the obligation to report their information system security incidents (Art. L 1111-8-2 of the French Public Health Code). This duty has been extended to medico-social establishments by an order of 18 November 2020. These incidents must be reported through a portal on « adverse health events » on a dedicated section of the website of the Ministry of Health and Solidarity. Any data breach must be reported to the Cnil within 72 hours.

The pandemic has accelerated public policies in this area. The programme entitled « Ségur du Numérique en Santé, » launched in July 2020, provides for an investment of €2 billion to support the development of digital health in France, including in particular the SUN-ES programme (for « Ségur Usage Numérique en Établissements de Santé »), which aims to bring all health establishments to a greater level of maturity in their information systems through the secure sharing of their data. The amount allocated to finance this programme is €210m financed by the National Recovery and Resilience Plan (in French, ‘PNRR’).

A Health CERT was set up in the second quarter of 2021, announced in May 2021 by Olivier Véran—then Minister for Health and Solidarity. Similarly, Emmanuel Macron, in his « national cybersecurity strategy, » presented on 18 February 2021, which devotes one billion euros and the doubling of jobs in this strategic sector by 2025, « [invites] health structures to systematically devote 5 to 10% of the budget to cybersecurity, in particular to maintaining the security of IS over time. » The answer from those concerned: what budget?

The 2021 Report of the French Ministry of Health and Solidarity’s Observatory, in its dry objectivity, notes that « the proportion of non-malicious incidents linked to a malfunction of the infrastructure is 60%. » In other words, it is the majority…

A word to the wise.