Cyber ​​attacks on hospitals: “the question is not whether it will happen, but when”

Cybersecurity is gradually becoming part of hospital culture, but it is not yet established practice. That is the takeaway from the International Forum on Cybersecurity (FIC) conference held on Tuesday, January 24, in Paris, entitled “Hospitals: how to strengthen cybersecurity preparedness?”

The speakers were Vincent Trely, President and Founder of Apssis (Association for the Security of Health Information Systems); André Zafiratos, Director of Information Systems at the Cognac-Jay Foundation, a social-solidarity organization (elderly care, health, education, palliative care, autism, Alzheimer’s disease); and Guillaume Gingouinet, engineer at OneTrust, a risk management and health data protection company.

Although cyberattacks on hospitals punctuated 2022 (the latest to date targeted the André Mignot hospital in Yvelines), hackers have little desire to go after them specifically, says Vincent Trely: “They fall into the cracks of the attacks, often by accident.” Medical institutions are nevertheless an easy target, where there are still “tens of thousands of Windows XP workstations, medical devices purchased in the 1990s or 2000s …”, the expert lists.

The latest report from the National Information Systems Security Agency (Anssi), also published on January 24, notes that hospitals are the third most targeted sector (10% of the ransomware incidents handled by or reported to Anssi in 2022), after very small, small, medium and mid-sized enterprises (40%) and local authorities (23%).

Dax Hospital still has “65% of its computer equipment” unrepaired

A cyberattack is no trivial matter for a hospital, Vincent Trely recalls. “In the event of a cyberattack, there are big decisions to be made, such as ‘which patients should be resuscitated?’” The hospital must then operate for several days in degraded mode, turning away all emergencies. “The surgery center has to cancel a whole series of elective surgeries because there are no radiographs. Without pictures, there are no exams in biology. Everything that is sensitive is completely disorganized,” the president of Apssis laments.

Nor is it enough to press a button to reboot the system. Nearly two years after the massive cyberattack, “65% of the computer equipment [of the Dax University Hospital, in the Landes] is still not repaired,” the expert illustrates. All patient data was also lost, forcing caregivers to re-enter everything, and not all programs have returned to normal operation. “Requesting a biology exam takes four hours, compared to 45 minutes before,” complains Vincent Trely.

“Human error” at the root of failure

After the 2019 cyberattack on the Rouen University Hospital (Seine-Maritime), the first to affect a hospital of that size, medical facilities were forced to adapt. “The question is not if it will happen, but when,” summarizes Guillaume Gingouinet. Hospitals now keep backups or distribute their data so they do not lose everything in an attack. “You also need to provide encryption so that the data is not readable even from the outside,” adds the OneTrust engineer.

The experts are calling not only for better technology but also for a change of culture within hospitals. “Each time, failures are based on human errors,” emphasizes André Zafiratos. “In the event of an attack, leaders need to know how to manage crisis communication and make decisions very quickly: which service goes dark, return to paper format, cancel x-rays …” According to the Cognac-Jay Foundation’s Director of Information Systems, “the gap remains horrendous” between the practice of some hospitals and what Anssi recommends.

In its annual report, the agency deplores the “uncontrolled use of digital technologies, weaknesses in data protection” and organizations’ lack of commitment to adapting, while warning of the threat. “The use of the cloud and the outsourcing of services to digital service companies, when not accompanied by appropriate cybersecurity requirements, poses a serious threat,” Anssi writes.

Funds for cybersecurity software, but few hands to run them

According to the three experts, the government took the initiative on this immediately after the cyberattack on the Rouen University Hospital. “Faced with the risk of cyberattacks on the healthcare system, cybersecurity at the level of each healthcare facility has become a national priority,” then Health Minister Agnès Buzyn said in 2019. A national caregiver awareness plan was launched, followed in 2021 by the creation of the Permanent Observatory on Healthcare Information Systems Security (Opssies). “This is not just another institution: it serves to map the practice of the various hospitals, because there is a lot of heterogeneity,” Vincent Trely explains.

Yet the resources allocated to cybersecurity remain the crux of the matter. In December 2021, at least one billion euros was allocated to the sector as a whole, with the aim of bringing French champions to the fore. Following the attack on the Sud-Francilien hospital center in Corbeil-Essonnes (Essonne) in August 2022, Anssi was also given an additional 20 million euros to improve its support for hospitals.

In December last year, crisis exercises were announced in institutions considered a priority, and a digital “white plan” is due early this year. In this context, Vincent Trely is calling for pooling across hospitals rather than dispersal between institutions. “Let’s combine management, roadmap, RSSI [the information systems security officer] … The worst thing would be to say: we are going to give everyone some money, because then everyone will have weak protection, 50,000 euros each, not very effective.”

The required RSSIs still have to be available. “It is hands that are missing, more than skills,” says André Zafiratos. “The people I see are talented, but the problem is remuneration, even when you’re working for the ‘common good.’” Beyond higher pay, the private sector has the advantage of being much more responsive and stimulating for younger employees. “In a hospital, when the information security officer requests a system audit for 15,000 euros, sometimes it takes four months. Some people throw in the towel,” sighs Vincent Trely. Yet computer engineers are still needed to triage the alerts from cybersecurity software, which is mainly about detection. One more reason for hospitals to adapt as quickly as possible.
