2023-07-07 05:00:00
In August 2022, the Corbeil-Essonnes South Ile-de-France Hospital Center was the victim of an attack with serious consequences: computer systems shut down, preventing the registration of new patients in the emergency room, and the theft of personal data of many patients from the hospital with a ransom demand. Faced with the hospital’s refusal to pay, the attackers had uploaded 11 gigabytes of personal and medical data of patients, employees and partners. Among these data: reports of examinations, colonoscopies, deliveries or gynecological examinations.
Cyberattacks against local authorities: is the worst yet to come?
And the incident is far from isolated, since cyberattacks on hospitals have multiplied in recent years. In 2021, 730 cyberattacks on hospitals were recorded by the Digital Health Agency (ANS). According to Adrien Merveille, cybersecurity expert at CheckPoint “Visible attacks, reported by agencies or published by attackers, are definitely on the increase. “. Observations on a panel of customers of the company in France as proof: over the last six months, CheckPoint estimates the number of attacks on average 400 per month and per hospital and health organization in France. Dax, Villefranche, Versailles, Corbeil-Essonnes… Examples are legion.
Almost a year after the attack on the CHSF in Corbeil, if a collective awareness seems to have been recorded among the players in the health sector, the shortage of manpower and the lack of awareness are still weakening the ambition of a fight widespread against the cyber threat. And this despite a large budget released.
Vulnerable targets
Hospitals are obviously vulnerable and privileged structures for hackers: if ransomware attacks are the most frequent, hospitals are particularly exposed to the theft of personal data. Also, they often face an extortion which operates on two levels: with a demand for ransom on the one hand (although officially, no public hospital has ever paid), and with a theft of data which will then be used. The sale of medical records is indeed a very lucrative business for the attackers, the price of a file being estimated at around 350 dollars each. This data is in most cases reused for phishing.
Physical intrusions (with the introduction of a USB key into a computer), although never officially recorded, are also part of the risks for open spaces such as hospitals: surveillance is minimal in the premises, the security of the information system often obsolete… In addition, the use of interconnected medical objects, cameras and other surveillance systems, introduces more vulnerabilities, since all the devices are often connected to the same network sockets.
A large budget released
The problem is however taken seriously, as evidenced by the aid released for the various hospitals: in the past two years, the government has invested 25 million euros to have Anssi, the National Agency for the Security of Systems of information, the150 largest hospitals (out of more than 3,000 establishments, including 1,300 public) qualified as vitally important, as part of a security plan. After the attack on the CHSF in Corbeil, Jean-Noël Barrot, Minister Delegate in charge of the Digital Transition and Telecommunications, announced the injection of an additional 20 million euros for ” doubler » the number of beneficiaries of this support.
As part of the France Relance plan, the government had also invested 136 million euros in the form of calls for projects, allowing hospitals to buy new cybersecurity tools. If the means are there, the shortage of manpower and the lack of awareness in the hospital environment remains the heart of the problem.
A shortage of skills and a lack of awareness
In a now-deleted LinkedIn post, an information systems security officer (CISO) shared his distress in dealing with cyberattacks: Hospital security is terrible. […]. I am alone as CISO for ten establishments, with three people in operational security but who do not only do that “. The shortage of cybersecurity skills in hospitals remains a fundamental problem, regardless of the amounts injected. This is due to the lack of training, knowledge, and a tight budget for hospitals, which tend to prioritize their workforce of nursing staff over those of security.
At Campus Cyber, 160 experts trained in the worst-case scenario of a cyberattack
Moreover, if awareness tends to grow, cybersecurity is still not a central issue for many hospitals. Also, for Pierre-Antoine Failly Crawford, head of the incident response team at Varonis, it must urgently find its place ” at the heart of the strategic will of hospitals with the granting of greater responsibility to CISOs, for example, “ often barely consulted when it comes to purchasing cyber tools and software “. On the same level, the question of raising the awareness of healthcare personnel appears essential: cybersecurity experts deplore the lack of “ culture cyber » and pay attention to simple actions to protect yourself online: recognizing attachments and malicious emails, locking computers, etc.
AI to the rescue of hospitals?
The development of artificial intelligence in recent months has given hope to the hospital sector, which sees in machine learning in particular a way to overcome the shortage of skills in the sector. The idea is for an AI to learn recurring malware patterns to make it easier to detect and deal with later.
But the sword could be double-edged: the development of generative AI would benefit attackers as well. Always more efficient, chatbots like ChatGPT for example, are now able to write phishing emails to perfection. To monitor.
1688954967
#French #hospitals #vulnerable #cyberattacks