The Covid-19 health crisis has seen hospitals on the front line like never before in terms of their exposure to cyber risks. A combination of phishing campaigns, Trojans and ransomware has created a constantly shifting cyber risk. But what’s behind the digital weakness of the hospital sector?
Between February and March 2020, the months that marked the start of the pandemic in Europe, malicious attacks against hospitals rose by 475%, a figure five times higher than in normal times (according to another cybersecurity player). So much so, in fact, that Interpol has become involved, publicly stating its concern at the proliferation of cyberattacks in health establishments. This warning was echoed in late May by an opinion column signed by ex-heads of state and government, former leaders of international organisations, companies and lawyers, among them Ban Ki-moon, Desmond Tutu and Mikhaïl Gorbachev, with Brad Smith as its principal signatory. The article called for concerted action by governments in the face of the cyber threat.
INTERPOL has also warned of the #cyberthreat to the #healthcare industry during these troubled times. With #ransomware attacks against hospitals increasing, #INTERPOL is working with police worldwide to mitigate and investigate these threats https://t.co/Zv6T7m6riE https://t.co/Dbcd8HQqXZ
— INTERPOL_Cyber (@INTERPOL_Cyber) April 21, 2020
The Covid-19 crisis has been a depressing confirmation that systems in hospital environments are hypersensitive to cyber attacks. But is this situation purely a product of current circumstances... or is it a public demonstration of digital weaknesses and issues that have been affecting the health sector for a number of years?
Covid-19 and hospitals: “Operation Hacker” begins
When asked about his daily work as CISO for a regional hospital group (GHT), Charles Blanc-Rolin confirms that in addition to the considerable work the sector has faced in dealing with the crisis and the creation of new dedicated technology units, hospitals are indeed being targeted by malicious attacks themed around the Covid-19 issue. These malicious attacks range from traditional phishing attempts, targeting hospital staff with requests to install fake webmail updates, through to more sophisticated CEO fraud. “Some cyberattackers have claimed to have stocks of FFP2 masks in their attempts to conduct bank transfer fraud against a number of health establishments,” he explains. In France, university hospitals in Paris have fallen victim to a distributed denial-of-service (DDoS) attack aimed at disrupting access to hospital staff email accounts. According to a press release from France’s ANSSI cybersecurity agency, the incident was “handled quickly and efficiently by hospital teams, without any critical impact”.
Operations may not have been disrupted in this case; but for other hospitals, the impact of such cyberattacks has been greater: there have been numerous occurrences of this kind in recent months, with cyber attacks in the United Kingdom, the Czech Republic and in Romania.
A lack of cyber maturity
But what sense can we make of the motivations behind cyber attacks? The evidence shows that hospitals have always been a target of choice for cyber attackers. “There are two main types of financially-motivated attacks against hospitals: health data extraction, and ransomware. Health data is information of ultra-sensitive, strategic value in the running of hospital services – which makes it a target of choice for cyberattackers, being of greater value than ordinary personal data. And when dealing with ransomware, hospitals are unfortunately more likely than other organisations to pay out because of their obligation to ensure continuity of care,” points out Raphaël Granger, Account Manager at Stormshield. “And let’s not forget, either, that just like any other company or organisation dealing with this sudden health crisis, hospitals were unprepared for this double blow,” Charles Blanc-Rolin continues.
In comparison to other strategic sectors such as industry or the banking system, it also appears that health systems generally suffer from a lack of maturity in terms of digital awareness and cybersecurity. For example, the widespread adoption of teleworking among some health staff has not made matters easier for already overworked hospital CISOs. For more information on this subject, Charles Blanc-Rolin’s opinion piece (in French) on the issue of controlling data in a teleworking environment offers an abundance of advice and resources. Similarly, the remote appointment solutions implemented to deal with the influx of patients have increased the attack surfaces presented by hospitals.
The truth is that the suddenness of the crisis has compounded an already difficult situation. And initial flashes of optimism at the start of the crisis – with some hackers such as DoppelPaymer and Maze having stated that they would not attack hospitals – have quickly evaporated, highlighting the underlying structural problems.
Chronic underinvestment in IT
As an example, “the French health system’s IT systems have been compromised by chronic underinvestment”, according to a stark warning issued by French senators Olivier Cadic and Rachel Mazuir in an opinion piece published in early May. “In French regional hospital groups, only 1% of the overall budget is assigned to digital technology in general (including security), compared to 5-6% in Northern European countries,” warns Charles Blanc-Rolin. And this issue is made all the more critical by the policy of grouping hospitals together (which has led to the creation of France’s GHT regional hospital clusters). “The need to link and interconnect hospitals, and to make use of various types of smart equipment, has resulted in an increase in the attack surface, and thus in the vulnerability of hospital IT infrastructure. At the same time, inadequate IT budgets and security in the healthcare sector are a limiting factor for such organisations, which are not sufficiently well equipped to face such threats,” explains Raphaël Granger.
In French regional hospital groups, only 1% of the overall budget is assigned to digital technology in general (including security), compared to 5-6% in Northern European countries
Charles Blanc-Rolin, CISO for GHT15
This underinvestment is particularly visible in the area of healthcare equipment, which is frequently automated. With its coverage of domains such as medical imaging (MRI, scanners), probes and blood and genetic analysis, the ecosystem of automated devices is a particularly varied one. And although some hospitals have the resources to afford the latest equipment, most have to make do with old machinery. “We’re talking about 6-digit invoices for these devices. They’re extremely costly, which means that hospital investments are in the 15-20-year timeframe. In most cases, the control stations that operate such equipment are running obsolete operating systems such as Windows XP or Windows 2000,” explains Raphaël Granger. So when there’s a problem, or a machine breaks down, CISOs find themselves stuck: the devices are very often subject to medical certification which prevents the application of security patches. “The only solution is to isolate these devices within specific networks, avoiding connections with the outside world as far as possible and controlling any necessary data transactions,” says Charles Blanc-Rolin. But such precautions obviously come at a cost. In the face of dwindling public funding and ever-increasing demands for return on investment, cybersecurity for medical devices seems to have become an issue of secondary importance.
CTM / BMS: a question of operational cybersecurity
As hospitals are transformed into connected, automated systems, we need to bear in mind the role of cybersecurity in operational technology (OT) networks if we are to understand their vulnerabilities. Within a hospital building, this covers energy and fluids, such as air conditioning, air pressure levels and fire safety – factors which lie at the heart of smart buildings and their connected infrastructure. And all the more so considering that sensitive hospital environments such as operating theatres, MRI machines and resuscitation rooms require constant air pressures and temperatures. These systems are encompassed within the terms “centralised technical management” (CTM) and “building management systems” (BMS). “Because of the configuration of hospital buildings and certain spaces, air handling is vitally important, and the health risks obvious. Sadly, it’s all too easy to imagine the importance of air renewal in operating theatres, and even in rooms, to avoid the spread of bacteria or viruses. Temperature and humidity management are equally crucial; for example, in neonatal and burns departments. And we also need to remember that there can be financial risks, too; for example, when controlling an MRI’s cooling system to avoid damaging it,” points out Vincent Nicaise, Industrial Partnership and Ecosystem Manager at Stormshield.
The prospect of a cyberattack capable of disrupting the air handling system in an operating theatre constitutes an immediate critical health risk
Vincent Nicaise, Industrial Partnership and Ecosystem Manager at Stormshield
And in a more general sense, “some medical activities performed by a hospital – such as resuscitation, A&E and intensive care – are sufficiently critical to warrant the use of specific installations that provide a continuous power supply,” Vincent continues. “This is an aspect covered by French legislation in public and private health establishments, which demonstrates a clear need to maintain a secure supply of energy at such facilities.” Such a vulnerability was highlighted by the attack on Rouen’s University Hospital in France, recalls Rémi Heym, the hospital’s director of communication, writing in France’s Le Monde newspaper (in French): “Shutting down the entire system is no trivial matter for a hospital, where everything is computerised: prescriptions, analyses, reports, etc.”
Hospitals are vital infrastructure, yet vulnerable, and subject to very specific threats. They have shown their resilience during the recent crisis... but for how much longer? How many more weeks before another hospital finds itself in the eye of the storm? In addition to the enormous challenges that accompany the “return to normality”, we predict that the cybersecurity issue will be a central feature of discussions regarding hospital administration. Will the topic of an increase in ring-fenced budgets be on the agenda?