The volume of security incidents in healthcare institutions has soared between 2020 and 2021: a 35% increase in the US, 45% in Spain and up to 50% in Germany and France... This represents a critical situation, given that such sensitive environments require an average of 28 days to return to normal activity. Despite the aid and support provided by governments, why are hospitals still vulnerable today?
Experts analyse and react to a phenomenon that is worrying health professionals and the general public.
Initiatives to address the cyber threat
The fragility of health institutions was highlighted by the Covid-19 pandemic in early 2020. Hospitals are now being hit and paralysed by cyberattacks almost daily, regardless of their size or geographical location. The French list seems endless: hospitals in Paris in March 2020, Dax, Oloron-Sainte-Marie and Villefranche-sur-Saône in February 2021, Arles in August 2021, the GHT Cœur Grand-Est in April 2022, and Corbeil-Essonnes more recently in August 2022.
However, vulnerability in healthcare institutions is nothing new, and has been of concern to professionals for more than a decade. The first initiative to discuss cybersecurity in healthcare institutions was launched in France in 2011, in the city of Le Mans. Reflecting a desire to meet and share information, the first National Congress on Health Information Systems Security was created under the impetus of Vincent Trely, CISO of the Le Mans University Hospital. In 2013, again in France, the Military Programming Law (LPM) enshrined the concept of OIVs (operators of vital importance). This acronym refers to a set of companies and organisations that are essential to the survival of the nation. Although the list was not made public, major hospitals were included. In the same year, the American Hospital Association (AHA) began publishing alerts and reports on cyberattacks against healthcare facilities in the United States. A few years later, in July 2016, the NIS (Network and Information Security) Directive was adopted in Europe. This makes provision, first and foremost, for the tightening of cybersecurity for operators in key sectors, by creating the concept of ESOs (operators of essential services), another acronym to sit alongside OIVs. In 2017, the reorganisation of the Groupements de Coopération Sanitaire (GCS) of French health establishments was introduced to facilitate and increase interactions between CISOs of health groups.
Awareness therefore seems to have been in place for some time, at least among professionals in the health sector (such as CISOs, or France’s ANSSI cybersecurity agency). So will this provide some protection against cyber threats? Sadly, the health crisis and the explosion of cyber-attacks have undermined any such optimism. According to US analyst Brett Callow, nearly 170 ransomware attacks infected nearly 1,800 clinics and healthcare facilities in the US over the 2020-2021 period. In France, the ANSSI reported an average of one healthcare establishment incident per week in 2021, and announced that 27 establishments had been hit by cyberattacks over the same period: a sad record.
In response to these new attacks, the sector is once again mobilising its forces. As of February 2020, some private cybersecurity companies began to provide free support to healthcare institutions. At the same time, ENISA published a guide listing the 10 best practices to be implemented in healthcare institutions to deal with cyber threats. Then, in March 2020, more than 3,000 cybersecurity professionals came together as the COVID-19 Cyber Threat Coalition to share their analyses and indicators of compromise. Threat Intelligence feeds were then produced voluntarily and shared through the community. Then, in September 2020, the French government created a 136 million-euro fund with the France Relance plan, whose cybersecurity component aims to increase the security of critical infrastructures such as health establishments. A few months later, France's Ministry of Health increased this budget by 350 million euros for hospitals. In April and June 2021, the German government issued an ordinance aimed at forcing service providers using critical infrastructure, including hospitals, to comply with tighter cybersecurity restrictions, while the French authorities added 135 hospital groups to the list of essential service operators (ESOs). Lastly, in August 2022, the French government announced an additional budget of 20 million euros for the ANSSI in order to provide improved support for health establishments.
Clearly, hospitals are not facing the cyber threat alone. But is that really enough?
Why are hospitals still vulnerable?
In spite of such resources, support and initiatives, healthcare institutions remain vulnerable. But why? The main reason actually seems to be simple: hospitals present such a large attack surface.
IT equipment renewals in healthcare environments impose basic constraints. Whereas conventional IT equipment is renewed every 5 years, medical devices have business models that can last up to 15 years. As a result, systems today incorporate end-of-life technologies that are no longer being maintained. "Such investments of several tens or hundreds of thousands of euros are made over ten or fifteen years," explains Charles Blanc-Rolin, former CISO of a health establishment and head of the digital health security project at the Pays de la Loire e-health co-operation consortium. "It is not uncommon to find Windows systems such as Windows XP, which has not been supported since 2014. And in some cases, even older versions of Windows for which security patches no longer exist. We end up with real “leaky sieves” and highly vulnerable systems. In addition, the CE mark is a regulatory requirement for manufacturers. But it also imposes restrictions on healthcare establishments, which cannot make any modification to mechanisms, such as a safety patch update, without losing this CE mark." In order to prevent the risk from using unmaintained operating systems, IT security policies must instead be adaptable, as Charles Blanc-Rolin points out: "It is important to have a business continuity plan and disaster recovery plan in place, but it is also important to have failover procedures. Today, we use many security tools, but we overlook the basics and the necessary flexibility.”
It is not uncommon to find Windows systems such as Windows XP, which has not been supported since 2014. And in some cases, even older versions of Windows for which security patches no longer exist.
Charles Blanc-Rolin, digital health security project manager at the Pays de la Loire e-health co-operation consortium
At the same time, hospitals have been undergoing forced digital transformation for more than a decade, generating other constraints. Jean-Sylvain Chavanne, CISO of the Brest University Hospital and the Western Brittany Hospital Group, explains: "To give an example, the perimeter to be secured for the Brest University Hospital consists of 140 business applications, 350 virtual servers, 6,000 workstations, 10,000 objects connected to the network, 20,000 pieces of biomedical equipment (such as syringe pumps, MRIs, hyperbaric chambers, etc.), and 2.7 petabytes of raw data to be saved. This constitutes a very broad scope. At the same time, hospitals have undergone a forced digital transformation process since the 2010s, financed by a succession of calls for projects, with no associated budgets to maintain them. As a result, hospitals automatically find themselves with a huge technical debt that must be addressed as they go." As an extension of this digitalisation, healthcare institutions have also been weakened by the universal introduction of smart products. Medicine and its uses are constantly evolving, and the fields of medical imaging, home hospitalisation and patient identification have been turned upside down by these innovations, as Charles Blanc-Rolin reminds us: "With new practices, such as patient tracking via RFID bracelets, we can know exactly where the patient is within a hospital to improve their care. It is therefore necessary to provide a framework for these new digital uses and add a layer of security without creating a technical debt.” Because of the proliferation of these objects in health services, the uncontrolled expansion of the attack surface is a problem that Jean-Sylvain Chavanne analyses as comprising three major risks: “The first risk is a lack of control over the connected objects that are deployed in a hospital information system. This applies when a supplier arrives and logs into the network without any security measures in place. The second risk stems from contractual relations. Without contracts with subcontractors or suppliers, no security obligations – such as updating the relevant software – are required. And finally, the third risk is the on-board applications themselves, which are total 'black boxes'. If we don't know what's in them, we can't control security and patch vulnerabilities. Last December, this happened with Log4Shell, forcing us to contact 200 medical equipment suppliers to find out whether their software included it or not.”
Hospitals have undergone a forced digital transformation process since the 2010s, financed by a succession of calls for projects, with no associated budgets to maintain them. As a result, hospitals automatically find themselves with a huge technical debt that must be addressed as they go.
Jean-Sylvain Chavanne, CISO of Brest University Hospital
But people are also a source of vulnerability in hospitals. Under-staffed IT teams are focused on delivering information quickly. Sometimes, this comes at the risk of ignoring obvious safety rules. That’s why hospital ISS teams raise staff awareness and sometimes rescind freedoms that health professionals should not have had and require deconstruction, as Jean-Sylvain Chavanne identifies: "Currently, our security equipment is blocking one spam message every 50 seconds and one virus every hour. There is a need to raise awareness and educate users about the fact that we are not entitled to full freedom over how we use software that stores and manages health data. For example, medical staff must not keep their patients' diagnoses on their personal phones. We issue reminders of good practice throughout the year." Medical staff are under constant pressure, and tend to take shortcuts in order to focus on their job of caring; they are the ones who need to be more sensitive to the topic of cybersecurity. This poses a major challenge for CISOs, who can draw inspiration from the message that a French hospital director sent to his employees.
Obsolescence of equipment, imperfect risk cultures, recruitment problems; there are still many issues to be solved within hospitals to ensure effective cybersecurity for such vital infrastructure.
Expanding the cyber threat frontline for health data
In view of these various difficulties, Charles Blanc-Rolin emphasises that the key issue of security in healthcare establishments relates to patient data and care. "Ransomware attacks in particular can paralyse a hospital and reduce the chances of patients being treated. Without access to data and diagnostics, caregivers are forced into a 'war medicine’ approach. This leads to a deterioration in the quality of care. And that’s the real danger.”
Without access to data and diagnostics, caregivers are forced into a 'war medicine' approach. This leads to a deterioration in the quality of care. And that’s the real danger.
Charles Blanc-Rolin, digital health security project manager at the Pays de la Loire e-health co-operation consortium
However, health data is also of interest to cybercriminals. In addition to standard personal considerations over information such as name, first name and date of birth, such data can sometimes be of a much more personal nature, leading to to terrifying ransomware scenarios for the victims themselves. This is precisely what happened to patients in Vastaamo during the year 2020. This group of 25 psychotherapy centres in Finland was the victim of a data leak, containing details of the psychiatric care for these patients. As reported by VICE, 30,000 patients received a ransom note that had to be paid within 24 hours or their information would be disclosed. This is a departure from the usual modus operandi of cyber attacks, where ransoms are usually associated with a company. But in this case, the patients themselves were on the front line. More than 25,000 complaints were filed with the authorities, making this the largest criminal case in Finnish history. A few months later, the Finnish Data Protection Authority fined the company €608,000 for violating the General Data Protection Regulation. And neither has France been spared: over the same period, 500,000 medical records were stolen from a group of laboratories in western France. According to one American study in March 2022, health data is worth 25 times more than a credit card.
Health data may represent a financial windfall for cybercriminals; meanwhile, health data can be a target for state powers. Obtaining information on vaccine development during the health crisis has been a priority for some countries who lack research and development capabilities. According to the Wall Street Journal, no fewer than six pharmaceutical companies, including Johnson & Johnson and Novavax Inc., were targeted by North Korean cyber-activists over this period. At the end of 2020, the same group, posing as a recruitment agency, allegedly approached employees of AstraZeneca with false job offers with the intention of circulating documents containing malicious payloads within the company. That same year, in France, seven out of 24 incidents recorded in the health sector affected the pharmaceutical industry, according to Charlotte Drapeau, head of the ANSSI’s Health and Society office. According to the HIPAA Journal, an underlying trend is the number of major breaches involving the theft of health data in the US, which has increased from 368 in 2018 to 714 in 2021.
Jean-Sylvain Chavanne believes that not all the cyber attacks that have targeted French pharmaceutical companies are the work of traditional cybercriminals: "All French pharmaceutical companies that have developed a vaccine against Covid-19 have been hit by cyberattacks. It is difficult to see this as the result of opportunistic actions by the attackers. We are dealing here with a desire for destabilisation or industrial espionage.”
The reasons for the vulnerability of healthcare institutions are thus complex. They are inherited from structural problems in the sector, and will certainly not be resolved in a few months. To clear technical debts, address under-staffing issues and reduce the attack surface, the health sector needs to act now. And in this respect, it can be sure it has the support of national governments. Transforming hospitals (back) into connected and secure spaces.