It is already dark, Thursday, December 10, when the alert is given. A hacker entered the computer system of the Narbonne hospital center (Aude). Hélène Lherbette, digital services manager, is on deck. A crisis unit has been set up to respond as quickly as possible to the attack, limit its damage and “tell doctors what consequences this could have on their work”. The decision was taken to isolate the affected server, to cut off internet access and to continue treatment using the data saved internally, a priori spared.
The situation is not unprecedented at Narbonne hospital. “We are attacked every day, it varies between twenty and a hundred times, relativizes the manager. We even have days with 400 attacks. Yet we are a small establishment. “ Usually, the first level of security is sufficient to stop these infiltration attempts. Not this time, although the worst has been avoided. All screens could have been out of order. A “nightmare” lived in many hospitals.
Since 2018, the cyberthreat has been growing rapidly, with a peak reached during a year 2020 marked by the Covid-19. “The number of victims has thus increased fourfold in one year”, report the National Information Systems Security Agency (Anssi) and its German counterpart, the BSI. “During the pandemic, the number of attacks on hospitals worldwide has skyrocketed”, Confirms to franceinfo Saif Abed, a former doctor who became a cybersecurity consultant.
Among the structures targeted are the Assistance publique – Hôpitaux de Paris (AP-HP) on March 22, the American hospital chain Universal Health Services (UHS) and the University Hospital of Brno, in the Czech Republic. “If you walked the halls you could see that nothing was working anymore. All services, all computers were affected “, Vlastimil Cerny, IT director at the Prague hospital, recalls in a documentary * produced by antivirus vendor Kaspersky.
Hackers don’t just target hospitals. Pharmaceutical industrial sites, medical organizations, logistics players and laboratories also suffer their share of offensives or intrusion attempts. On December 3, two IBM analysts alerted * to a series of phishing scams (“phishing” in English, a technique intended to deceive the target to induce them to communicate personal data) targeting organizations responsible for the distribution of Covid-19 vaccines. Six days later, the European Medicines Agency (EMA), responsible for issuing marketing authorizations for vaccines, also suffered a cyberattack.
These attacks are often carried out by hackers, spies, sometimes affiliated with governments, or cyber activists. Each group has its own methods and objectives: “For example, we have ‘antivax’ who mobilized by saying: ‘The vaccine is scandalous, let’s attack the labs to delay them'”, explains Vincent Trély, President of the Association for the Security of Health Information Systems (Apssis).
Cybercriminals are driven by the pursuit of profit. They are generally oriented towards ransom demands, through the famous “ransomware” (“ransomware”, in English). In France, in 2020, Anssi was informed of 24 cases of compromise by this specific type of attack in the health sector, against 17 in 2019.
In recent years, a well-established ecosystem seems to have taken shape. Some develop malware, while others lead the attacks, demand payment of a cryptocurrency ransom, resell the data, or launder the money. The profits can be substantial, “from a few hundred to several million dollars”, estimates Anssi in a report from February 2020 (PDF).
If they are sometimes hit in a hazardous manner, medical structures can also be the target of more subtle attacks: the sending of false spam emails attributed to regional health agencies, messages carrying new health instructions, new protocols for health workers. samples, or order forms for masks or gowns were thus identified in 2020.
The goal is to use the pandemic to increase panic during a cyberattack. This method has already proven its worth, according to Stéphane Duguin, director general of the CyberPeace institute and former Europol employee. “The first ‘ransomware’ was launched against the health sector in 1989 during a World Health Organization conference on AIDS, he says. Already, a health crisis was turned into a criminal opportunity. “
The stakes are high, because blocking computer systems can threaten human lives. “A cyber attack can force you to redirect a patient who is having a stroke to another hospital and the thirty minutes you will lose him may cause him to have hemiplegic, when he could have fully recovered”, Illustrates the former doctor Saif Abed.
In mid-September, the University Hospital of Düsseldorf (Germany) was paralyzed by an attack, forcing the transfer of a patient, who died shortly after. Can we speak of the first “deadly cyberattack”? After two months of investigation, the Cologne prosecutor’s office could not establish the decisive role of piracy, reports the specialist magazine Wired*. “But it will happen one day or another”, warns Loïc Guezo, secretary general of the French Information Security Club (Clusif).
The hackers have understood it well: the threat hanging over the lives of patients plays in the decision whether or not to pay the ransom. In matters of negotiation, each State has its own line of conduct. The United States has tended to pay a lot, exploding the price of ransoms, while others, like France, recommend not to give in. Providing yourself with virtual currency takes time, paying does not guarantee that you will be able to easily recover your data, the intervention of specialized technicians will remain necessary and above all, any ransom paid helps to finance the increase in skills of cybercriminals.
“Hospitals are prime targets for cybercriminals because it becomes more complicated to attack banks or high-tech industries, which have put millions into safety.”, Vincent Trély analysis. With relatively few resources, the medical community has to manage sensitive personal data. In recent years, medical records, treatments, prescriptions, test results, vital signs follow-ups, and even syringe pumps have become computerized, increasing the risk of data compromise.
Loïc Guezo cites in particular the case of scanners or MRI machines, which are particularly vulnerable: “If IT teams start installing anti-virus software, the warranty is lost and they are no longer legally entitled to use the hardware.” “It’s fantastic hardware designed for care, but it rests on lousy computer layers! “, indignant Vincent Trély.
“You have 1.5 million euro MRI machines and scanners in French hospitals that run Windows XP.”Vincent Trély, President of the Association for the Security of Health Information SystemsAdvertisement
The lack of means would therefore weigh, here too, in the smooth running of care structures. In 2018, the global budget allocated to digital, including that of online security, represented only 1 to 2% of the general budget of hospitals in a majority of establishments, reports the atlas of French hospital information systems, against 4.3% for Spain or 4.9% for the Netherlands , according to the 2019 European e-health survey *.
On the authorities’ side, specific measures have been taken since 2017: an attack reporting portal has been opened and instructions communicated. Things are going in the right direction, confirm the specialists interviewed by franceinfo, but not quickly enough, faced with the frantic development of criminal groups.
In addition, the lack of training of caregivers in cybersecurity is regularly denounced. The Ministry of Health communicates on the subject with awareness campaigns such as “All cybervigilants” (PDF). In the meantime, the delay remains substantial and learning too often conditioned by a bad experience. “Getting a surgeon to put an eight-character password and change it every ten months is complicated”, regrets Vincent Trély, who organizes awareness seminars.
“We start from very far, because the hospital is a benevolent world. In the army, when you tell them to put in security, they answer: ‘Of course, the enemies are there!’ At the hospital, you are told: ‘Oh no, if we have to put codes, we waste time and we already do not have enough for our patients. Who do you want to blame us? ” The list of enemies is long, however. And the pandemic did not dampen their intentions.
* Links marked with an asterisk refer to content in English.