The hospital sector faces a major challenge: securing data and IT systems in a complex environment whose digital transformation never stops. In this article, we look at the main cybersecurity challenges facing the hospital sector and the solutions being considered to meet them.
In 2022, 588 French hospitals were targeted by a cyber-attack, roughly one in six. That figure is twice the 2020 level. Among the victims were the CHU de Lyon and the AP-HP.
Why so many cyber-attacks on healthcare facilities?
Hospitals are often perceived as sanctuaries of life, institutions dedicated to everyone's health, relatively neutral entities. One might assume that cybercriminals would hesitate to attack such "innocent" establishments. Yet even a brief outage in a hospital can endanger the lives of many patients, and that is precisely what makes them attractive targets.
Hospital IT systems hold a treasure trove of data, including digital patient records, the information medical staff rely on to deliver care. If these systems fail and staff can no longer access the information needed to treat a patient in distress, chaos follows.
This is the context in which cybercriminals see an opportunity to demand a ransom in exchange for unlocking or restoring the data. Paying does not guarantee that the data will actually be recovered.
In this article published in Les Echos, Laurent Tréluyer, DSN at AP-HP (CHU d'Île-de-France) explains:
"At AP-HP, we have a large number of information systems, over 1,000 applications, and connected biomedical devices from a variety of suppliers. The hospital is also, by definition, a place where the public comes to visit. So it's not possible to secure everything. Faced with this, our resources are those of the public sector. Our information systems are fragile, and this explains why there are so many successful attacks."
The health crisis linked to Covid-19 has only aggravated this vulnerability.
What are the consequences?
The consequences of cyber attacks on healthcare facilities are considerable: organizational chaos with dramatic repercussions. These incidents severely disrupt the delivery of care and instill fear among staff and patients alike.
One of the most serious consequences is the interruption of care caused by the disruption of the facility's normal operations. Ongoing treatment is compromised, putting patients' health at risk. Digital records (patient information, administrative data and entire databases) often become inaccessible.
Hospitals also hold confidential information that must not be exposed to the general public. When hospital IT systems are compromised, cybercriminals can exploit this sensitive data for malicious purposes, undermining patients' privacy and safety. In the case of ransomware, some hospitals give in to pressure and pay high ransoms, generating significant financial losses that in turn fuel the cycle of cyberattacks.
According to Gilles Calmes, General Manager of CH Sud Francilien (CHSF), it is essential that the Business Continuity Plan (BCP) enables every department and function to keep operating at reduced capacity. Asked what he would have done differently, he regretted having realized "a little too late" how important support functions such as human resources and billing are: human resources had to produce 5,000 payslips by hand for three months.
Healthcare establishments are highly vulnerable to cyber attacks
Hospitals potentially affected by the NIS 2 directive
The NIS 2 directive, which aims to harmonize and reinforce cybersecurity across the European market, has a broader scope than NIS 1. According to information gathered at the 11th Congrès National de la SSI Santé, organized by APSSIS from June 13 to 15 in Le Mans, all healthcare establishments with more than 50 employees will now fall within its scope.
Human resources management at the hospital
Acquiring cybersecurity tools is a crucial step, but it is not enough to secure a hospital. Qualified staff are needed to analyze the data these tools produce and to operate the security systems. Hospital staff, traditionally focused on patient well-being, need to develop a culture of digital risk. That shift requires commitment from both clinical staff and IT teams.
Although the tools exist and funding is available, the hospital sector suffers from a shortage of qualified people. Demand for cybersecurity specialists far outstrips supply, which makes retaining talent even harder.
The complexity of the hospital environment
Hospitals are complex environments with a considerable attack surface. Connected medical devices such as MRI scanners are everywhere, and they often sit outside the reach of conventional IT controls (vendor-managed, rarely patched, not enrolled in the usual endpoint tooling), which leaves them exposed to attack. The absence of an exhaustive map of this attack surface makes managing its security harder still.
8 areas for improvement following cyberattacks on hospitals in France
These attacks, which hit numerous healthcare establishments, carry lessons for organizations in every sector.
1. Awareness and preparation: The first lesson is the importance of cybersecurity awareness. Hospitals, like businesses, need to make sure their staff know the risks and the good practices of IT security. Training and awareness-raising are key to preventing attacks.
2. Vulnerability assessment: The attacks on hospitals have shown that preparation and vulnerability assessment are crucial. Facilities need to carry out regular security audits to identify weak points in their IT infrastructure and put appropriate protective measures in place.
3. Human resources management: The hospital sector's shortage of qualified cybersecurity staff has contributed to its vulnerability. Investment and support are needed to recruit and retain cybersecurity specialists and strengthen defenses against attack.
4. Responsiveness and remediation plans: The attacks on hospitals have shown how much a rapid response matters once an incident occurs. Organizations need remediation plans so they can react effectively during an attack and limit the damage.
5. Collaboration and information sharing: Hospitals have struggled with the complexity of their IT environments. Organizations benefit from working with other entities in their sector to share threat information and cybersecurity best practices.
6. Hybridization as a solution: A key principle for hospital cybersecurity is hybridization: deciding what must be managed in-house and what can be outsourced. The staffing question is just as important: should the hospital recruit more people to secure its facilities, or can that mission be outsourced?
7. Awareness-raising, auditing and security: The recent wave of attacks on the hospital sector has exposed how vulnerable these institutions are. In response, a number of measures have been taken, including a larger budget for awareness-raising, audits to identify potential threats, and checks that security policies are in place to cover the full range of risks.
8. The need to automate processes: Automation is a key way to get the most out of limited staff. It saves time by putting the right cybersecurity tools to effective use and by exploiting data in greater depth, which makes it easier to prioritize actions, access information and optimize resources.
Cybersecurity in healthcare establishments: what you need to know
Cybersecurity in the hospital sector is a major challenge that requires tools, funding and human resources to come together at the same time. Hybridization, automation and awareness are the pillars for strengthening hospital security and preventing cyber-attacks. The sector is essential to the country yet unevenly mature in its use of digital technology, so building a culture of cybersecurity within healthcare establishments is vital to protect data effectively and guarantee patient safety.
Want to learn more about how OverSOC can help you? Contact us.