In recent days, two cyberattacks have targeted French hospitals, in Corbeil-Essonnes and Beuzeville, in Eure. Already at the start of the year, the Castelluccio hospital in Corsica and nine establishments of the Cœur Grand-Est hospital group had been the target of cybercriminals. Between ransom demands or resale of data on the Darknet, all means are obviously good to make money at the expense of hospitals.
We met Jean-Baptiste Guglielmine, cybersecurity expert at Cybereason, to comment on the attacks that are multiplying against healthcare establishments.
Jean-Baptiste Guglielmine – Anyone can be affected: these attacks take place both in private and in public. This is a phenomenon that has unfortunately become widespread, all the more so in recent years. It’s not necessarily something related to hospitals. Now, when it affects a health establishment, another dimension appears: that of the patient. As a general rule, when you enter a hospital, you feel rather protected, you don’t expect the establishment to be attacked.
There are several dimensions and it is important to qualify the statement. In hospitals, there may be some particular problems. The first metric is that of staff: we are not in establishments that are always overstaffed. This is all the more true in the sense that IT personnel are often lacking. This will lead to a lack of “digital hygiene”, that is to say the updating of systems (firewall, exposure on the Internet) which is not done in a sufficiently fast timing. This then leaves backdoors for hackers. The attacker will thus be happy to use this system which has not been updated.
Some groups have codes of conduct, but recently these have been flouted. Lockbit, suspected of being the group that attacked the Corbeil-Essonnes hospital, recently targeted a hospital in Spain despite its code of conduct prohibiting the attack on healthcare establishments. In the end, we are faced with people who are there for extortion: we don’t call it cybercrime for nothing.
Ransomware is valued the most, as there is a significant financial gain behind it. But this simple ransom demand is only the first step in extortion, which can be played out on several levels. Thus, the extortion can be doubled with a publication of the hacked data if the ransom is not paid. There are even extortions at three or four levels. The objective is neither more nor less to earn money. Ransomware remains very lucrative in the sense that the means used to hack are not that important.
Two or even three means of intrusion can be retained. First of all, we again come across the problem of the firewall which is not up to date and which will therefore contain a vulnerability. This will then be used by the attacker. The other way is phishing: an email faked to be clicked is sent to a member of staff. Thanks to this, the hacker will be introduced into the network. A last way exists, but it is more rare: some servers can be directly exposed on the Internet. The attacker only has to test passwords (which he can also buy on the darknet).
Concretely, if we take the 25 million euros and divide them by the number of hospitals, we arrive at a figure of around €140,000 per establishment. This is an interesting amount, but not necessarily sufficient. Moreover, even if we have the budget and the means, the time constraint will always favor the attackers. Indeed, an obsolete network will not become brand new in the snap of a finger.
Cyberattacks are constantly on the rise. Groups are using more and more substantial means to make a profit. Thus, as long as we are in hospitals with a lack of means and personnel, we are faced with easier targets for attackers.
What will remain true for a while is that 100% cybersecurity does not exist. However, with a fairly “modern” security posture, attackers can be greatly limited. Unfortunately, the question today is not whether we will be hacked, but rather when we will be hacked. Overall, with the leitmotif of money for attacking groups, anyone can be a target.