“Ransom payment is not a solution, otherwise it becomes the Wild West”

The emergency department is running at half its usual activity and maternity at a third, but “the safety of care is ensured”. That was the assessment given on Monday evening, December 5, of the cyberattack that had targeted the hospital center of Versailles (Yvelines) two days earlier, according to Richard Delepierre, co-president of the establishment’s supervisory board. He said the attackers had demanded payment of a ransom, of an undisclosed amount, to restore the computer system.

On August 22, the Sud-Francilien Hospital Center in Corbeil-Essonnes (also in Ile-de-France) saw its operations disrupted for several weeks by a comparable attack. In 2021, “we saw almost one attack per week on our health establishments”, explained Jean-Noël Barrot, the Minister Delegate for the Digital Transition, during an on-site visit, adding that in 2022 “this figure fell by 50% in the first half of the year”.

In an interview with Le Monde, the consultant Vincent Trely, founder and president of the Association for the Security of Health Information Systems, details the security protocols put in place to anticipate and respond to these threats. A major challenge, because, according to him, there is “no reason” for healthcare establishments to stop being targets of hackers.

What are the consequences of a cyberattack for the operation of establishments?

Vincent Trely: Not all attacks have the same severity. Hospitals can recover in three or four days when the attack was caught in time, or did not exploit everything it could have. In the extreme case, everything is encrypted by the hackers, down to the system backups, as in the case of Dax, in the Landes, in 2021, where the hospital lost ten years of data.


What protocol do hospitals follow in the event of a cyberattack?

The first step is detection: the duty manager is alerted in some way that there is a problem. He calls the IT security manager; they will take an hour and a half or two hours to qualify the problem as a cyberattack. We then move to containment: we disconnect, on the assumption that the infection may not have spread everywhere.

Then a crisis unit is set up, including general management and the president of the establishment’s medical committee. It will orchestrate the response. It identifies all the patient-related issues. The hospital goes into “white plan” mode, which covers health security. Transfers of critical patients, arranged in advance between the hospital and partner establishments, are carried out.

After six to ten hours, the crisis unit has a map of the damage. If the establishment is an “operator of essential services”, the National Agency for the Security of Information Systems (Anssi) will send experts. Do we still have the backups? Where is the virus? There is no question of restarting the machines if you are not sure you have eliminated it everywhere. It takes twelve to fifteen hours to understand what happened and assess the extent of the disaster.

Then there is probably going to be a negotiation phase with the hacker demanding a ransom. It will not go well, because the hackers believe that hospitals, which have large budgets, will be able to pay large sums like a big company. But the hospital won’t pay, and the hacker will release data. The establishment then enters a phase of legal crisis, as it is no longer in compliance with the General Data Protection Regulation (GDPR). The hacker then sells pieces of his database to other hackers: copies of passports, Vitale health insurance cards, e-mail addresses, telephone numbers, etc.

On the IT side, we rebuild and secure. If we had good backups and a fairly solid system, after ten to twelve days we can restore activity to 80%. It will take several weeks or several months to work on the 20% for which things did not go well.

Have any hospitals ever paid a ransom?

To my knowledge, no, neither in the public nor in the private sector. The guidelines are very clear. We have never considered paying a ransom to be a solution, any more than for hostage-taking. Otherwise, it becomes the Wild West. There was also a bit of a stir when Bercy [the Ministry of the Economy and Finance] authorized insurers to cover ransom payments in their policies. This sends a very bad signal, in contradiction with Anssi, which reports to the Prime Minister.

If they don’t pay a ransom, why are hospitals being targeted?

A hospital contains millions of documents with personal health data. They can be stolen to sell, or made unavailable for blackmail.

The fourth digital revolution is artificial intelligence (AI); but to make an AI learn something, you need data. Today, we have the engine and the fuel: the engine is computing power; the fuel is data. For the first one to automatically detect breast cancer five years before radiologists, that’s tens of billions of dollars in the long run.

We are at the beginning of the story. In the United States, between 2000 and 2007, at the height of the digitization of hospitals, 170 million records were stolen, almost 100%. There is no reason for the North Korean or Russian hackers to stop, and no reason for the drug traffickers not to start paying attention.

Do hospitals have specific security vulnerabilities?

Many systems are connected, such as neonatal incubators to manage temperatures, or stacked syringe pumps. However, biomedical equipment is sometimes supported by obsolete IT: many devices run on Windows XP [launched in 2001, and no longer supported by Microsoft since 2014] and some systems even date from 1998 or 2000.
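The practical check that follows from this answer is an inventory sweep: which connected devices run an operating system past its end-of-support date, and which of those still sit on the general hospital network rather than in an isolated biomedical segment. The script below is an added example, not code from the interview or from the association mentioned; the end-of-support dates are Microsoft’s published lifecycle dates, while the device inventory, the IP ranges and the “isolated VLAN” prefix are constructed assumptions for illustration.

```python
"""Triage connected medical devices by OS end-of-support and network placement.

Added example (not from the original article). Inventory and VLAN ranges are
constructed; end-of-support dates are Microsoft's published lifecycle dates.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

# End of extended support per Microsoft's product lifecycle pages.
EOL = {
    "Windows 98": date(2006, 7, 11),
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Assumption: this prefix is the isolated biomedical VLAN, reachable only via
# a filtering gateway. Anything outside it is on the general hospital LAN.
BIOMED_VLANS = [ipaddress.ip_network("10.20.0.0/16")]

# Reference date for the example (the interview was published in December 2022).
AS_OF = date(2022, 12, 6)


@dataclass
class Device:
    name: str
    os: str
    ip: str


# Constructed inventory: names, addresses and OS versions are illustrative only.
INVENTORY = [
    Device("incubator-neo-01", "Windows XP", "10.1.4.23"),
    Device("syringe-rack-icu-2", "Windows 2000", "10.20.3.7"),
    Device("mri-console-1", "Windows 7", "10.1.8.40"),
    Device("nurse-ws-114", "Windows 10", "10.1.2.15"),
    Device("lab-analyzer-3", "Embedded Linux 2.6", "10.1.9.2"),
]


def years_past_eol(os_name, today=AS_OF):
    """Whole years since support ended, 0 if still supported, None if unknown."""
    eol = EOL.get(os_name)
    if eol is None:
        return None
    return max(0, (today - eol).days // 365)


def is_segmented(ip):
    """True if the address lies inside an isolated biomedical VLAN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BIOMED_VLANS)


def triage(devices, today=AS_OF):
    """Rank each device: unsupported OS on the general LAN is the worst case.

    An OS we cannot map to a lifecycle table is flagged 'review', not 'low':
    an unknown support status is not evidence of a supported system.
    """
    findings = []
    for d in devices:
        age = years_past_eol(d.os, today)
        segmented = is_segmented(d.ip)
        if age is None:
            priority = "review"
        elif age > 0 and not segmented:
            priority = "high"
        elif age > 0:
            priority = "medium"
        else:
            priority = "low"
        findings.append({"name": d.name, "os": d.os, "ip": d.ip,
                         "years_past_eol": age, "segmented": segmented,
                         "priority": priority})
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['priority']:6} {f['name']:22} {f['os']:20} "
              f"eol+{f['years_past_eol']}y segmented={f['segmented']}")
```

The ranking deliberately treats “unknown OS” as something to review rather than as safe, and it scores an end-of-life device that is already behind an isolated VLAN lower than the same device on the general network, since the segmentation is what limits lateral movement from a phished workstation to the incubator.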

We are also working on behavior: for hospital staff, in an ideal world, all the computers are on all the time. Buying 10 million euros’ worth of security products and hiring five full-time people on the subject will have an impact, but that only addresses part of the problem: if people click on a flashing fake e-mail promising a 10,000 euro prize, your tools will count for nothing.

Are health facilities sufficiently prepared?

Hospitals have been digitized for twenty years, and a whole generation has known only the computerized care plan. Since 2019, a number of sites have taken the time to simulate working without IT. Digital risk is increasingly taken into account in each hospital’s white plan. In general, hospitals have experienced a crisis, in particular due to Covid-19. Between the public and private sectors, the situation is roughly similar.

Security managers are listened to much more than a few years ago, but we have 1,300 computer systems in the public sector, 3,000 including the private sector, which are very heterogeneous. Recent incidents have, in quotes, “done some good”. In February 2021, the 135 main hospitals were designated “operators of essential services”, and are required to apply 23 specific security rules decided at European level. And the President of the Republic announced an investment plan of 350 million euros, within the Ségur de la santé, targeted at cybersecurity.

The major difficulty is that money is not enough; you also need hands. But everyone is looking for cyber technicians: the CAC 40, local authorities, start-ups, digital service companies… Consequently, it can be worthwhile to share skills between several hospitals, because there is no point in a small local hospital having its own security manager and a cyber expert paid 120,000 euros a year.
