In the world of healthcare, 2023 is a year that has been strongly characterised by cyberattacks: a report from ENISA shows that cyberattacks doubled in the first quarter of 2023 (40 incidents, compared with an average of 22 in Q1 2021 and 2022). Targets have included not only hospitals, but service providers too: for criminals will stop at nothing to access patients' health data.
This multi-faceted threat to healthcare players is greatly increased by inherent factors specific to this sector, whose entire operation relies on ageing or even obsolete IT infrastructure and increasingly permeable information systems.
For example, factors such as the growing number of IT interconnections between establishments as members of associations, the development of remote maintenance by service providers, and the increasingly widespread use of telemedicine and remote monitoring all serve to accentuate the risks. The attack surfaces of information systems are increasing, due to more or less secure login methods and access points. Internally, the interconnection of IT and operational networks is equally sensitive, with building management technical infrastructure and a great deal of biomedical equipment that all too rarely makes use of cybersecurity concepts or solutions.
In France, the volume of healthcare e-data has increased thirty-fold between 2016 and 2022, according to the ANAP (Agence Nationale d'Appui à la Performance des établissements de santé et médico-sociaux) healthcare watchdog; by definition, this increases the surface area and size of the infrastructures that need to be secured. A cybercriminal can expect to resell a patient’s medical file for between €50 and €250. And for 12 consecutive years, data leaks in the healthcare sector have proved to be the most costly of all sectors, with a median cost of around €300,000 in Europe.
Cyber-measures to protect healthcare infrastructure
To protect healthcare infrastructure, we first need to identify the entry points. These fall into four categories: human, software, network and physical.
Once these categories have been identified, any detected weaknesses need to be remedied, and the process must then be duplicated for all partners or service providers and any unprotected external entry points. For example, during the coronavirus crisis, a company specialising in the transport of Covid-19 vaccines was hit by a phishing campaign aimed at gaining access to sensitive information about its distribution network.
From a methodological point of view, the first step in protecting healthcare infrastructure is to audit and analyse the entire system, the most sensitive assets and the associated risks. Secondly, action is required: this means deploying security solutions (for networks, terminals and biomedical equipment) while taking into account the specific characteristics of health data, which cannot be completely anonymised. This requires combining two databases – one anonymised, and one capable of re-identifying files – hence the complexity of the operation. Lastly, information system security must be constantly monitored to enable continuous improvement. Managed systems are a good alternative, as they enable resources to be pooled and make up for shortages of workstations.
But protecting healthcare players is not just a question of preventing and combating cyber-attacks; it also means strengthening IT/OT infrastructures to make them more robust and reliable. It is worth noting that non-malicious incidents account for 48% of reports.
The best way to combat cyberattacks and prevent failures, while protecting infrastructure and services (and ultimately, patients), seems to be to surround ourselves with specialist sovereign players with the ability to support qualified personnel. After all, although cyber-solutions in healthcare are much the same as in other sectors, the consequences can be far more dramatic.
Regulations in a real-world setting
Over the last few years, with the NIS2 directive and the GDPR at European level, in addition to the work carried out by ANSSI, the ARSs (Regional Health Agencies), the ANS (Digital Health Agency) and the CERT-Santé and the CNIL at French level, the cyber-risk in the health sector seems to have been understood by the public authorities.
The public authorities’ awareness has been rudely awakened, mainly as the result of large-scale cyberattacks; for example, the attack in France on Rouen University Hospital in November 2019, which kick-started a national debate on the subject of hospital protection.
As a result, the government established a reference framework for e-health in 2020. The France Relance plan, launched in September 2020 and overseen by ANSSI, will provide an initial increase in the security of public establishments. Today, 132 schools have already embarked on the plan’s cybersecurity pathway.
Yet despite a constant level of good intentions from healthcare players, a number are being punished for IT security failings. In April 2022, the French Data Protection Authority (CNIL) fined Dedalus Biologie €1.5 million for a security breach that resulted in the leaking of personal data for over 500,000 people.
A second shock occurred in August 2022 following the cyberattack on the Corbeil-Essonnes hospital, prompting the Government to invest €20 million in ANSSI to improve the effectiveness of its work.
At European level, the GDPR – which came into force in 2017 – covers a portion of the regulatory obligations in its efforts to define stakeholder accountability and the role given to the consent of individuals and the use of their medical data. This reference regulation is supplemented by the NIS 2 directive, which significantly expands the scope of the health sector and requires health establishments to perform actions such as reporting security incidents.
The European health data regulation complements these pieces of legislation, and has been particularly well received by most of the relevant stakeholders because of its proposed scheme to secure the sharing of information, reinforcing the requirement to report incidents and ensuring interoperability.
The next cybersecurity challenge in the world of healthcare will revolve around medical “Big Data”. This will involve collecting, processing and analysing data, with the promise of personalised and predictive medicine, which must include consideration of protection and sovereignty imperatives.
