The Observatory of information system security incident reports for the health sector released its latest report at the end of April. It shows a sharp increase in reports of incidents targeting the health sector.
Alerts on the rise
In 2021, CERT Santé – the “cyber threat management support service” – thus had to manage 733 incidents – double the number recorded in 2020 – concerning 582 different establishments.
In 2019, some 300 establishments reported 392 incidents (+20% compared to 2018, with 247 structures for 327 incidents). In 2020, the first year marked by the Covid-19 pandemic, 369 incidents were declared.
This increase is partly explained by incidents targeting external service providers (hosting providers, accounting services, etc.), which are themselves increasingly confronted with these problems:
This increase is linked not only to major incidents encountered by service providers and having impacted several hundred structures, but also to an average monthly reporting rate having increased by 33%, rising from 30 to 40 reports per month (excluding service provider incidents).
The observatory report
When a service provider is affected, there can be cascading consequences: in around a hundred cases of major incidents, service providers had to interrupt their service for a prolonged period in order to block any spread of the threat to their other customers.
Nearly 40,000 establishments concerned
No fewer than 3,306 health establishments and nearly 35,000 establishments or medico-social services (ESMS) are subject to the obligation to report this type of incident.
With regard to ESMS, declarations are up sharply: their number has quadrupled compared to 2020, especially for establishments welcoming people with disabilities.
Patients sometimes in “proven” danger
Among the most publicized cyberattacks of the year are ransomware attacks. In concrete terms, this type of attack results in the “locking” of an entire computer system until a ransom is paid, if it is paid at all.
The most significant ones struck, for several days in February 2021, the hospitals of Dax (Landes) and Villefranche-sur-Saône (Rhône), as well as that of Arles (Bouches-du-Rhône) in August.
Ransomware attacks were particularly important during the first quarter of 2021, resulting in major claims for certain structures
CERT Santé
“A sort of lull” was noted afterwards, but attacks have been increasing again since December 2021.
In particular, an increase in ransomware attacks targeting service providers (hosting providers of business solutions) has been observed: in concrete terms, attackers seek to compromise a service provider’s IT system in order to be able to spread to all of its customers and multiply the effects of their attack.
Beyond the impact on the “classic” IT management (administration, emails, etc.) of a site, this type of attack is capable of seriously compromising the very health of patients, as IT is today at the heart of healthcare:
Among the 80 patient endangerments of this year 2021, 5 incidents led to proven patient endangerment
CERT Santé
The other 75 correspond to the share of “potential” endangerment of patients, such as incidents related to the interruption of hosted services for several days or the interruption of the SAMU support telephone service.
The report distinguishes between two types of incidents: those that are clearly malicious (52% of the total) and others – such as the giant failure of emergency call numbers due to a serious software failure last June.
Massively stolen data
Other types of attacks are less publicized but just as problematic, especially in the sensitive area of health: data theft – called “data exfiltration”.
Among the cases recorded in 2021 are those of the million and a half patients whose data were stolen from the Assistance Publique-Hôpitaux de Paris (AP-HP) in September and, more recently, the 500,000 stolen from the National Health Insurance Fund.
Various other types of threats
The report details other types of threats: 2021, for example, was marked by strong malicious activity in the theft of login and/or email credentials or even remote access accounts.
To do this, criminals use three techniques: phishing, exploiting vulnerabilities on equipment that has not been updated, and attempts to recover credentials by testing a large number of passwords (the brute-force technique).
The “thieves” do not necessarily use these identifiers themselves: they can also sell them on the darknet, for the benefit of crooks.
Rarer but just as worrying are attempts at fraud through the mass sending of false invoices or transfer requests, or even the installation of viruses that can be used to disrupt the operation of equipment or even… to “manufacture” cryptocurrency.
No (yet?) widespread attack
According to the Ministry of Health, while “2021 was marked by many major incidents linked to ransomware attacks” or “massive data exfiltration, there has not been a coordinated attack to date aimed at seriously disorganizing the French healthcare system”.
Such an attack is entirely possible, as Ireland learned from bitter experience last May.
Faced with the threat, the Ministry of Solidarity and Health has been leading a cybersecurity campaign since 2019 with the #TousCybervigilants initiative.
For the past year, the CERT Santé (Computer Emergency Response Team), led by the Digital Health Agency, has ensured the Ministry’s ramp-up in capability in the face of cyber-maliciousness:
Since the beginning of 2022, CERT Santé has ensured that it is strengthening its support and improving the tools put at the service of health and medico-social establishments and actors to help them develop their capacity to deal with an increasingly complex threat.