In its preamble (pdf), ANSSI recalls that the health sector “consists of a set of actors characterized by their fragmentation and heterogeneity”, which obviously complicates the task when it comes to strengthening cyber defenses at the level of the sector as a whole.
These actors are the target of malicious actors coming from several spheres: <a href="http://www.world-today-news.com/patient-dies-because-hospital-was-attacked-by-ransomware/" title="Patient dies because hospital was attacked by Ransomware">cybercriminals (for data theft and/or ransoms)</a>, hacktivists (to send messages, often in reaction to current events) and State-sponsored groups (Russia, China, Iran and North Korea are cited as examples) for espionage, particularly targeting vaccines and treatments during the pandemic.
The level of security is… “variable”
On ransomware attacks, ANSSI notes that, “since 2020, the healthcare sector has continued to be the target of attacks”. During the Covid-19 pandemic, “many ransomware operators have taken advantage of the pressure on the healthcare sector”. Nevertheless, “the health sector does not appear to be a specific target of ransomware operators, who mostly seem to act opportunistically against vulnerable entities of all kinds”.
Two phenomena can explain this visibility: legal reporting requirements and the “greater media coverage received by structures welcoming the public when they are victims of incidents”. But it should also be noted that “the variable level of security of entities in the sector, and in particular of hospital IT systems, favors their targeting”.
30 compromises and encryptions in 2022 and 2023
Between 2022 and 2023, 30 ransomware compromises and encryptions were reported to ANSSI. These incidents in health establishments “represent 10% of incidents linked to ransomware reported to ANSSI over this period”. The ransomware families involved are numerous: Lockbit (including Lockbit 3.0), NoEscape, Bitlocker, Bianlian, Phobos, Blackcat, Blackhunt, Wannacry, Scarab and ViceSociety.
ANSSI echoes an October 2023 study from the University of Minnesota which shows that, in the context of hospitals, “this type of computer intrusion could increase the risk of mortality of patients already admitted at the time of the attack”… which should surprise no one.
Months of work and millions of euros
The Agency explains that “remediation of ransomware attacks and return to nominal operating mode can take up to several months and generate high associated costs”.
For example, the attack on the South Francilien hospital center reportedly cost 7 million euros. If in certain cases remediation is rapid, “the majority encounter serious difficulties”, explains the National Information Systems Security Agency.
Paying a ransom doesn’t pay
ANSSI takes advantage of its analysis of the health system to send a message on ransoms: “paying a ransom in the context of a ransomware attack does not necessarily allow an entity to protect itself against further attacks”.
It gives, as an example, the case of the American healthcare payment processor Change Healthcare. Attacked in February 2024, the company reportedly paid the ransom. “However, a few months later, the entity was once again the victim of extortion under threat of disclosure by another cybercriminal group, which claimed to also be in possession of the exfiltrated data […] following an internal conflict between cybercriminals”.
The report also gives an idea of the prices. A hacker using the alias Ansgar is said to have put up for sale “nearly seven terabytes of personal and medical data of Australian citizens exfiltrated from the systems of Medisecure, an Australian electronic prescription service provider, for the sum of fifty thousand dollars”.
Third party payment: data could be resold or exploited
And France is not left out, particularly regarding the data leaks that affected the third-party payment providers Viamedis and Almerys in February 2024. The purpose of these attacks “remains unknown at the moment. However, the exfiltrated data could likely be resold or exploited for fraud purposes”.
Concerning hacktivist attacks, ANSSI recalls the one against the Assistance Publique-Hôpitaux de Paris, which had been “claimed on the social network Telegram by the hacktivist group Anonymous Sudan in response to the death of Nahel Merzouk”.
This year, following the arrest of Pavel Durov (Telegram), “numerous pro-Russian hacktivist groups, including the Cyber Army of Russia Reborn group, have claimed DDoS attacks against websites of French entities in various sectors”.
A raft of recommendations
ANSSI ends its assessment with around ten pages of recommendations. These include a number of common sense actions, such as raising awareness among employees, mapping your IS and its environment, including security requirements in specifications, partitioning systems, managing rights and access properly, tightening the configuration of equipment (passwords to access the BIOS, disk encryption, removal of unnecessary services, etc.), and defining Business Continuity Plans (PCA) and Disaster Recovery Plans (PRA) before it’s too late…