
Cybersecurity and healthcare: the stakes for protecting sensitive data

Make IT Safe

The healthcare sector handles a massive volume of sensitive information — medical data, patient records, personal information and research data.

This data is increasingly digitalised to improve and speed up communication between healthcare professionals, administrative bodies and patients.

The cybersecurity stakes around this data are many. Here are the main ones:

  • Respect for medical-data confidentiality
  • Control over patient-data integrity
  • Availability of healthcare services
  • Protection against attacks targeting medical data
  • Compliance with data protection regulations

The threats weighing on this data and the consequences of poor cybersecurity can be critical — they require a very specific security policy. Without access to digitalised data, a healthcare facility can literally be paralysed when trying to access patient records and therefore deliver treatment.

1 – The main cybersecurity threats in healthcare

A. Ransomware attacks

Always looking for value to steal remotely, cybercriminals have no qualms about targeting healthcare facilities. They know a hospital cannot function properly without access to patient data. Medical data becomes a tradeable product in exchange for a ransom demand.

That is the principle of ransomware: the attacker gains remote access to the facility’s IT network and blocks its operation using various techniques. They then offer a way to make it operational again, in exchange for a large sum of money.

Sometimes, the healthcare organisation has no choice but to pay to avoid the potentially dramatic consequences of losing access to their patients’ medical information. In 2022, the list of French hospitals and other healthcare facilities hit by ransomware kept growing (several dozen in that one year).

Probably the most striking example is the CHSF (Centre Hospitalier Sud Francilien) in Corbeil-Essonnes, near Paris, whose data was locked from 21 August 2022 in exchange for a 10-million-dollar ransom demand.

A single email with a phishing link was probably enough to trigger the intrusion of a malicious programme into the CHSF’s IT network. Once inside, the ransomware starts encrypting every piece of data within reach, making it unreadable without a decryption key.

As you might guess, that key can only be obtained by paying the demanded ransom. If the facility refuses to pay, it must deploy very expensive resources to try to recover its data — sometimes unsuccessfully. Meanwhile, the attackers have already monetised the hacked files on the Dark Web: the internet’s parallel market.

B. Attacks on connected medical devices

Attackers are now targeting medical devices equipped with internet connectivity (IoT). Examples include:

  • An MRI machine (magnetic resonance imaging)
  • Hospital surveillance cameras
  • Infusion pumps placed at patients’ bedsides
  • Pacemakers carried by patients

These devices multiply in healthcare to provide ever more automated services. Despite the precautions device manufacturers take in the connection protocol between the device and the medical information-system (IS) network, a security gap is always possible.

One of the most-cited IoT attack cases involves Medtronic’s MiniMed insulin pump. In 2018, the company confirmed that a device in their pump, sold to US hospitals, was affected by a cybersecurity vulnerability.

The potential attack could have let an attacker remotely access one of these pumps to change the insulin dose injected into a patient. Thankfully, that nightmare scenario never happened. Device manufacturers run many cybersecurity tests to make sure it never does.

C. Social engineering and phishing

Attackers do not even need sophisticated techniques — they sometimes just use trickery to fool healthcare staff. This is called social engineering.

One of the most common techniques is phishing. For example, a doctor at a hospital reads an email that looks exactly like a message from a known organisation or person: identical-looking domain name, same graphic style, same tone.

Social engineering relies on the emotional reactions of people reading the baited messages. In healthcare, staff are often under stress. They must act fast and follow instructions from superiors without questioning them… Attackers take advantage of this situation to send emails that perfectly imitate threatening-toned messages. The goal is to push the recipient to click the link out of fear of disobeying.

In this professional environment, mutual aid is also prominent. The attacker can push medical staff to come to a struggling colleague’s aid by circulating a donation pot. A tiny click on the visible button will let you send a donation…

Attackers’ imagination is limitless and morality doesn’t bother them. How do you defend against all these fraud possibilities without becoming paranoid?

Follow a few common-sense rules:

Social-engineering security rules

1. Always verify the domain name

A link or email is always tied to a website URL. For example, the French tax website domain is impots.gouv.fr. If you received an email from albert.dupond@impots.gouv.fr, the address is properly built from the tax domain.

But if the email is built like albert.dupond@impots.gouv.fr.net, it is a fake domain. A domain name is read from its right-hand end, so this address belongs to fr.net, not to the tax website, and is probably the start of a trap.

Same check for a link: you can read the URL it corresponds to (hover the mouse over the link instead of clicking) and verify the domain name is what you expected. Never validate a form without first verifying the URL of the page displaying it.
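The domain check described above, as an added example that is not part of the original article: a small Python checker that extracts the domain from a sender address or the host from a link and accepts it only when it is the expected domain or one of its subdomains. The sample addresses and links are constructed for the demonstration; impots.gouv.fr is the tax domain the text uses.

```python
# Added example (not from the Make IT Safe article): a checker for the
# "always verify the domain name" rule. A name passes only if it IS the
# expected domain or sits to its LEFT as a subdomain (mail.impots.gouv.fr);
# anything appended to the RIGHT (impots.gouv.fr.net) fails, because a
# domain is read from its right-hand end. Sample values are constructed.
from email.utils import parseaddr
from urllib.parse import urlparse


def belongs_to(host: str, expected: str) -> bool:
    """True if host equals expected or is one of its subdomains."""
    host = host.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def sender_domain(header_value: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1]


def link_host(url: str) -> str:
    """Host of a link; a user@ prefix or a port is not part of the host."""
    return urlparse(url).hostname or ""


def check_sender(header_value: str, expected: str) -> bool:
    return belongs_to(sender_domain(header_value), expected)


def check_link(url: str, expected: str) -> bool:
    return belongs_to(link_host(url), expected)


if __name__ == "__main__":
    TAX = "impots.gouv.fr"
    # The third sender shows a look-alike display name hiding a fr.net address.
    for sender in ["albert.dupond@impots.gouv.fr",
                   "albert.dupond@impots.gouv.fr.net",
                   '"albert.dupond@impots.gouv.fr" <albert@fr.net>']:
        print(f"{check_sender(sender, TAX)!s:5}  {sender}")
    # The third link puts the tax domain before an @ so the real host is example.net.
    for url in ["https://www.impots.gouv.fr/accueil",
                "https://impots.gouv.fr.net/login",
                "https://impots.gouv.fr@example.net/login"]:
        print(f"{check_link(url, TAX)!s:5}  {url}")
```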

2. Never download software without your IT department’s approval

When you are in a rush and need a specific piece of software on your computer, it is tempting to install it yourself without waiting for IT approval. Unfortunately, that is often how malicious programmes sneak into healthcare networks.

A USB stick lent by a colleague is enough to carry malware that wasn’t detected by their antivirus. You plug the stick into your work computer thinking nothing bad can happen and install the missing programme. The malware takes the opportunity to install itself too…

Antivirus software can only protect against already-catalogued malicious programmes and sometimes lets recent malware slip through. By the time the malware is detected, it’s too late — it has had time to spread across your organisation’s network.

3. Always verify the source of a command

If you receive a message from your hierarchy with an instruction asking you to act in place of your manager (for example to communicate a password or authorise a SEPA wire transfer), take the time to think.

Is your manager really contacting you? Why this unusual situation? In that case, try to call the person or, failing that, alert other managers to decide what to do.

Make IT Safe offers a complete platform to define your entire security defence strategy. We are also at your disposal if you want to run specific cybersecurity training to familiarise your staff with social-engineering rules.

2 – The possible consequences of cyberattacks on healthcare

A. Medical-data compromise

Even more than an individual’s personal data, medical data must be protected from any risk of compromise. The GDPR highlights the responsibility medical staff bear here.

A patient’s health information can be used against their personal interests if revealed outside the medical context. For the patient, the consequences can include psychological trauma or hiring discrimination.

For the healthcare professional, a medical-data leak can be a breach of medical secrecy with significant legal and professional consequences — sometimes visible in the press.

An even more serious consequence of altered medical data: a patient’s treatment can become ineffective or incompatible with their real health condition. A medical accident can then occur — for example due to a wrong dosage in a prescription.

Short of such extremes, protecting medical data is also important to maintain trust between patients and their healthcare system. Otherwise, patients may stop sharing all their medical information, with the risk of not getting treatment suited to their real health condition.

It is therefore especially important to have specific tools that ensure medical-data quality and protection.

Make IT Safe offers its cybersecurity and GDPR compliance software to help you manage all the medical-data protection rules you are responsible for.

B. Disruption of healthcare services

Take the cyberattack on Versailles Hospital in December 2022: several buildings were impacted — André-Mignot Hospital (700 beds, 3000 staff) in Chesnay-Rocquencourt, the Despagne nursing home and Richaud Hospital in Versailles.

Hospital computer screens went black, then a ransom demand appeared. Several at-risk patients whose care could no longer be guaranteed had to be transferred urgently to other hospitals. The Plan Blanc (French national health emergency plan) was triggered and several operations had to be cancelled.

The hospital’s entire IT system was cut off as a precaution. A crisis unit was set up with the Ile-de-France Regional Health Agency (ARS).

Medical devices kept working, but not their networking. Specialised staff had to be hired urgently to manually manage these tools essential for patient survival.

Emergency access was limited and maternity services reduced. Every administrative formality had to be done manually.

In the end, the cyberattack disrupted the hospital’s operations for several weeks and cost it considerable money.

C. Financial consequences

The financial consequences of such an attack are extremely heavy and span many areas:

  • Tight scheduling constraints on staff
  • Extra staff costs to substitute for machines
  • Intervention costs for at-risk patients
  • Plan Blanc activation
  • Attack forensics and diagnostics
  • IT restart costs
  • Audit and cybersecurity upgrades
  • Revenue loss on impacted services
  • Reputation damage for the attacked hospital

3 – The security measures to put in place

A. Awareness and training

To prepare effective security measures for this type of risk, start by evaluating your staff’s knowledge level. You will detect existing gaps and put in place specific training to close them.

B. Roll out robust security policies

For a security policy to be effective and robust, it must be clearly defined and backed by proven practical measures. That means defining the main directions and generic principles to apply inside the healthcare organisation.

The security policy should follow three pillars:

  1. Identify every device, software and network to protect, via audits
  2. Evaluate threats and risks (via simulations and pentests)
  3. Apply protection measures (deploy software)

Our Make IT Safe cybersecurity software is built on these three pillars and offers a range of features to confidently roll out your security policy.

C. Collaboration and information sharing

Attackers keep innovating to find new gaps or new attack techniques. They have understood that healthcare facilities are targets that haven’t all reached sufficient cybersecurity maturity.

In the face of this threat, collaboration between healthcare facilities, regulators and cybersecurity experts is an effective and essential solution to help healthcare staff skill up.

This cybersecurity watch must be international — the threat can come from any country, as the internet has no borders. International cooperation fills gaps in digital border protection and lets threat information be shared globally.

It also drives the adoption of shared cybersecurity standards, making communication and interoperability between national and international security systems easier.

Make IT Safe actively participates in this international watch and is at your disposal for any question about your cybersecurity. Do not hesitate to contact us.