In 2015, American cybersecurity experts affirmed following the hacking of Anthem, one of the most renowned insurance companies and during which tens of millions of personal data had been compromised, that they were living “the year of the health data hacking. Seven years later, it still is. While the Corbeil-Essonnes hospital is the latest in France to be the victim of a cyberattack on Sunday, the stakes around health data seem more than ever gigantic.
Recognized as particularly sensitive, today they do not get the treatment they deserve and the weaknesses surrounding their security make them a highly coveted asset. “Today, there are four types of cyberproblems, counts Vincent Trély, founding president of Apssis, the association for the promotion of the security of health information systems. Cyber espionage, carried out by the States and of which the Americans with the NSA, are the champions in all categories, cyber war, in which we have been immersed for six months, cyber activism and cyber crime”. For the expert, health data play a major role in all cases.
Big stakes… especially financial
“They are among the most lucrative on the darknet,” says Yosra Jarraya, co-founder of Astrachain, which specializes in securing the confidentiality of sensitive data. And the more sensitive they are, the higher their rating, the more money they bring in for hackers”. The reasons for this high market value? Blackmail, identity theft, tarnished reputation, etc… The reasons are many. The expert speaks of a real business where the law of the strongest applies: “we attack the weakest, who bring in the most money, there is no morality”. And as in all Far West, the threat is enormous.
“Beyond the financial aspect, the victims of these data thefts can suffer a much more dramatic trauma, knowing that they are already weakened,” Yosra Jarraya continues. “Imagine that hackers call patients directly and tell them ‘send us 800 euros or we put all the elements on social networks and your family and your employer will know that you are schizophrenic'”, adds Vincent Trély. A real series scenario? Not only: the case occurred in Finland at the end of 2020. Chilling.
Huge moral damage
Regarding the South-Francilien hospital in Corbeil-Essonnes, “there is no evidence that the attack is targeted”, analyzes Vincent Trély. “I would even lean more towards a net attack, given the amount of the ransom demanded. 10 million dollars is a classic sum, like 300,000 or 600,000 dollars”. However, as the expert thinks, to hope to obtain such a sum, the hackers did not aim at the right place. “LVMH or Dassault might pay that amount, but not a public hospital. Never. No chance “. This therefore suggests that the hacker launched his virus at random from collected email addresses, and that he “fished” the hospital. As a reminder, 90% of ransomware attacks are opportunistic and untargeted.
However, if everyone agrees on the sensitivity and the very high value of the data held by health establishments, an additional vulnerability is added: “the lack of means of public hospitals affects investments linked to cybersecurity which are undersized while an attack on the computer system with a ransom demand puts the lives of patients at risk”, specifies Yosra Jarraya. “A hospital shut down is a disaster”, abounds Vincent Trély. And in a system where almost all professions are computerized, we force ourselves to go back, with paper and pencil as the only tools. “Depending on the virulence of the virus, if it touches the heart of the infrastructure, MRIs, scanners, patient admission, bed management, real-time patient monitoring, etc. are put on hold,” he adds. .
Secure again and again
Can we hope for a rapid securing of the hospital environment given the “good hundred cyberattacks targeting hospitals in France last year”, according to the expert? “There is a real need to educate staff on the risks associated with cybersecurity,” he insists. The IT manager of a hospital must stop being seen as a paranoiac who annoys his world when he asks for a change of password every three months and at least twelve characters”.
But the announcement of the 350 million euro investment plan in cybersecurity at the start of 2021 by Emmanuel Macron gives reason for hope. “We are in the middle of the implementation of this program which will allow hospitals to take a leap forward, positive Vincent Trély. The hospital is ten years behind the CAC40”. This observation is shared by Yosra Jarraya, whose company, Astrachain, offers an alternative to encryption to protect sensitive data.
The Ukraine-Russia cyberwar, a potential new risk
Like Voldemort in the Harry Potter saga who separates his soul into several pieces before disseminating them to the four corners of the magical land, Astrachain’s technical solution is based on fragmentation algorithms which make it possible to secure data confidentiality. “They are illegible and unusable until we have collected a number of fragments” explains the CEO of the company. But for now, it’s hard to see the miracle solution: “hospitals are rarely the first to adopt a new technology, it takes time to convince them,” she regrets.
And in this race against the clock, the war in Ukraine can also play spoilsport and stir up ever more greed. “If Russia decides to activate its cyber missiles by shutting down the system for regulating trains, paying civil servants and around twenty hospitals around Paris, health data will be further undermined”, considers Vincent Trely. In a worst-case scenario where robbing the health system is a weapon of massive paralysis, the latter could run an ever greater risk of being revealed and exploited by hackers.