Hospitals are increasingly becoming targets of cyberattacks. These attacks jeopardize the security of sensitive medical data and the ability of healthcare facilities to provide quality care to their patients. During the Cybersecurity Conference held in Monaco a few weeks ago, DirectIndustry met with four executives from companies that develop solutions to help healthcare institutions strengthen their cybersecurity and better protect their patients’ data.
In recent years, hospitals have become a preferred target for hackers. Cyberattacks on hospitals come in various forms, but the two most common are ransomware attacks and attempts to steal medical data.
This is what happened last year at the French hospital in Corbeil Essonne, in the Paris region, where over 11 gigabytes of data were stolen and then posted on the Lockbit cybercriminal group’s website.
These cyberattacks have a devastating impact on hospitals and their patients. When computer systems are compromised, hospitals may be forced to suspend certain operations or services, which can endanger patients’ lives. Besides, the loss of medical data can lead to privacy and security issues for the affected patients.
To address this growing threat, numerous technical solutions and best practices are available. During the Cybersecurity Conference in Monaco, our medical industry expert Luca C met with the leaders of four companies that offer solutions to help hospitals enhance their cybersecurity, better protect their patients’ data, and respond more effectively in the event of an attack.
Julien Gourlaouen is a Solution Engineer at Fortra. For him, healthcare data is highly sensitive and requires special attention.
“The issue with hospitals often revolves around closed environments, but some expose their data externally. This very sensitive health data therefore needs to be correctly classified and identified to ensure its protection. Therefore, visibility is crucial. It’s a real problem for hospitals today.”
What are the recent cybersecurity threats that hospitals have had to face? Are they mainly patient data breaches or business interruptions? According to Baptiste David, a Product Evangelist at Tenacy, the primary threat to hospitals is business interruption.
“In today’s landscape, the most significant peril facing hospitals is business interruption, mirroring the unfortunate reality for many entities, as it represents a monetizable threat. This threat primarily materializes in the form of ransomware attacks on hospitals, where their information systems become locked, catching them unprepared. The sole recourse they then have is to pay the ransom. This dire situation has incentivized attackers to target hospitals, with the regrettable consequence that some are indeed profiting from these attacks.”
Vincent Ribes, Product Owner at EGERIE, confirms this, as the consequences of a business interruption are extremely damaging.
“Systems need to be urgently shut down, and patients must be redirected to other hospitals due to the inability to accommodate them with offline information systems. With the widespread computerization of hospital operations, this necessitates a return to manual processes. Consequently, everything must be reworked, resulting in a significant slowdown in the flow of information between departments.”
The Origin of Attacks
According to Vladimir Kolla, founder of Patrowl and winner of the 2023 Innovation Award at the Cybersecurity Conference, the two main vectors of intrusion in hospitals are phishing and hacking.
“Phishing entails sending a malicious email that, when opened by an employee, allows the attacker to compromise the organization from within. When targeting something exposed to the internet, the attacker gains the ability to further infiltrate the company or hospital network. The primary objective is financial gain. The attacker has two main tactics: one is to encrypt the data, rendering it inaccessible to both the IT department and the business, subsequently demanding a ransom. The other tactic involves copying the data and using it to extort money.”
How can patient data be safeguarded? What are the best practices that hospitals and healthcare facilities should implement to strengthen their cybersecurity?
The Basics: A Guide to Best Practices
All stakeholders agree on one thing: implementing the basics is crucial—antivirus, endpoint detection and response (EDR), and firewalls.
ANSSI, the French National Agency for the Security of Information Systems, has, in fact, published a cybersecurity hygiene guide, formalizing the top 42 rules that everyone, whether hospitals or businesses, should follow. Those rules involve training operational teams in information system security, raising awareness among users about basic computer security best practices, identifying the most sensitive information and servers maintaining a network diagram, and encrypting sensitive data transmitted over the Internet among other rules.
According to Baptiste David from Tenacy,
“It’s interesting because we’re not always dealing with highly advanced, costly technologies.”
Vladimir Kolla from Patrowl emphasizes,
“Simply adhering to these guidelines can protect you from 90% of the problems.”
Email Security and the Internet
ANSSI’s 24th rule involves “securing your professional email.” It’s indeed vital to secure emails, as this is often the point of entry for attackers, explains Vladimir Kolla from Patrowl.
“Securing your email can be accomplished using French solutions like Vade (formerly Vade Secure) or BreakInMail, which effectively protect incoming emails against phishing attacks. To secure everything exposed on the internet, solutions like Patrowl aims to safeguard all the information a company exposes online.”
Identifying Healthcare Data
For Julien Gourlaouen from Fortra, identifying healthcare data is another thing to do:
“We offer healthcare data identification solutions to permanently and persistently tag healthcare data. Once tagged, whether you archive or move this data within hospitals, we can track it using classification and data loss prevention (DLP) tools to prevent data leaks.”
For Vincent Ribes from EGERIE, the key is to anticipate.
“Anticipation is crucial, organizations should not wait for an attack to occur. Therefore, preparation is necessary. What we offer at EGERIE is to analyze your cybersecurity posture, understand the measures you’ve already implemented, the threats you face, and the potential attacks you might experience, such as patient data theft. We help clients consider the threat landscape they’re up against and devise the most relevant action plans to avoid the worst when an attack does happen.”
To prepare effectively, some solution providers offer penetration testing. The idea is to test all the hospital’s applications, as explained by Julien from Fortra:
“Many attacks in hospitals come through aging software that wasn’t specifically tested. This is a real issue because updating these solutions is relatively expensive for hospitals, and they can’t afford to do it. However, if we don’t test the security of these aging applications, they become entry points for attackers. So, it’s important to test your healthcare data tools, aging software, and even new ones. You need to run automated or manual penetration testing systems, involving partners with expertise in the healthcare field, to ensure that these software solutions aren’t too easily penetrable.”
Cybersecurity is an investment. But for Vincent Ribes from EGERIE, it’s worth the effort:
“I read a testimonial from someone at Corbeil-Essonnes Hospital who said that thanks to the 2022 attack, they now have allocated funds to secure their system. If they had done this before, it would have cost them the same amount, minus the costs related to the attack. Hence the importance of anticipating cyber risks and conducting risk analyses. So, yes, cybersecurity is a bit costly, but it saves many troubles, many expenses, and, in the end, it’s worth it.”