
Facing the growing threat of cyber-attacks in the healthcare sector


An article by Hans Mourette, CEO of DATASHIELD Risk Consulting.

Updated on December 11, 2023 - reading time: 4 min

The year 2023 marks a crucial turning point for cybersecurity in the French healthcare sector. With a surge in cyberattacks, as evidenced by the incident at Brest University Hospital in March 2023, healthcare professionals are facing a constantly evolving threat landscape. These attacks highlight the vulnerability of aging computer systems and the need for enhanced security to protect sensitive patient data.

The increase in cyberattacks, reported by ENISA (European Union Agency for Cybersecurity), is due to the high value of medical data (a cybercriminal can expect to resell each medical record for between 50€ and 250€) and the accelerated digitization of healthcare services. The growing interconnection of IT systems, the adoption of telemedicine, and dependence on biomedical equipment increase the attack surface and expose infrastructures to heightened risks. In France, the volume of e-health data has significantly increased, necessitating a more robust approach to cybersecurity.

| Cyber Strategies for Securing Medical Infrastructures

In France, securing healthcare infrastructures relies on several fundamental elements, according to the guidelines of ANSSI (National Agency for the Security of Information Systems). The crucial first step is the identification and securing of the different access points, which fall into four main categories: human, software, network, and physical. These cybersecurity measures must cover not only internal systems but also extend to all partners and all external access points.

Audit and in-depth analysis of healthcare systems, including biomedical equipment and sensitive data, are essential to detect elements most likely to be compromised. It is important that security measures be specifically designed to adapt to the unique characteristics of health data, which cannot be entirely anonymized. This implies finding a delicate balance between anonymized databases and those allowing re-identification of records, to ensure both the protection of personal information and the functionality of healthcare systems.

Continuous management of information system security is crucial to ensure constant evolution and improvement in healthcare facilities. Managed systems represent an effective solution, as they allow for resource pooling and address skill shortages. Healthcare establishments are also advised to consolidate their information technology and operational infrastructures (IT/OT) to make them more robust and resilient. It is important to note that non-malicious incidents play a significant role in security problems, highlighting the need for increased vigilance in all aspects of security management. Collaboration with cybersecurity specialists, like DATASHIELD Risk Consulting, is crucial to effectively combat cyber threats and prevent failures. These specialists provide essential expertise and support to healthcare staff, ensuring the protection of infrastructures, services, and patients.

| Strengthening and Implementing Cybersecurity Standards in the Healthcare Sector

The practical implementation of regulations in the healthcare sector in France is undergoing significant changes with the adoption of the NIS 2 directive and the GDPR at the European level. This regulatory evolution, reinforced by the actions of ANSSI, ARS, ANS, CERT-Santé, and CNIL, highlights the increased importance of cybersecurity in the healthcare sector.

The need for these changes was highlighted by significant cyberattacks, such as the one that affected Rouen University Hospital in 2019, an event that triggered national reflection on the protection of hospitals. In response, the French government integrated measures into the France Relance plan, led by ANSSI, aimed at strengthening the security of public health institutions. Today, more than 130 institutions are committed to this cybersecurity journey.

The importance of compliance is underscored by the example of CNIL's intervention with two medical research organizations. In March 2023, CNIL reminded these organizations of their legal obligations after finding shortcomings in the protection of health data. These shortcomings included the absence of data protection impact assessments and incomplete information provided to research participants. This CNIL action underlines the necessary vigilance in managing health data and complying with legal obligations.

The NIS 2 directive, adopted in January 2023, will require many French companies and administrations to strengthen their security standards. This directive is ambitious and aims to establish a common cyber maturity across the European Union. It extends its scope to sectors heavily reliant on information and communication technologies, including healthcare institutions. The directive imposes new obligations in terms of incident handling, risk management, supply chain security, encryption, and vulnerability disclosure.

To prepare companies for these changes, the directive provides mechanisms for proportionality, distinguishing between essential and important entities, and defines specific requirements for each category. The envisaged sanctions can reach up to 10 million euros, or 2% of the global turnover of the concerned entity.

This new regulation thus requires companies, including those in the healthcare sector, to raise the level of their IT security to comply with the requirements of the NIS 2 directive.

Faced with the growing threat of cyberattacks in the healthcare sector, it is imperative to adopt a proactive approach to cybersecurity. Regulatory developments, along with the coordinated efforts of organizations, highlight the crucial importance of protecting medical infrastructures and sensitive patient data. DATASHIELD Risk Consulting, with its expertise in security audits, strategic advice, and assistance in case of incidents, positions itself as a partner for healthcare institutions, offering tailored solutions to strengthen their resilience against cyber threats.