Corbeil-Essonnes in August, Versailles on December 5… French hospitals are increasingly victims of cybercriminal attacks. In the majority of cases, hospitals face hackers who infiltrate their computer system, steal data and then deny access before demanding a ransom in exchange for a return to normal and the promise that the stolen data will not be disseminated.
These attacks, classified under the term “ransomware”, are devastating: the CHU of Corbeil-Essonnes (91) took, for example, more than two months to return to normal activity. Loss of data and inability to use in-house software hampered systems automation and forced staff to revert to pen and paper. The stolen data, including many personal items from patient records, was eventually released after the hospital adamantly refused to pay the $10 million ransom. In addition, this type of payment is prohibited for public bodies in France.
In recent years, attacks of this type have multiplied. Although the principle has been known for a long time, it took advantage of a truce declared by most cybercriminals in the midst of the Covid crisis, which had resulted in overloading hospitals in 2020. But in 2021, these attacks resumed with renewed vigor and almost doubled in France (733 compared to 392 in 2020). Although the figures are not yet known, the trend should continue in 2022. The National Authority for the Security and Defense of Information Systems (Anssi) assessed the frequency of a serious incident in French healthcare establishments more than one per week.
Hospitals are particular targets because the lives of patients may depend on their proper functioning. Above all, they have health data, which are among the most sensitive, within the meaning of the European regulation for the protection of personal data (GDPR). For Gérôme Billois, cybersecurity specialist for the firm Wavestone and author of the book Cyberattacks: the underside of a global threat, published by Hachette, the equation is simple: “When your bank account is hacked, you object to your bank and you will be reimbursed for the lost money. Whereas when all of your medical data is made public, it is irreversible, it is for life. »
The reaction of the various targets also plays a role: in France, where the hospital is overwhelmingly public, paying the ransom is out of the question. In other countries, on the other hand, pirates can touch the jackpot, as in the United States, where the hospital groups are generally private. “When doing extensive searches for flaws in hospital computer systems, the hackers don’t know if they’re French, they probably don’t speak French, and they don’t know that the hospitals here are public, that they don’t have no right to pay the ransoms. Their goal is just to find a loophole and exploit it. »
In the United States, almost 400 hospitals had been targeted in a large attack in 2020, each facing a ransom demand of around $2 million. In 2021, the total sums paid across the Atlantic would reach 1.3 billion dollars according to federal agencies, compared to around fifty million a few years earlier. Last August, General Christophe Husson, second in command of the Cyberspace Gendarmerie Command (ComCyberGend), estimated the global cost of cybercrime at $6 billion per year. So much money potentially reinvested in the sophistication of the means available to pirates.
DOSSIERThe new global cyberwar
The overwhelming majority of “ransomware” comes from independent hacker groups, “often network heads in Eastern Europe or former Soviet republics, but the teams are spread all over the world,” said Gérôme Billois. The recent attacks on the Corbeil-Essonnes hospital or that of Versailles, for example, would have been launched by the Russian group Lockbit 3.0. These groups rather strike in the West to avoid prosecution where they are based.
When Russia launched the war in Ukraine in February, Western countries feared they would suffer massive destabilizing attacks targeting public services in particular. “Eventually, such destructive attacks did not take place,” says our expert. Cyber operations coming from the States remain for the purpose of espionage, and “there, it is more a question of not being detected than of making a lot of noise like with ransomware”. They are therefore difficult to quantify and rather affect sensitive companies or institutions.
If we talk a lot about hospitals, we must not forget that companies remain the most affected by cyber-maliciousness: according to Anssi, between 2020 and 2021, they suffered a 50% increase in the number of attacks targeting them and constituted a third of the victims. Communities accounted for 19%, hospitals only 11%. “These attacks are opportunistic: hackers will actually crawl thousands of websites looking for a security hole, and assess the value of the target once they manage to get in,” says Gérôme Billois.
On the other hand, companies have more interest in being discreet about these attacks, which sometimes lead to the disclosure of valuable commercial data, in particular. It is therefore difficult to accurately assess the number of attacks targeting the private sector, while institutions, communities and public establishments must report it to Anssi when they are victims. Gérôme Billois specifies that barely more than one ransom in ten is paid, in general: “If you have backups of your data, no need to pay, just reinstall them. Whether you pay or don’t pay, you have to reinstall the files anyway, so the crisis management time remains roughly the same,” he explains.
To combat this phenomenon, the State had announced that it would devote 25 million euros to securing public health establishments, to which are added 20 million euros released by the Minister of Health François Braun in August, after the Corbeil-Essonnes attack. 135 centers have been designated as “essential service operators”, which subjects them to more demanding IT security rules.