The number of computer attacks is exploding in the health sector and reveals major flaws in the systems and practices of establishments.
A cyberthreat hangs over the health sector, which is unprepared for attacks from hackers. While health data stirs the growing greed of hackers around the world, French establishments are still very easy prey.
This observation is at the origin of a conference organized under the aegis of the Ministry of Health, which was held on October 7 in Paris. Some 250 directors and computer security managers from health establishments met to discuss the issue of cyberattacks and the means of protecting themselves from them.
2015, “the year of the hospital hack”
And there is still work to be done. While foreign news, especially American, is full of health-sector hacking cases, each more spectacular than the last, France was slow to take the measure of its vulnerability.
“For a long time, there was the idea that this sector was sheltered,” explains Frédérique Pothier, of the delegation for the strategy of health information systems (DSSIS, Ministry of Health). “We thought that French health data was not monetized, since everyone can benefit from social protection, unlike in the United States.”
And yet… 2015 will be “the year of the hospital hack”, the magazine MIT Tech Review predicted in December 2014, with a certain clairvoyance. In fact, at the time this editorial was published, the Polyclinique de Blois (Loir-et-Cher) was facing an extortion attempt through its computer system.
Shortly after, the hacker group Rex Mundi attacked the medical biology laboratory Labio, from which it demanded 20,000 euros, threatening otherwise to publish patients' test results on the Internet. On May 1, 2015, at the Marie Curie Center (Valence), members of the radiotherapy department discovered with amazement that two network disks containing patient data had been hacked; for 24 hours, the patients could not undergo their radiotherapy sessions.
Obsolete practices
The number of attacks targeting healthcare facilities has grown steadily in recent years. However, they are difficult to quantify. “When one of them suffers a cyberattack, it doesn’t shout it from the rooftops,” emphasizes Frédérique Pothier. “As a result, the data is underestimated. We probably only know the tip of the iceberg.”
Beneath the surface, there are large flaws in the IT security of healthcare establishments. “You just have to take a tour of the hospital to realize it,” explains Christophe Kiciak, a manager at Provadys, a company specialized in information technologies, who took part in the conference. “The computers are used by ten to fifteen people, self-service, without supervision or password. It only takes a moment of inattention to insert a USB drive and install malware [malicious software, editor's note] for remote control of the workstation. So you can surf very easily on the internal network of a hospital.”
Christophe Kiciak, manager at the company Provadys: “Targeted attacks often originate from internal complicity.”
Make up for the lack of training
Beyond the security of computer systems, which requires financial resources to improve, certain behaviors do indeed seem inappropriate in the face of this threat, in both public and private establishments.
To compensate for this lack of training, at the end of 2013 the Ministry of Health deployed a General Policy for the Security of Health Information Systems (PGSSI-S). Still little known to the professionals it targets, this strategy aims to improve practices to fight against cyberthreats.
“It is aimed at each actor, at his level: self-employed doctors in private practice, private clinics, hospitals…,” specifies Frédérique Pothier. “It is about providing advice to everyone to prevent risks. For example, in the Memento for Liberals, we include the need to lock the room where the computer is located, to make regular backups and to keep the hard drives in another room. Other documents are intended for IT professionals.”
These documents are available on the website of ASIP Santé (Shared Health Information Systems Agency) of the Ministry of Health. And even in the absence of data on the prevalence of attacks in France, it seems advisable for health establishments to consult them.