In 2020, nearly one in two French companies was the target of a cyberattack (1), compared to only one in three in 2019. Do these observations apply to the healthcare field in particular? The answer is yes. Worse, the healthcare world is particularly targeted, and for several reasons.
A growing danger: the reasons
The healthcare sector is particularly targeted by cybercriminals, first of all for financial reasons: a medical record can be sold for €250 on the Dark Web, and ransomware can demand tens or even hundreds of thousands of euros (if the attackers manage to get into a hospital's computer system, for example). Secondly, it is also a question of opportunity: in the middle of the Covid crisis, hospitals are an easier target. In fact, since Covid emerged, cyberattacks against the healthcare sector have increased by 45%. This represents 650 attacks per week against healthcare organizations worldwide, and one major attack per week against a French hospital. The healthcare world is therefore particularly at risk in terms of cybersecurity.
What are the consequences of a cyberattack?
Faced with this threat, the stakes for a company in the health sector are multiple. First of all, the main risk concerns the company's productivity: today, every company has a more or less developed information system that is necessary for its operation. A cyberattack can block the computer system and make it unavailable, which can have serious consequences: 50% of SMEs that have suffered a cyberattack do not recover and go bankrupt.
A cyberattack also leads to heavy financial losses. These losses are not only due to the loss of productivity caused by the attack and the time spent defending against it, but also to the main form of cyberattack: ransomware. Ransomware is malware that is installed in the company's information system without the company's knowledge and that "takes hostage" the system's data by encrypting it. The only way to decrypt it is to pay a high ransom to the hacker.
Cybersecurity is also a legal issue. Indeed, every company holds personal data (such as the data of its employees, for example), and some companies in the health field also manage health data, which is sensitive data. The RGPD (GDPR) requires this data to be stored in a regulated and secure manner. In case of a leak or suspected leak (often due to a cyberattack), the RGPD requires the company to notify the CNIL, which can conduct an investigation by inspecting the company's information system. In case of non-compliance with the RGPD, a fine of 2 to 4% of the company's turnover can be imposed.
Finally, cybersecurity represents a competitive issue. The reputation of a company that has suffered a cyberattack is greatly diminished. Moreover, some cyberattacks introduce spyware, enabling industrial espionage. In conclusion, cybersecurity is a company-wide issue. How can it be fully integrated?
What are the means of achieving effective security?
Firewalls and antivirus software are already well-known and indispensable means of cyber defense. A VPN is also strongly recommended to protect Internet browsing. It is also necessary to instil good security practices in all employees of the company. This is done through three points: training (informing employees of the risks related to cyberattacks and the means to prevent them), awareness (with phishing tests, for example) and obligation (requiring regular password changes and secure email, prohibiting USB keys, etc.). For companies in the health sector, it is important to have a CISO (Chief Information Security Officer) and a DPO (Data Protection Officer), or even a cybersecurity referent/expert for large companies. Finally, it is also possible and recommended to call upon external organizations to manage cybersecurity in the company. Having an audit or a penetration test performed by a company offering these services often reveals many flaws that need to be corrected. The ANSSI (French National Agency for Information Systems Security) also offers to help companies monitor their information systems better, and helps them recover from an attack.
It is obviously a truism to point out that cybersecurity is a major issue that can only grow in the coming years. Security systems are increasingly interconnected, and the security of the entire information system can be compromised by its least secure link. The COVID crisis, by making telecommuting the norm, has further exposed the security systems of healthcare organizations, which are already particularly targeted by cybercriminals, to attacks. Cybersecurity is therefore a challenge that must mobilize, beyond the laboratory's IT departments, all the players: laboratory employees, but also service providers and subcontractors.
(1) https://www.hiscox.fr/sites/france/files/documents/CP%20Hiscox%20Cyber%20Readiness%20report%202021_19042021.pdf