How can cybersecurity be ensured in healthcare facilities?
Digital transformation in the healthcare sector has revolutionized the way care is delivered and managed. However, this increased digitization has also exposed healthcare facilities to greater risks.
In fact, according to ANSSI, hospitals accounted for 10% of ransomware victims in France in 2023.
This situation prompted the Court of Auditors to examine the issue and produce a report titled “IT Security in Healthcare Facilities,” which was published in January 2025.
It highlights current cybersecurity gaps in the healthcare sector and suggests ways to address them.
Healthcare Facilities and Cybersecurity: A Cause for Concern
Digital Transformation and Its Consequences
In recent years, healthcare facilities have adopted digital tools to streamline their operations.
New technologies are found in every department and at every level of healthcare facilities, from medical imaging equipment to hospital management software.
While these advancements are essential for improving the quality of care, they also increase vulnerability to cyberattacks.
Healthcare organizations handle sensitive data, including patients' personal and medical information, which is highly sought after by cybercriminals.
The confidentiality, integrity, and availability of this data must be ensured to maintain patient trust and ensure the smooth operation of services.
For example, a cyberattack targeting a hospital could compromise access to electronic medical records, thereby delaying diagnoses and treatments.
A wide range of cyber threats
The Court of Auditors' report identifies several types of cyberattacks that could target the IT systems of healthcare facilities:
- Ransomware: This type of malware encrypts victims’ data and demands a ransom in exchange for restoring access. These attacks can completely paralyze a hospital.
- Data breaches: The theft of medical records can have serious consequences, ranging from identity theft to blackmail.
- DDoS (Distributed Denial of Service) attacks: These attacks flood an institution's online services (patient portals, appointment booking, public websites) with traffic in order to make them unavailable.
- Phishing attacks: attempts to deceive hospital staff, typically with fraudulent emails, into handing over credentials or opening a malicious attachment, in order to gain access to the computer network or steal personal information.
- Website defacement: a technique often used by hacktivists to convey a political message that garners significant media attention.
Is the French healthcare system under attack?
According to ENISA, France is the country most affected by cyberattacks within the European Union in the broader healthcare sector (hospitals, laboratories, health insurance providers, the pharmaceutical industry, etc.), as illustrated in the infographic below.

Source: ENISA. Map of cybersecurity incidents observed in the healthcare sector from January 2021 to March 2023
This observation should, however, be put into perspective for at least two reasons. First, France has more healthcare facilities than other countries, thereby increasing the potential scope of the problem.
In addition, since 2016, French healthcare facilities have been required to report any serious cybersecurity incident, which is not necessarily the case in all European countries.
Nevertheless, cybersecurity in the healthcare sector remains a major concern in our country.
Cybersecurity Assessment in Healthcare Facilities
The main gaps identified
The Court of Auditors highlights several structural and organizational weaknesses that expose healthcare facilities to significant cyber risks:
- Inadequate governance
Many institutions lack a clear cybersecurity strategy. This lack of governance often stems from a failure to prioritize these issues in favor of other budgetary and operational constraints. Furthermore, national guidelines are not always tailored to the specific needs of local hospitals.
- Limited human resources
Healthcare facilities are facing a severe shortage of cybersecurity specialists. The teams responsible for information systems are often understaffed and lack the training needed to address current threats. Hospitals struggle to attract candidates who could command much higher salaries in other industries. As a result, 5% of positions in hospital IT departments are vacant.
- Outdated systems
Many organizations continue to use outdated hardware and software. These systems no longer receive security updates, so the vulnerabilities they contain cannot be patched and remain exploitable by cybercriminals.

Source: Court of Auditors
- A lack of awareness
Hospital staff, whether administrative or medical, are not always aware of best practices in cybersecurity. This can lead to risky behavior, such as using weak passwords or clicking on phishing links.
The consequences of security breaches
Cyberattacks in the healthcare sector can have far-reaching consequences:
- Service disruptions: System outages may force a facility to close certain essential services, such as the emergency room, delay life-saving treatments, postpone admissions, and so on.
- Disruption to patient care: With an IT system that is down, it is very difficult for hospital staff to continue ensuring the safety of patients in the facility. How, for example, can they know which patient is in which room?
- Loss of trust: Following a cyberattack that results in a data breach, patients and partners may question the organization’s ability to protect information that is, by its very nature, highly confidential.
- Administrative and financial disruption: System outages can prevent administrative departments from handling essential day-to-day financial transactions (invoices, payroll, etc.).
- High financial costs: According to estimates provided by hospitals that have been the victims of cyberattacks, the total cost of a cyberattack can reach up to 20 million euros when factoring in lost operating revenue.
It should be noted that the cost of cyberattacks is sometimes covered by the ARS (the regional health agency) through the regional response fund, but this is by no means a standard practice. As a result, some hospitals that have been targeted may find themselves in a very difficult financial situation following a cyberattack.
How can we improve cybersecurity in healthcare facilities?
Strengthen governance
It is essential to establish clear, centralized cybersecurity governance.
This includes appointing a Chief Information Security Officer (CISO) at each facility, as well as developing appropriate strategic plans.
CISOs must have sufficient authority to drive change and ensure the implementation of security policies.
Increase human and technical resources
It is vital for healthcare facilities to invest both in recruiting qualified staff to help protect their systems and in replacing aging IT equipment.
Obviously, in both cases, the financial aspect is just as much a key factor as it is a limiting one in a highly complex budgetary context.
Foster a culture of auditing and collaboration
Regular audits must be conducted to identify weaknesses and track progress.
At the same time, better coordination among healthcare facilities can be a key factor in building resilience and a way to address the lack of financial resources.
Raise staff awareness of cybersecurity
Finally, staff training is crucial for reducing risky behavior. Targeted awareness campaigns must be conducted to foster a genuine cybersecurity culture within teams.
That is precisely the purpose of the AvantdeCliquer solution, which offers ongoing, hands-on training to help users learn how to recognize and thwart phishing attempts.
The Court of Auditors notes that, depending on the year, phishing is the leading or second-leading cause of incidents reported to CERT Santé.
Now more than ever, people must therefore be at the heart of efforts to protect digital systems in healthcare facilities.
Click here to learn more about the AvantdeCliquer healthcare-focused offering.
Conclusion: A Need for Long-Term Support
Cybersecurity is a critical issue for the healthcare sector. While healthcare facilities still have many gaps to address, the Court of Auditors’ report offers concrete recommendations for strengthening their resilience against cyberthreats.
The ongoing digitization of healthcare services requires a sustained commitment to cybersecurity. This includes providing long-term financial support to healthcare facilities.
This initiative is already underway through the "Cyber Acceleration and Resilience of Institutions" (CaRE) program, which provides €750 million in funding for IT system security from 2023 to 2027.
It should be borne in mind, however, as the Court of Auditors points out, that “the end of the CaRE program will not mark the end of the need to secure hospital information systems.”
CIOs, CISOs, DPOs: request a free demonstration of the fully automated phishing awareness solution.