Why French hospitals remain the preferred targets of cybercriminals | EUROtoday
Not only do hospitals lack nurses, they also lack cyber surveillance. According to the latest report from the Court of Auditors, hackers have made health institutions one of their recurring targets. “In 2023, according to data from the National Information Systems Security Agency (Anssi), on French territory, 10% of victims of ransomware attacks were hospitals (public or private),” underline the magistrates of rue Cambon. A vulnerability which is not new but which the Covid-19 crisis has cruelly highlighted.
The first major victim was the Rouen University Hospital in November 2019, a few months before the pandemic struck. Then came the turn of the Dax-Côte d’Argent hospital in 2020, during the second wave. Since then, the attacks have been increasing. There were two in 2022 before a dark year in 2023. That year, the report lists 9 major attacks identified: the Brest hospital, the Rennes University Hospital, the Rouen University Hospital (repeat), the Western Vosges hospital center, the Diaconesses-Croix Saint-Simon hospital group, 4 establishments of the Ramsay group and clinics of the Elsan group. The report includes two for the start of 2024: the Armentières hospital center in February, with a theft of data concerning 230,000 patients, and the Cannes hospital center (attack in April with exfiltration of 61 gigabytes of data).
Attacks can cost tens of millions of euros
The diagnosis established by the Court of Auditors is uncompromising. “The fragility of hospital information systems is due to their increasing complexity, measured in number of applications, without equivalent in other sectors of activity (up to 1,000 applications for the largest university hospitals) and to the chronic under-investment in digital technology,” the magistrates point out. With just 1.7% of their budget devoted to digital, compared to 9% in the banking sector, our hospitals are poor relations. And are exposed to growing computer piracy.
Even more worrying, only 7% of institutions have a full-time information systems security manager (CISO). Most perform other functions. A situation that is all the more worrying as the consequences of cyberattacks are devastating. “The cost to a hospital can reach 10 million euros for crisis management and remediation and 20 million euros for loss of operating revenue,” the report reveals.
France, at the top of the most attacked European countries
Faced with this growing threat, Europe is trying to react. The NIS 2 directive, adopted in December 2022, now imposes reinforced obligations in terms of cybersecurity. France, which has still not transposed this essential text, had until October 17, 2024 to do so. A bill was adopted in the council of ministers but the dissolution delayed everything.
This delay is extremely damaging even as our country appears to be the most affected in Europe by cyberattacks in the health sector in the broad sense (hospitals, laboratories, mutual health insurance companies, public health organizations or even pharmaceutical industries), according to the European Cybersecurity Agency (Enisa). The Court’s report mentions that over the period January 2021-March 2023, France recorded 43 incidents, followed by Spain (25), Germany (23), Italy (19) and the Netherlands (20).
The dissolution delayed the means
One statistic to put into perspective, however: our country has a mandatory incident reporting system that is older and more rigorous than its neighbors', and has a larger number of health institutions on its territory. These figures perhaps reflect more our capacity to identify attacks than any particular vulnerability.
The French state, however, did not remain inactive. The “Cyber-acceleration and resilience of establishments” (CaRE) program, endowed with 750 million euros over five years, was launched in 2023. “A catch-up program”, in the very words of the Court of Auditors, which nevertheless emphasizes that “this financial commitment is only assured until the end of 2024”. Here too, we must wait for the adoption of the budget by Parliament…
4,000 positions to fill but salaries too low
The reorganization of digital health governance, with the creation of a Digital Health Delegation (DNS), constitutes another positive signal. But the challenge remains immense: 4,000 cyber specialist positions are to be filled in a sector which is struggling to attract talent due to a lack of competitive remuneration. The salaries offered (between 3,300 and 4,600 euros) are half as high as in the private sector.
Territorial hospital groups (GHT) appear to be part of the solution. With 87% of GHTs now having a common Information Systems Department, the pooling of resources is progressing. But there is still a long way to go: only 47% of institutions have integrated their connected biomedical equipment into their IT security policy.
The pandemic has reminded us of the essential nature of our hospitals. Leaving them vulnerable to cyberattacks amounts to accepting a new form of health crisis, silent but just as devastating.
https://www.lepoint.fr/sante/pourquoi-les-hopitaux-francais-restent-les-cibles-privilegiees-des-cybercriminels-05-01-2025-2579223_40.php