Recently, I had the privilege of joining a panel as part of an initiative from the Cyber Peace Institute, highlighting the cybersecurity threat to healthcare. The panel was introduced by Madeleine Albright, the former US Secretary of State and included Robert Mardini, the Director-General of the International Committee of the Red Cross. I thoroughly recommend reading the paper and – if you are really feeling brave – watching the launch event and listening to me waffle.
One of the key drivers for this event has been the way that cyber actors, particularly ransomware gangs, have been targeting healthcare systems. Much of this activity has gained little publicity in the UK, and so I wanted to highlight how the cyber threat to healthcare has changed by looking at what has been happening in France.
For those of you who are not aware, France has a fully integrated network of public hospitals, private hospitals, doctors, and other medical service providers. It is a universal service providing health care for every citizen, irrespective of wealth, age, or social status.
According to the French cyber security agency, the National Information Systems Security Agency (ANSSI), ransomware attacks in France increased by 255% last year compared to 2019. Whilst not all these attacks were on healthcare, there were at least 27 significant cyber-attacks on French hospitals in 2020. According to the French government, the number of attacks has dramatically increased in 2021 with an average of a major attack against a hospital every week.
In mid-February, for example, hospitals at Dax and Villefranche-sur-Saône were hit by ransomware attacks. The attack and subsequent containment activity impacted patient records, surgical devices, medication management, appointments, and bed and doctor allocation. Patient operations were postponed, and some patients were moved to other hospitals, while hospital staff were forced to return to manual systems and paper-based methods such as hand-made service charts and appointment books.
France has attributed the attacks to criminal groups operating in Russia, China, Eastern Europe and North Korea. The attacks over the last few months have involved the Emotet, Trickbot and Ryuk malware, and unfortunately, these have not been the only recent high-profile cyber-attacks in France.
Arguably more worrying has been the posting online of highly sensitive confidential medical data for 500,000 French patients. The data would appear to have been stolen from 30 French medical laboratories, and the attackers are believed to have exploited Mega-bus, a piece of legacy medical administration software developed by the European company Dedalus, whose software is used in many countries around the world and was the subject of a ransomware attack in December 2020.
In trying to understand why there has been this increase in cyber-attacks in France, it is clear that:
- The Ransomware-as-a-Service criminal ecosystem has resulted in a dramatic increase in the number of ransomware attacks around the world. The success of such attacks against the US healthcare system in 2019, 2020 and 2021 has encouraged these criminal groups to focus on healthcare as a sector.
- Cybercriminals have been seeking to take advantage of the rapid telehealth upscale during the COVID-19 pandemic. This is because a key part of the response to COVID-19 has been to open hospital IT systems to facilitate teleworking and tele-consultations.
- The attackers have identified that the greater the pressure on the hospital system, the more likely it is that a ransom will be paid. Indeed, according to a leading French IT security expert, “If you’re a hospital director dealing with a COVID crisis and all of a sudden the information systems are blocked, maybe you would rather pay a hundred-thousand-euro ransom than deal with a hospital that cannot function for three or four days.” Payment of ransoms will have encouraged other attacks.
- It is also clear that the French healthcare system, like many others around the world, has suffered from underinvestment in its IT infrastructure. The resulting legacy systems are vulnerable to these attacks.
- A successful attack can result in further attacks. For example, details of French medical user accounts were stolen last year and are being sold on criminal forums, and this is likely to lead to more attacks.
- The healthcare supply chain is a critical target and will continue to be an important route into healthcare systems.
Lessons for the NHS
There are clearly lessons for the NHS. In the period since WannaCry, the NHS has made good progress in improving its cyber security. However, as we have seen, the cyber threat to healthcare has also changed. The NHS was collateral damage in WannaCry. Now, as the NHS Digital Cyber Security Operations Centre sees every day, there is an ever-increasing number of attacks specifically aimed at the NHS. Over the last 12 months there has been some great work between NHS Digital, NHSX, NCSC and regional NHS security teams to keep the NHS safe from these attacks during the pandemic, when it is under such enormous pressure. However, everyone involved in this work knows that we will have to continue to be really focused on cyber security if we are to avoid the sort of disruption that has been experienced in France.
John Noble is an advisor to Glasswall. He is also a non-executive director at NHS Digital, where he is responsible for overseeing cyber security and information assurance.