A strategy for better defense: this is what a recent report, published in June 2024 by the National Agency for the Performance Support of Healthcare and Medical-Social Institutions [ANAP], proposes.
Cyber Risk: A Formidable Threat to the Healthcare Sector
The danger of cyberattacks lies not only in the compromise of sensitive patient data — particularly health information — but also in the disruption of essential services. A cyberattack can paralyze daily operations, thereby jeopardizing the continuity of care and patient safety.
Phishing attacks lead the list of malicious acts, with a sharp increase recorded in 2022 compared to 2021. The report also highlights incidents involving information system compromise, ransomware, and viruses, among others.
Cyber Risk: A Challenge the Healthcare Sector Can Manage
To limit the impact of cyberattacks, it is first and foremost necessary to understand one’s own vulnerabilities: risk analysis is therefore a crucial prerequisite. The report notes in particular that ANSSI [the French National Cybersecurity Agency] offers exercises designed to help stakeholders identify security vulnerabilities.
The ANAP report also proposes several measures to mitigate cyberattacks, organized around three main areas: IT security hygiene, incident response, and the resources to be mobilized.
- IT security hygiene: Institutions must adopt basic security practices that are often overlooked. These include network segmentation; identity and access-rights management via Active Directory (AD), which the report describes as “a directory service that lists all individuals authorized to access the information system”; access control; timely patching of IT systems; and phishing awareness training.
- Incident response: The key elements are responsiveness, thorough knowledge of the information system (IS), and the establishment of a Security Operations Center (SOC) that provides real-time monitoring of systems, threat detection, and rapid response.
- Resources to be mobilized: The ANAP emphasizes that “the roles of DPO [Data Protection Officer] and CISO [Chief Information Security Officer] must neither be held by the same person nor be subordinate to the IT department, in order to preserve their independence”; these two stakeholders must nonetheless work closely together. The ANAP also mentions another role, the cybersecurity ambassador: someone with no formal responsibility for IT security who, after being trained by the CISO, promotes best practices within teams and thereby acts as a liaison for the CISO.
Cyber Risk: An Adversary Addressed by Regulation
Since data protection is central to the challenges of managing cyberattacks, ANAP, citing the GDPR [General Data Protection Regulation], highlights the requirements related in particular to:
- The hosting of health data in secure environments – HDS facilities [Health Data Hosts]
- Notification of personal data breaches within 72 hours to the competent supervisory authority – the CNIL [French National Commission on Informatics and Civil Liberties]
- Data transfer between facilities/professionals via secure messaging systems – the MSS [Health Security Messaging Systems]
The report also describes the role of CERT Santé as the reporting portal, and the obligation to report to it “without delay any serious cybersecurity incidents affecting the safety of care, the integrity or confidentiality of data, or the normal operation of a facility” [as a reminder: see Articles L.1111-8-2 and D.1111-16-2 et seq. of the French Public Health Code].
Furthermore, the ANAP addresses the NIS 2 Directive [Network and Information Security], whose provisions Member States must transpose into national law by October 2024, in that it requires, in particular, strong authentication “for access to the most sensitive data, such as electronic health records or software at the core of the hospital information system,” according to the report.
Finally, it should be noted that cyberattacks are also addressed under criminal law, and that related complaints are handled in particular by highly specialized teams such as the Cybercrime Section [J3] of the Paris Public Prosecutor’s Office and the Cybercrime Unit [BL2C].
Written by Lorena Goudenège