At the International Cybersecurity Forum, Anssi director Guillaume Poupard detailed the measures the agency has taken to raise the level of security in French hospitals.
"If French hospitals are attacked, it's because it's easy: their security is zero." In front of a well-filled room of cybersecurity professionals gathered at the International Cybersecurity Forum (FIC), Anssi director Guillaume Poupard does not mince his words.
During 2020, hospitals became the most symptomatic victims of the impressive growth in the number of cyberattacks. The reason? They are among the prime targets of ransomware, malware capable of paralyzing an entire computer network in order to extract a ransom.
The cybercriminals' reasoning is simple: hospitals have a strong incentive to pay the ransom, because if they fail to restart their computer system (and therefore a whole set of medical equipment) as quickly as possible, they can endanger their patients' lives.
"Before 2020, our hospitals didn't really believe in the threat; they thought they had better things to do with their money," Poupard regrets, "now they have understood that it is not just an Anssi fantasy." Vocal on many subjects, the director recalled the need to raise the level of security in the public sector, starting with local authorities and hospitals.
As early as February 2021, President Macron himself announced a plan to strengthen the cybersecurity of hospitals, a sign that the subject is now taken seriously at the highest level of power. A positive note in a more generally serious situation: between 2019 and 2020, the number of Anssi interventions with victims of ransomware attacks increased by a frightening 255%. This annual growth continues, with 60% more interventions in the first half of 2021. At the beginning of the year, the government noted one attack per week against hospitals.
Reinforcement of defenses
The United States, shaken by the Colonial Pipeline and JBS cases, recently adopted a more aggressive posture towards cybercriminals. For its part, Anssi does not intend to join the hunt for cybercriminals. "We will continue to say that the best defense is defense," Poupard recalls, in contrast to the famous saying.
To match words with deeds, Anssi has taken the lead thanks to the Network and Information Security directive (SRI in French, better known by the English acronym NIS), a European text transposed into French law in 2018. NIS allows the agency to designate "operators of essential services" (OSE), a status which complements that of "operator of vital importance" (OIV) introduced by the military programming law of 2013. Concretely, OSEs must submit to reinforced security obligations. For example, they must notify Anssi of any security incident, and accept audits and controls carried out by Anssi (or a certified partner). In short, it is a regulatory tool capable of forcing an increase in the security level of certain critical organizations.
“We do emergency medicine”
At the FIC press conference, Guillaume Poupard explained that in 2020 Anssi had given the OSE designation to 100 hospitals, while only 13 CHU (university hospitals) had received the OIV designation. The agency wanted to move from a posture of supporting health establishments to a much more directive one. "We did what we had never done before: we brought the establishments together and explained it to them. We had testimonies from establishments that had been victims, and from others that had already engaged in an OSE approach," the director says with satisfaction. In the absence of an immediate increase in organizations' security level, the legal tool allows the agency to make them accept higher security requirements. "We're going to have maybe 20% of these OSEs that are not going to do anything, that are going to hide and not apply the NIS directive. But I don't care, because we do emergency medicine: the important thing is the 80% who, thanks to the OSE designation, will use the regulations to progress," he specifies.
In the end, the goal of all these changes is to avoid a disaster scenario that has repeatedly been narrowly avoided. In September 2020, a German patient was turned away from a hospital in Düsseldorf that had been paralyzed by ransomware. Her ambulance was redirected to a nearby hospital a 30-minute drive away, but she died on the way. The police investigation ultimately ruled that her death was not directly related to the security incident, as the patient would have died either way. But it was the first time that we came so close to a death caused by a cyberattack.