Publications

Health care institutions: between sensitivity and insecurity of personal data

Published on 14 March 2023
Tags: cybersecurity, health data

400. That is the number of cyberattacks a French healthcare institution can face every day, according to Hélène Lherbette, head of digital services at the Narbonne Hospital Center. Fortunately, most of them are stopped by the security measures in place. But when one slips through, the consequences are severe, as the hospitals in Dax, Narbonne and Villefranche-sur-Saône found out this year.

Over the past decade, the cyber threat to the health care sector has grown dramatically, as has the sophistication of the attacks. Professionals and government alike recognize this new era. Every improvement brought by automation, interoperability and data analytics also widens the exposure to malicious cyberattacks.

Cyberattacks are of particular concern to the health care industry because they threaten not only the security of systems and information, but also patient health and safety.

According to Cedric O, Secretary of State for Digital Transition and Electronic Communications, “there were 27 major hospital attacks in 2020, there has been one per week since 2021.”

The National Agency for Information Systems Security (ANSSI) explains in a press release dated December 17, 2020 that “the number of cyberattacks has skyrocketed: the number of victims of cyberattacks has increased fourfold” between 2018 and 2019. More specifically, “during the Covid-19 pandemic, the number of attacks around the world against hospitals skyrocketed,” explains Saif Abed, a former physician turned cybersecurity consultant.

 

1. Why is the hospital sector particularly targeted?

Generally speaking, attacks succeed because of:

  1. Technical vulnerabilities (systems and applications that are not up to date, insufficient partitioning of systems and networks, lack of separation of uses);
  2. Lack of detection and reaction (no monitoring of information systems, no preparation for incident remediation and crisis management);
  3. Poor governance (insufficient password management policy, lax access rights management, lack of threat anticipation, uncontrolled remote working);
  4. Poor awareness (insufficient user awareness and maturity, insufficient financial commitment, lack of awareness at executive committee level).

While several factors explain the multiplication of ransomware attacks against hospital centers, university hospitals, clinics and other health care facilities, two stand out: a lack of means and the Covid-19 pandemic.

1) A lack of resources

Health care facilities often lack the resources to deploy costly cybersecurity defenses. In its Hospital Information Systems Atlas, the Ministry of Solidarity and Health points out that less than 2% of health care institutions’ total budget is spent on cyber defense.

Vincent Trély, president of the Association pour la sécurité des systèmes d’information de santé, additionally argues that “hospitals are prime targets for cybercriminals because it becomes more complicated to attack banks or high-tech industries, which have put millions into security.”

2) The Covid-19 pandemic

Health care institutions are “easy prey“, according to Frédéric Valletoux, president of the Fédération hospitalière de France, especially during the Covid-19 pandemic, when protecting the files and information they hold has not been the priority.

The attackers’ calculation is to increase the pressure on health facilities which, fearing paralysis as waves of patients arrive, are more likely to give in to blackmail and pay the ransom.

2. What are the risks involved?

1) Encryption of patient data and information

Ransomware is a contraction of “ransom” and “software”. Schematically, a ransomware attack combines two things: a vector that allows entry into an information system (for example an attachment in an email) and a malicious payload (the malware hidden in that attachment).

Whether it is an opportunistic attack (a fraudulent attachment mailed to a very large number of recipients) or a targeted one, the goal is to infect the hospital’s entire information system and ultimately paralyze every computer.

The next step is to encrypt all data reachable on the network: patient records, emails, the connected tools staff depend on, and so on.

Hospital services are increasingly digitized. When the information system is paralyzed by an attack, the entire hospital’s activity is affected.

For a health care institution, the main risk is therefore to patients’ lives: planned operations can no longer take place, and doctors seeing patients in consultation no longer have access to electronic patient records.

Ransomware is not the only threat, however; the spectrum of the cyber threat is broader. In ascending order of risk, there are also:

  1. Website defacements, which are not very sophisticated and generally not very serious;
  2. Distributed denial of service (DDoS) attacks, floods of traffic that can paralyze information systems;
  3. Social engineering attacks;
  4. The exfiltration and disclosure of data;
  5. The destruction and neutralization of data;
  6. Advanced persistent threats (APT), through which the attacker can remain in an information system for months or even years with great discretion.

2) The total paralysis of connected medical tools

According to Charles Blanc Rolin, Chief Information Security Officer (CISO) at the Moulins-Yzeure Hospital Center, interviewed by France Télévisions reporters, hackers are able to take remote control of connected objects found in patients’ rooms. This is the case of monitors that display a patient’s vital signs, but also of pacemakers, for example. It is possible to change the displayed heart rate and make the doctor think the patient is fine when that is not the case at all.

Similarly, anesthesia stations are highly connected and therefore highly exposed. The same goes for radiology and MRI machines, which are fully connected and may become unusable in the event of a ransomware attack.

3) Online disclosure of stolen data

This is a lever attackers use frequently. To make the healthcare facility give in and pay the ransom, the hackers threaten to publish online the data they were able to reach through the malware dropped on one of the facility’s computers.
Hackers can, for example, break into a health care facility’s system by sending a fraudulent email that an employee opens without suspicion. They can then view the latest exams performed. “They can access the patients’ names, their date of birth, the type of exam, and the date of the exam,” explains Charles Blanc Rolin.

For patients, the risk is then no longer so much to their health as the collateral consequences of such disclosures. For instance, if health data were disclosed, patients with certain conditions could face discrimination (at work, within their family) or see their chances of obtaining a mortgage diminish.

3. What solutions are there to prevent the occurrence of these risks?

First and foremost, back up all files so that attackers cannot hold them hostage. The “3-2-1” rule is a useful guide to an effective backup of your data:

3: keep at least three copies of your data and information.
2: store the backups on two different types of media, such as external hard drives or the cloud.
1: keep one of the three copies outside your facility.

Since ransomware encrypts everything it can reach, at least one copy should also be offline or otherwise unreachable from the production network, and restores should be tested regularly: a backup that has never been restored is not a backup.

In addition to backups, establish an IT charter and an information systems security policy available to all employees, so that they are informed on these topics. The CNIL recommends raising staff awareness of security risks; training sessions are therefore relevant to inform staff of the risks and the measures to follow.

myDPO, a tool created by DPO Consulting, helps raise awareness among healthcare facility teams through e-learning materials specific to the healthcare sector, developed by data protection consultants. Customized training can also be offered to staff.

Remote working increases the risk of cyberattacks. According to Jérôme Notin, Director General of cybermalveillance.gouv.fr, lockdown measures led organizations to open up access without adequate security measures. Good practices must therefore be disseminated within the institution, such as locking sessions after a period of inactivity.

On December 7, 2020, two private practitioners were sanctioned for not encrypting their personal laptops. As the CNIL notes, “in the absence of encryption, the medical data contained in the hard disk is readable in clear text by any person taking possession of this device (for example, following its loss or theft) or by any person improperly entering the network to which this computer was connected.”

In addition, access must be restricted to what is strictly necessary (employees should have access only to their own patients’ records, not to all records) and passwords must be changed regularly.

On October 26, 2020, the Italian supervisory authority fined a clinic €20,000 for failing to restrict access to patient files, which were freely accessible.

Similarly, the Norwegian supervisory authority fined a hospital €6,440 on October 22, 2020 for not having a security system in place for access to patient files. As a result, 118 employees had access to them without needing to. Moreover, these data were stored beyond the legal limit.

A financial penalty of €400,000 was imposed on July 17, 2018 on a Portuguese hospital for failing to manage access to its information system: doctors had access to all patient files regardless of their specialty.
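The access-restriction principle above, and the failure pattern behind the three fines just cited (every clinician able to open every file), can be expressed as a deny-by-default authorization check. The example below is added here and is not code from the original article or from any of the sanctioned institutions: it requires an active treatment relationship before clinical data is released, keeps the usual hospital “break-glass” exception for emergencies but flags it, and writes every decision to an audit log. The roles, user names and patient data are constructed for illustration.

```python
"""Deny-by-default access control for patient records.

Added example (not code from the original article): it models the rule
that a clinician may read only the records of patients under their care,
plus a "break-glass" exception for emergencies, and records every
decision so that unexpected access can be reviewed. All roles, names and
sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # assumed roles: physician, nurse, admin_staff, it


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    care_team: frozenset  # user_ids with an active treatment relationship


# Which record sections each role may read at all; anything not listed is denied.
ROLE_SCOPES = {
    "physician": {"clinical", "administrative"},
    "nurse": {"clinical", "administrative"},
    "admin_staff": {"administrative"},  # admissions/billing: no clinical data
    "it": set(),  # system administrators never read records through the app
}

AUDIT_LOG = []  # in a real system: append-only storage outside the app's reach


def authorize(user, record, section, break_glass=False):
    """Return (allowed, reason) for reading one section of one record.

    Default is deny; clinical data requires a treatment relationship;
    a break-glass access is allowed but flagged for human review.
    """
    if section not in ROLE_SCOPES.get(user.role, set()):
        allowed, reason = False, "role may not read this section"
    elif section == "clinical" and user.user_id not in record.care_team:
        if break_glass:
            allowed, reason = True, "break-glass access, flagged for review"
        else:
            allowed, reason = False, "no treatment relationship with patient"
    else:
        allowed, reason = True, "ok"

    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id,
        "role": user.role,
        "patient": record.patient_id,
        "section": section,
        "allowed": allowed,
        "break_glass": break_glass,
        "reason": reason,
    })
    return allowed, reason


def entries_needing_review():
    """Audit entries a CISO or DPO should look at: denials and break-glass use."""
    return [e for e in AUDIT_LOG if not e["allowed"] or e["break_glass"]]


# Constructed sample data: one patient, one treating physician.
PATIENT = PatientRecord("P-001", frozenset({"dr_martin"}))
DR_MARTIN = User("dr_martin", "physician")
DR_DUPONT = User("dr_dupont", "physician")  # same hospital, not treating P-001
CLERK = User("clerk_01", "admin_staff")
SYSADMIN = User("sysadmin", "it")

if __name__ == "__main__":
    print(authorize(DR_MARTIN, PATIENT, "clinical"))                    # allowed
    print(authorize(DR_DUPONT, PATIENT, "clinical"))                    # denied
    print(authorize(DR_DUPONT, PATIENT, "clinical", break_glass=True))  # allowed, flagged
    print(authorize(CLERK, PATIENT, "administrative"))                  # allowed
    print(authorize(CLERK, PATIENT, "clinical"))                        # denied
    print(authorize(SYSADMIN, PATIENT, "administrative"))               # denied
    for entry in entries_needing_review():
        print(entry["user"], entry["patient"], entry["reason"])
```

The point of the design is that the treatment relationship, not the role alone, is what opens a clinical record: a physician in another department is denied exactly like a clerk, which is the control the Portuguese and Norwegian authorities found missing. The audit log matters as much as the check itself, since break-glass use and repeated denials are what a DPO reviews to spot curiosity browsing.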

The CNIL also recommends enforcing rules when passwords are created. Preferably, passwords should contain:

  • at least 8 characters;
  • at least one digit;
  • at least one upper case letter;
  • at least one lower case letter; and
  • at least one special character or punctuation mark.

By way of illustration, on December 8, 2020 the CNIL sanctioned a company to the tune of €20,000 because it “did not require the use of a strong password when creating an account on its website or mobile application“.

As an alternative to memorizing long and complex passwords, a password manager can be useful. It builds a database of passwords encrypted under a single strong “master” password, so you only have to remember that one password, which unlocks all the others. The stored passwords can then be very long, very complex and all different, because the software remembers them for you.

There are solutions recognized for their security, such as KeePass, which has been evaluated and certified by the ANSSI, Zenyway and Passwordsafe.
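To make the composition rules above concrete, and to show why a manager-generated password beats a minimal “complex” one, here is an added example (not code from the article, from the CNIL or from any of the products named): a checker for the listed rules, an entropy estimate, and a generator of the kind a password manager uses. The entropy figure is an upper bound that only holds for passwords drawn uniformly at random; a human-chosen password such as `Passw0rd!` is far weaker than its number suggests. The 8-character minimum is the one quoted on the page.

```python
"""Password policy check and entropy comparison.

Added example, not from the original article or from the CNIL: it encodes
the composition rules listed above as a checker and compares the search
space of an 8-character "complex" password with that of a long random
password of the kind a password manager generates.
"""
import math
import secrets
import string

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

MIN_LENGTH = 8  # the minimum quoted on the page


def missing_requirements(password):
    """Return the list of rules the password fails (empty means it passes)."""
    chars = set(password)
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not chars & alphabet:
            failures.append(f"at least one {name} character")
    return failures


def meets_policy(password):
    return not missing_requirements(password)


def entropy_bits(password):
    """Bits of entropy if each character were chosen uniformly from the
    union of the character classes actually present in the password.
    This is an upper bound; human-chosen passwords are much weaker."""
    space = sum(len(alphabet) for alphabet in CLASSES.values()
                if set(password) & alphabet)
    return len(password) * math.log2(space) if space else 0.0


def generate_password(length=20):
    """Manager-style password: drawn with a CSPRNG over all classes and
    retried until it satisfies the policy, so every class is represented."""
    alphabet = "".join("".join(sorted(a)) for a in CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["password", "Abcdefg1", "Passw0rd!", generate_password()]:
        print(f"{pw!r:28} policy={meets_policy(pw)!s:5} "
              f"entropy~{entropy_bits(pw):.0f} bits  "
              f"missing={missing_requirements(pw)}")
```

Run as a script, the comparison shows an 8-character password over all four classes at roughly 52 bits at best, against about 131 bits for a 20-character manager-generated one; the generator uses `secrets`, not `random`, because the latter is not a cryptographic source.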

Website security audits and penetration tests (“pentests”) can be performed to detect security flaws and vulnerabilities in an institution’s systems.

On January 27, 2021, the CNIL fined a data controller €150,000 and a data processor €75,000 for having suffered “credential stuffing” attacks. The authority found that the companies had “delayed in putting in place measures to effectively combat these repeated attacks.”
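Credential stuffing replays username/password pairs leaked from other sites, so its signature in an authentication log is one source trying many different accounts in a short time, most of them failing. The detector below is an added example, not code from the article or from the CNIL decision: it runs over a constructed log, flags source IPs that fail against many distinct accounts inside a sliding window, and then lists any account that logged in successfully from that source after the burst began, since those are the credentials the attacker got right. The log format, the thresholds and the sample lines are assumptions.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the original article or from the CNIL
decision it cites. The log format, the thresholds and the sample lines
are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 replays a leaked list (seven accounts,
# then one success); 198.51.100.7 is a legitimate user mistyping a password.
SAMPLE_LOG = """\
2023-03-14T10:00:01Z ip=203.0.113.5 user=alice result=fail
2023-03-14T10:00:02Z ip=203.0.113.5 user=bob result=fail
2023-03-14T10:00:03Z ip=203.0.113.5 user=carol result=fail
2023-03-14T10:00:04Z ip=203.0.113.5 user=dave result=fail
2023-03-14T10:00:05Z ip=203.0.113.5 user=eve result=fail
2023-03-14T10:00:06Z ip=203.0.113.5 user=frank result=fail
2023-03-14T10:00:07Z ip=203.0.113.5 user=grace result=fail
2023-03-14T10:00:09Z ip=203.0.113.5 user=hugo result=success
2023-03-14T10:03:00Z ip=198.51.100.7 user=irene result=fail
2023-03-14T10:03:30Z ip=198.51.100.7 user=irene result=fail
2023-03-14T10:04:00Z ip=198.51.100.7 user=irene result=success
"""


def parse_line(line):
    """'<iso-timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5):
    """Flag source IPs whose failed logins hit >= min_distinct_users
    different accounts within `window`, plus every account that logged in
    successfully from such an IP after the burst began (likely compromised)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    alerts = []
    for ip, ip_events in by_ip.items():
        failures = [e for e in ip_events if e["result"] == "fail"]
        burst_start = None
        start = 0
        for end in range(len(failures)):  # sliding time window over failures
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in failures[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                burst_start = failures[start]["ts"]
                break
        if burst_start is None:
            continue
        alerts.append({"type": "credential_stuffing", "ip": ip,
                       "distinct_users": len({e["user"] for e in failures})})
        for e in ip_events:
            if e["result"] == "success" and e["ts"] >= burst_start:
                alerts.append({"type": "account_compromise", "ip": ip,
                               "user": e["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

Keying on distinct accounts per source rather than on failures per account is what separates stuffing from a user who mistypes their own password, which is why 198.51.100.7 is not flagged. In practice the response to the first alert type is rate limiting or a challenge for that source, and to the second a forced password reset for the account, which is the kind of “effective measure” the CNIL found lacking.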

Finally, on December 3, 2020, the Swedish supervisory authority fined seven hospitals a total of more than €4 million, having found their security measures insufficient given the sensitivity of the data processed.

4. How to react in the event of an attack?

The management of a cyberattack can be broken down into six steps:

  1. Prepare for a cyberattack by adopting procedures drafted by the CISO in conjunction with the Data Protection Officer, and a work organization suited to managing a security incident;
  2. Identify the occurrence of the incident and analyze the situation;
  3. Contain the attack to bring it under control and prevent it from spreading;
  4. Eradicate the causes of the incident;
  5. Restore the system to return to normal operations;
  6. Review how the incident was handled to improve the process.

You can also get in touch with the ANSSI, which will be able to assist you in restoring your information system.

In addition, the General Data Protection Regulation requires that the CNIL be notified within 72 hours of becoming aware of a data breach that poses a risk to the persons concerned (especially patients).

If the risk to them turns out to be high, you must also inform them of the attack and of the risk to their personal data as soon as possible, individually or publicly.

Finally, all security agencies recommend not paying the ransom: there is no guarantee that you will recover all your files even after paying, and paying funds the cybercrime ecosystem. France’s policy is therefore not to give in to ransom demands.

 

– Gabriel Privat