Far more specific than simple anonymized data, health-related data are particularly coveted by cybercriminals. Hospitals and other health organizations, for which this information is critical, have become prime targets for ransomware attacks. To prevent such attacks and protect health data, organizations must address their information systems' security and their data sovereignty at the same time. In France, the HDS (Hébergeur de Données de Santé) certification, issued by certification bodies accredited by Cofrac (the French Accreditation Committee), attests that a health data hosting service meets a defined set of security and compliance requirements.
In April 2020, the Italian social security system was the target of multiple cyberattacks that caused a major breakdown for several days, disrupting COVID-19 payouts. Hammersmith Medicines Research, a British company specialized in medical trials, was also hit by a ransomware attack in March of that same year. The consequences of cyberattacks can be even more serious when it comes to hospitals. "Imagine if this attack had not been stopped and had spread across all networks, making it impossible to access patients' personal data and medical records, to perform scans or use operating room equipment." With this statement, made on September 7, 2020, Florence Parly, French Minister for the Armed Forces, was referring to a major ransomware attack on the Sainte-Anne military hospital in Toulon, a city in the southeast of France and the country's most important naval base. The attack could have had disastrous consequences for the health of patients without the intervention of CALID (Centre d'analyse de lutte informatique défensive), the French armed forces' cyberdefense analysis center. Another case came to light in September 2020, when Düsseldorf University Clinic, a major hospital in Düsseldorf, fell victim to a cyberattack that took its IT systems down, forcing staff to divert patients to other facilities; a patient who had to be redirected died, a death that was at the time linked to the attack. For the first time, this case raised the question of patient safety and the risk to which patients are exposed during a hospital cyberattack.
The market value of medical data, far more specific than anonymized data, is rising sharply. Hospitals, already severely weakened, have seen cyberattacks against them increase by a reported 475% since the beginning of the health crisis. The cybersecurity of organizations handling medical data has therefore become a fundamental issue for patients.
Increasingly Connected Medical Devices
Hospitals face two major threats: the exfiltration of raw health data on the one hand, and the spread of ransomware across their information systems on the other. Hospital networks, made vulnerable by a lack of segmentation and by over-centralization, are further exposed by connected medical devices (IoT). Whether blood pressure monitors, insulin pumps or defibrillators, connecting medical equipment is a major advance for healthcare. But the same equipment becomes an entry point for attackers seeking to reach the information system: a compromised device on a flat network is a foothold from which ransomware can spread to clinical workstations and servers. The perimeter to defend now also extends to related applications such as patient-facing chatbots, appointment scheduling platforms and telemedicine tools.
To reduce the exposure created by connected devices, the healthcare sector must rely on a certified cloud. It must also reassert the sovereignty of data in transit by controlling the route the data take, so that they do not fall under legislation other than the European GDPR. To protect their infrastructures, CISOs (Chief Information Security Officers) must integrate the security issues raised by IoT into their roadmaps. To protect data and limit intrusions through IoT, experts recommend isolating connected devices in dedicated network segments (for example, separate VLANs with filtering between them), so that a compromised device cannot reach clinical workstations or servers directly; this remains all too rare in under-resourced public hospitals. Once the network is segmented, CISOs must remain vigilant and keep cybersecurity governance simple, deploying monitoring tools that analyze traffic on every segment and flag flows that the segmentation policy does not allow.
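The following is an added example, not code from the article or from any of the certification frameworks it mentions. It shows the two recommendations above in working form: a hospital network modelled as segments (medical IoT, clinical workstations, application servers), an allowlist describing which inter-segment flows are permitted, and a check run over flow records that flags anything crossing a segment boundary without authorization, such as a device trying to reach a workstation over SMB or pushing data straight to the Internet. Segment names, address ranges, allowed ports and the flow-record format are all assumptions made for illustration, and the flow records are constructed rather than captured.

```python
"""Segmentation policy check over constructed flow records.

Added example, not from the article. It models a hospital network split
into segments and flags inter-segment flows that the segmentation policy
does not allow, the kind of check a monitoring tool would run over every
segment once the network has been partitioned. Segment names, address
ranges, permitted ports and the flow-record format are assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical segments. Anything outside these ranges is treated as external.
SEGMENTS = {
    "medical-iot": ipaddress.ip_network("10.10.0.0/24"),   # pumps, monitors
    "workstations": ipaddress.ip_network("10.20.0.0/24"),  # clinical PCs
    "app-servers": ipaddress.ip_network("10.30.0.0/24"),   # EHR / telemetry
}

# Allowlist of (source segment, destination segment) -> permitted TCP ports.
# Devices may only push telemetry to the application tier over TLS, servers
# may reach devices on a management port, and no path exists between the
# IoT segment and clinical workstations (the usual ransomware lateral path)
# or from the IoT segment directly to the Internet.
POLICY = {
    ("medical-iot", "app-servers"): {443},
    ("workstations", "app-servers"): {443},
    ("app-servers", "medical-iot"): {8443},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src_ip dst_ip proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def is_allowed(flow: Flow) -> bool:
    """True if the flow stays inside one segment or is permitted by POLICY."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        # Intra-segment traffic is not filtered here: segmentation shrinks
        # the blast radius, it does not remove the need for host hardening.
        return True
    return flow.dport in POLICY.get((src_seg, dst_seg), set())


def find_violations(lines) -> list:
    """Return the flows that cross a segment boundary without authorization."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]


def violations_by_path(lines) -> Counter:
    """Count violations per (source segment, destination segment) path."""
    return Counter((segment_of(f.src), segment_of(f.dst))
                   for f in find_violations(lines))


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.10.0.15 10.30.0.5 tcp 443",    # pump -> telemetry server: allowed
    "10.20.0.40 10.30.0.5 tcp 443",    # workstation -> EHR: allowed
    "10.10.0.15 10.20.0.40 tcp 445",   # pump -> workstation SMB: violation
    "10.20.0.40 10.10.0.15 tcp 3389",  # workstation -> pump RDP: violation
    "10.30.0.5 10.10.0.15 tcp 8443",   # server -> pump management: allowed
    "10.10.0.15 203.0.113.7 tcp 443",  # pump -> Internet: violation
    "10.20.0.40 10.20.0.41 tcp 445",   # SMB inside the workstation segment
]

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {segment_of(flow.src)} -> {segment_of(flow.dst)}: "
              f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print(dict(violations_by_path(SAMPLE_FLOWS)))
```

Run against the constructed records, the check reports three violations: the device reaching a workstation over SMB, the workstation opening RDP towards the device, and the device sending data to an address outside every segment (the sovereignty concern above, since that route is not under the hospital's control). The last record, SMB between two workstations, passes because it never leaves its segment; that is exactly the traffic a flat network cannot distinguish from an attack, which is why segmentation has to be fine-grained and why this kind of network monitoring complements, rather than replaces, host-level detection.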
Certifications as a Guarantee for Data Protection
When choosing a technology partner, organizations can refer to certifications such as SecNumCloud or HDS in France. These attest that a provider has been audited against a defined set of security and compliance requirements. Let's look at how these certifications can help your organization choose a technology partner and protect its sensitive data.
The Health Data Hosting (HDS) certification is issued by certification bodies accredited by Cofrac, against a reference framework written for the specific requirements of the medical environment, and it supports CISOs in their work. The HDS certification requires the encryption of transmitted personal data as well as their traceability and reversibility: customers know where their data are stored and how they are used, and can retrieve them at the end of the contract or in the event of loss. This certification specific to the medical environment attests that the data of healthcare organizations are protected and secured. Hospitals can thus rely on a trusted cloud to manage digital medical records and to protect data in transit between connected devices and the hosting platform.
The HDS certification also comes with cybersecurity prerequisites, including the implementation, maintenance and continuous improvement of an ISMS (Information Security Management System) of the kind defined by ISO/IEC 27001. An ISMS provides the framework for ensuring business continuity and recovery in the event of a security incident, and for verifying that the processing of personal data complies with the GDPR.
Finally, the SecNumCloud Security Visa issued by ANSSI (the French National Cybersecurity Agency) allows public and parapublic organizations and private companies processing sensitive data to identify providers that meet the highest security, confidentiality and sovereignty requirements. In concrete terms, the SecNumCloud qualification validates the security measures implemented by the provider against a strict set of criteria; the protection and data processing measures in place are assessed through a series of audits conducted under ANSSI's authority.
Protecting the hospital network is essential, all the more so during a pandemic, when a cyberattack on intensive care units could have disastrous consequences. More than ever, the protection of healthcare organizations is a national issue. So make sure to look for the certifications relevant to your organization!