A total of €20m ($20m) additional funding to the French national cyber agency ANSSI has been promised to help improve the cyber-protection of the French health industry following a ransomware attack on the Centre Hospitalier Sud Francilien (CHSF) on August 24, 2022.
The funding was pledged by France’s Minister for Digital Transition and Telecommunications Jean-Noël Barrot and François Braun, Minister of Health, who visited the affected hospital on August 26, just days after the attack was made public.
The 1000-bed hospital, located 28 km from Paris, was hit by a $10M ransomware attack, adding to a growing list of French medical centers that have fallen victim to cyber-attacks in recent months.
“[The funding] is a good sign, but money isn’t everything,” Boris Lecoeur, Head of Cloudflare France, told Infosecurity Magazine. Lecoeur, who has prior experience with attacked healthcare providers, advised that the industry should walk away from the perimeter security approach and embrace Zero Trust.
Infosecurity Magazine spoke in more detail to Lecoeur about his experience, how hackers penetrate hospital systems and what healthcare providers should be doing to protect themselves for the future.
Infosecurity Magazine: Why do attackers increasingly target hospitals?
Boris Lecoeur: First, we’re noticing a global increase in cyber-attacks across all sectors – the health industry receives particular attention because of the critical aspect of the potential consequences.
Then, hospitals’ IT is generally very heterogeneous, with a mix of proprietary and/or industry-specific hardware and protocols (DICOM), and it is often unpatched. We’ve even seen obsolete pieces of software. For example, it was found that some of the UK’s NHS computers were running on Windows XP when the WannaCry ransomware made the news in 2017. This, and the ever-growing hybridity of locally hosted and cloud services, generally shared with suppliers, make it harder to efficiently maintain the whole IT system and operate traditional perimeter security.
Further, compared to industrial [OT] systems, which share this heterogeneity of devices and software and hybridity of connections, healthcare networks are much more connected to the internet, making them an easy target for attackers.
IM: Hospitals used to be red line cybercriminals didn’t dare cross. Why has this changed?
BL: I don’t quite know if this is for geopolitical reasons. Still, it seems like some hacker groups that previously declared healthcare providers off-limits are now targeting hospitals anyway. This is the case with LockBit, a ransomware group allegedly responsible for the CHSF hack and whose ransomware-as-a-service (RaaS) program's rules prohibit affiliates from encrypting the systems of healthcare providers.
From a purely financial point of view, there is no doubt that the critical aspect of healthcare systems makes it a very lucrative business to attack.
In many cases, hacker groups increasingly use double extortion methods, asking for money to decrypt the data and prevent the leak of this data on the internet. [First analysis by French media LeMagIT shows that one such method could have been used to encrypt the French hospital’s systems, using LockBit 3.0.]
IM: Based on your experience working with healthcare providers, what is the typical method used to hack the IT systems of a hospital?
BL: I don’t think there is much difference with other industries, to be honest. We found that 91% of all cyber-attacks begin with a phishing email. It is all corporate IT systems’ Achilles’ heel. Then, another increasing vector comes from VPN providers. Threat actors know that their use has been growing, especially since the beginning of the new working-from-home era, and VPNs are the first thing they scan in search of vulnerabilities.
Then, once the hackers have infiltrated the systems, they can do anything they like. Most hospitals would only have perimeter security in place, so it is tough to control what someone is doing once they’ve obtained the proper credentials. For instance, when we audited one of our clients in the healthcare industry, we realized that no application firewall was installed on the network. Once granted access, the threat actor can deploy trivial attacks such as SQL injection. They can also elevate their access with credential stuffing to access more sensitive data.
With such freedom, the hackers usually stick around for a few days to scan the network and launch the encryption process.
IM: Would you say the healthcare industry is behind in terms of security?
BL: I would certainly say so, at least as far as France is concerned. Most healthcare networks are still operated with an outdated perimeter security approach (anything inside the network is considered trusted). In an ultra-connected age, where threat actors are becoming experts in social engineering, this cannot stand anymore.
The healthcare industry is also behind in terms of cloud security adoption.
However, I am not trying to shame anyone. If you put yourself in the shoes of budget managers in a hospital, faced with investing in either new modern health equipment or patching the existing software, it’s not an easy choice. But now, cybersecurity must be among the budget priorities for this industry.
IM: What should be done to improve the cybersecurity of such critical infrastructure?
BL: First, security decision-makers must tackle the phishing issue with better email security. One possibility is to use cloud-native advanced email protection, a piece of software that will isolate each link the user opens and identify even the most sophisticated phishing attempts that go past the filters of Microsoft and Google services.
Then, security needs to be apprehended with a Zero Trust approach, including least-privileged access, context-based multi-factor authentication (MFA) and micro-segmentation.
This is for the big picture. Then, in terms of timeline, when healthcare providers reach out to us after being attacked, their top priority is to improve security on the application level (Web Application Firewalls, anti-DDoS and anti-bot solutions). We can then move on to deploy better, broader infrastructure security with help from cloud-based security solutions.
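As an added illustration (not code from the article, Cloudflare or ANSSI), the toy policy engine below contrasts the perimeter model criticised above, where anything inside the network is trusted, with a Zero Trust check built from the three elements Lecoeur lists; all roles, segments, addresses and requests are constructed.

```python
"""Added example: perimeter trust vs. a Zero Trust access decision.
All roles, network ranges, segments and requests are constructed."""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed hospital LAN + VPN range

# Least-privilege matrix: which roles may reach which micro-segment (constructed).
SEGMENT_ROLES = {
    "pacs-dicom": {"radiologist", "imaging-tech"},
    "ehr-db": {"clinician", "dba"},
    "billing": {"finance"},
}
# Segments holding patient data require step-up, context-based MFA.
STEP_UP_SEGMENTS = {"pacs-dicom", "ehr-db"}

@dataclass
class Request:
    user: str
    role: str
    src_ip: str
    segment: str
    mfa_passed: bool        # did this session complete MFA?
    managed_device: bool    # is the endpoint enrolled and patched?

def perimeter_decision(req: Request) -> bool:
    """Legacy model: valid credentials from inside the network are trusted everywhere."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET

def zero_trust_decision(req: Request) -> tuple:
    """Each request is judged on least privilege, device posture and MFA context."""
    if req.role not in SEGMENT_ROLES.get(req.segment, set()):
        return False, "role not authorised for segment"
    if not req.managed_device:
        return False, "unmanaged device"
    if req.segment in STEP_UP_SEGMENTS and not req.mfa_passed:
        return False, "step-up MFA required"
    return True, "allowed"

# Constructed scenario from the interview: phished credentials reused over the VPN.
REQUESTS = [
    Request("dr.martin", "clinician", "10.20.1.5", "ehr-db", True, True),    # legitimate
    Request("dr.martin", "clinician", "10.99.7.3", "ehr-db", False, False),  # attacker
    Request("dr.martin", "clinician", "10.99.7.3", "pacs-dicom", False, False),  # lateral move
]

def compare(reqs=REQUESTS):
    """Return (segment, perimeter verdict, zero-trust verdict) for each request."""
    return [(r.segment, perimeter_decision(r), zero_trust_decision(r)) for r in reqs]

if __name__ == "__main__":
    for seg, old, new in compare():
        print(f"{seg:11s} perimeter={old} zero_trust={new}")
```

The perimeter check passes all three requests because they come from the internal range, while the Zero Trust check allows only the legitimate one.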
IM: What do you make of the €20m injection to ANSSI to help level up healthcare network security?
BL: Given the scale of the problem, €20m doesn’t sound like much, but it’s certainly a good sign. We have noticed increasing cybersecurity funding across all industries in France these past few years.
However, money isn’t everything. When we have identified an issue, it is common to pour money into solving it. But there is so much to be done without spending a penny!
Organizations often have too many security solutions installed, which are complicated to configure and maintain and require a lot of time and resources. I think that’s what every CISO should start with.