Cyberattacks in Healthcare: insights with Stéphane Duchesne
Cyberattacks, already among the top five global risks in 2020, have increased by a staggering 600% since the onset of the COVID-19 pandemic. This alarming trend has left both the public and private sectors grappling with attacks that grow more devastating each time. As the final months of 2023 approach, it is worth reflecting on the measures the healthcare industry has implemented to reduce these risks.
The rising tide of cyberattacks in healthcare
The year 2022 saw an unsettling rise in cyberattacks directed at the public sector, leaving institutions, including hospitals, paralyzed. Financial and personal information was increasingly compromised, with ransom demands escalating. The European Union Agency for Cybersecurity (ENISA) reported that between July 2021 and July 2022, a significant 24.21% of global cyber incidents were aimed at the public sector. The situation in France mirrored this global trend, with hospitals alone registering 730 such breaches in 2022. Particularly striking was the multifaceted assault on Corbeil-Essonnes Hospital. On August 20, 2022, the hacker group Lockbit 3.0, primarily Russian-speaking, unleashed a massive data breach, dumping more than 11 gigabytes of personal information onto the darknet.
At the same time, they launched a crippling distributed denial-of-service (DDoS) attack that jeopardized critical hospital software, patient-management databases, and vital imaging systems. Despite a ransom demand of 10 million dollars, the hospital, in line with the French government’s stance, refused to pay. Recovery was protracted; a full return to normal operations was only announced in November.
The proactive response of Reunion Island’s University Hospital
In February 2023, the European University Hospital of Reunion Island, a French territory in the Indian Ocean, faced a serious cyberattack. The consequences could have been dire, endangering many patients on this remote island. Yet the institution’s cybersecurity chief identified and stopped what appeared to be a ransomware attack in its early stages. The hospital, which treats over 190,000 patients annually, remains vigilant and keeps strengthening its defences against future threats.
How did the attackers penetrate the hospital’s defences? How did the cybersecurity team detect the intrusion, and what protocols exist for similar breaches in public health facilities? Stéphane Duchesne, head of Information Systems Security and Data Protection Officer at Groupement Hospitalier de Territoire La Réunion, addresses these questions in the discussion below.
What transpired on February 5th?
On the evening of February 5th, a Sunday, we monitored our systems remotely from home. During this time, we identified a suspicious activity within our Active Directory (AD), a database and suite of services linking users to network resources. Even though our hospital, with its 7,400 professionals, receives multiple alerts daily, this particular alert was alarming because it pertained to a critical part of our infrastructure. This component could connect to another system controlling doors, elevators, and other functionalities. The implications of unauthorized access to this system could have been catastrophic.
How did you respond to this?
Our immediate action was detection, followed by a swift response. We prioritized isolating the compromised segment of our system and began the process of restoring the affected areas. During this time, we advised our healthcare professionals to refrain from digital healthcare activities such as teleworking, tele-expertise, and telemedicine. This remediation and restoration process extended over several weeks. Simultaneously, we ensured that all stakeholders, including our staff and the public, were kept informed, especially since the full implications of the cyberattack were still unknown. The isolation procedure took several days, considerably impacting the digital-dependent professionals at our institution.
For how long were the services affected?
The services weren’t entirely halted; however, we had to significantly reduce digital operations for about three weeks. Those working remotely were requested to return to the hospital premises. Our tele-expertise services for Mayotte (a French island in the Mozambique Channel) had to be temporarily suspended.
Were you able to trace the origin of this cyberattack, and do you understand their motivations?
Up to now, the exact identity of the attackers remains elusive. However, it’s evident that their primary intent was to deploy ransomware on our systems. Fortunately, we could thwart this attempt and didn’t succumb to data theft or secondary attacks on our partners. Interestingly, our investigation traced the initial breach back to the personal computer of an individual associated with the hospital.
Did you experience stress? How did you manage this crisis situation?
While I remained relatively composed, the situation undoubtedly placed significant pressure on my team. Over ten people were continuously engaged during the initial three weeks post-breach, accumulating over 500 extra working hours. Our primary focus was on thoroughly inspecting the entire infrastructure to ensure no isolated parts remained infected.
What were the repercussions of this breach?
The cyberattack had multifaceted impacts:
Disruption in patient care and overall hospital activity.
Mismanagement of medical on-call duties and general operations.
Suspension of particular services provided by external partners following our public communication about the attack.
Identification of shadow IT systems.
Preventive disconnection of Remote Desktop Services affecting teleworking and medical on-call duties.
Several service disruptions with external service providers after publicly communicating about the attack. We are maintaining internet restrictions until further notice.
What was the financial implication for the hospital?
Fortunately, we did not have to pay a ransom, unlike the hospital of Corbeil-Essonnes in the south of Paris, which ended up spending nearly a million euros on unidentified hackers presumably based in Russia. Our additional investigative costs amounted to 25,000€, and the repair costs for the Active Directory totalled around 45,000€. Although this was initially planned, we also invested 740,000€ in new security platforms. The exact financial losses due to halted operations remain unassessed.
Having adeptly managed this crisis without data loss or ransoms, would you say the situation is entirely resolved? What advice would you offer to healthcare institutions under a cyber threat?
While we’ve made substantial progress, we are still in the remediation phase, which may extend into 2025. This is primarily due to integrating a new surveillance system and fortifying our compromised AD. I liken cybersecurity to cooking—the right balance of ingredients, continuous learning, and adapting. For healthcare institutions facing cyber threats, I’d advise:
Prioritizing detection capabilities. With hackers evolving as fast as technology, early detection is paramount, irrespective of how robust your defences are. Also, responding swiftly, especially by isolating the compromised entry points.
Investing in continuous training and staying updated on the latest cyber threats is another. Consolidating data in secure, accessible servers: for instance, 95% of our data is stored locally at the University Hospital of Reunion Island.
Recognizing that threats can come from interconnected systems, including utilities, connected devices, and integrated biomedical tools. And regularly conducting mock cyber-attacks or drills to gauge and improve response strategies.
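The interview describes the incident being caught through an alert on Active Directory activity and recommends prioritizing detection. The following is an added example, not the hospital’s tooling and not part of the original interview, of what a few such detection rules look like when run over event records. It uses real Windows Security event IDs (4728/4732/4756 for a member added to a security group, 4672 for a logon granted special privileges, 4625 for a failed logon), but the one-line log layout, the group and host allow-lists, the business-hours window, the threshold and every sample record are constructed assumptions for this example.

```python
"""Added example: simple detection rules for suspicious Active Directory
activity, run over CONSTRUCTED event records (not real hospital logs).
The one-line-per-event layout below is an assumed, simplified format,
not native Windows EVTX."""
import re
from datetime import datetime

# Windows Security event IDs (real, documented by Microsoft).
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # member added to global / local / universal security group
SPECIAL_LOGON = 4672                      # logon granted administrator-equivalent privileges
FAILED_LOGON = 4625                       # account failed to log on

# Assumptions for this example; a real deployment takes these from its own allow-lists.
HIGH_VALUE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ADMIN_HOSTS = {"ADMIN-WS-01", "ADMIN-WS-02"}   # hosts where privileged logons are expected
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59, Monday to Friday
FAILED_LOGON_THRESHOLD = 5                     # failures per (user, host) before alerting

LINE_RE = re.compile(r"^(\S+T\S+) id=(\d+) user=(\S+) host=(\S+)(?: (.*))?$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"


def parse_line(line):
    """Parse one event line into a dict, or return None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, user, host, rest = m.groups()
    extra = {k: (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(rest or "")}
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "user": user, "host": host, **extra}


def out_of_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(lines):
    """Apply the rules to an iterable of event lines.

    Returns a list of (rule, user, host, timestamp) findings in log order.
    Malformed lines are skipped rather than aborting the whole batch."""
    findings = []
    failures = {}  # (user, host) -> count of 4625 events seen so far
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        when = ev["ts"].isoformat()
        if ev["id"] in GROUP_MEMBER_ADDED and ev.get("group") in HIGH_VALUE_GROUPS:
            # Someone was added to a high-value group: always worth a look.
            findings.append(("privileged_group_change", ev["user"], ev["host"], when))
        elif ev["id"] == SPECIAL_LOGON:
            if ev["host"] not in ADMIN_HOSTS:
                findings.append(("privileged_logon_unexpected_host", ev["user"], ev["host"], when))
            elif out_of_hours(ev["ts"]):
                findings.append(("privileged_logon_out_of_hours", ev["user"], ev["host"], when))
        elif ev["id"] == FAILED_LOGON:
            key = (ev["user"], ev["host"])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAILED_LOGON_THRESHOLD:   # alert once, at the threshold
                findings.append(("password_guessing", ev["user"], ev["host"], when))
    return findings


# Constructed sample records (5 February 2023 was a Sunday); not real log data.
SAMPLE_LOG = """\
2023-02-05T02:30:00 id=4672 user=admin.ops host=ADMIN-WS-02
2023-02-05T21:14:03 id=4624 user=j.doe host=PC-HOME-17 logon_type=10
2023-02-05T21:14:09 id=4672 user=j.doe host=PC-HOME-17
2023-02-05T21:15:40 id=4728 user=j.doe host=DC01 group="Domain Admins" member=svc-backup
2023-02-05T21:16:00 id=4625 user=svc-backup host=PC-HOME-17
2023-02-05T21:16:02 id=4625 user=svc-backup host=PC-HOME-17
2023-02-05T21:16:04 id=4625 user=svc-backup host=PC-HOME-17
2023-02-05T21:16:06 id=4625 user=svc-backup host=PC-HOME-17
2023-02-05T21:16:08 id=4625 user=svc-backup host=PC-HOME-17
2023-02-06T09:02:11 id=4672 user=admin.ops host=ADMIN-WS-01
this line is not an event record"""

if __name__ == "__main__":
    for rule, user, host, when in detect(SAMPLE_LOG.splitlines()):
        print(f"{when}  {rule:<34} user={user} host={host}")
```

On the constructed sample the rules raise four findings: a privileged logon on an approved workstation but on a Sunday night, a privileged logon from a host that is not an admin workstation, an addition to Domain Admins, and a burst of failed logons that reaches the threshold. The Monday-morning privileged logon from an approved host raises nothing, and the malformed last line is skipped. Each rule is deliberately a plain allow-list or threshold so that it can be read and tuned by the people who know the environment, which is what makes early detection actionable.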