
Hospital cyberattacks: what happens to your health data?



Imagine you are peacefully sorting your emails at home when one of them catches your eye: an email from a hospital you have not visited for three and a half years. It is not what we would call a ‘positive’ one. With a bead of sweat on your forehead, you read on. Here is the news: there was a data leak at the hospital you used to go to. You know it’s bad. But how bad?
Stay with us: we explain more about cyberattacks on hospitals and what happens to your stolen data.

Cyberattacks in hospitals are frequent, and their number is underestimated.

The figures for cyberattacks are not small. For example, in France in 2022, the total cost of successful cyberattacks against public institutions and private companies reached €250,000,000,000, according to a study by Asterès.
Another attack hit the Armentières Hospital Center in the north of France during the night of February 10th this year. The hospital had to temporarily close its emergency department to reorganize patient arrivals and treatments. All the computers were switched off after a ‘ransom demand’ message was sent through the hospital’s printers. Patients were moved to another hospital. The maternity service was less affected by this cyberattack, but 130 files had to be printed to follow up the care of 130 patients. Records that could have been stolen.
It impacted the hospital for 3 days. 

Sometimes insurers even refuse to cover surgeons who operate without the patient’s record available.
Hackers use different methods to attack, but the most common is phishing (a text message or email is sent, encouraging the person to click on a fraudulent link or to download a file containing malware). Or they can come into the hospital in person and leave an infected USB key somewhere, for someone to pick up and try out of curiosity.
Then? They could take control of the healthcare centre’s services, monitor its activities, encrypt its data, or steal it.

These cyberattacks are frightening for those who live through them, but also for the affected patients once they learn what could happen to their data.

What happens after a cyberattack?

The hospital usually has to respond to the ransom demand, but public hospitals have no legal right to give money to hackers (the French CNIL’s recommendation is not to pay, as data recovery is not guaranteed). The hospital then verifies the security of its IT systems and analyses the attack in detail to set restoration priorities, with the help of ANSSI (the national agency in charge of information systems security).

The CNIL also warns hospitals whose EHR is not secure enough, requesting corrective measures for their data processing. Special confidentiality measures can be required for patients from penal institutions.

An important point concerns the tracking of EHR access. Knowing who logged in, when, and what that person accessed is essential. These accesses need to be reviewed regularly to spot fraudulent use of the software.
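One way to run such a regular access review, as an added example that is not part of the original article or of any vendor's product: it scans a constructed audit log for accesses outside the care relationship, outside working hours, exports, and unusually many records per day. The log format, the `CARE_TEAM` mapping and both thresholds are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not a real EHR export): who, when, which record.
SAMPLE_LOG = """timestamp,user,patient_id,action
2024-03-04T09:12:00,dr_martin,P001,view
2024-03-04T09:40:00,dr_martin,P002,view
2024-03-04T14:05:00,nurse_lee,P001,view
2024-03-05T02:17:00,clerk_roy,P003,view
2024-03-05T02:18:00,clerk_roy,P004,view
2024-03-05T02:19:00,clerk_roy,P005,export
2024-03-05T02:20:00,clerk_roy,P006,view
2024-03-05T10:30:00,nurse_lee,P007,view
"""

# Assumed care-team assignments: the records each account is expected to open.
CARE_TEAM = {
    "dr_martin": {"P001", "P002"},
    "nurse_lee": {"P001"},
    "clerk_roy": set(),
}
WORK_HOURS = range(7, 20)   # assumption: 07:00-19:59 is normal activity
MAX_RECORDS_PER_DAY = 3     # assumption: review threshold, tune per role


def review_access_log(log_text, care_team=CARE_TEAM):
    """Return {user: sorted reasons} for accounts that need manual review."""
    findings = defaultdict(set)
    per_day = defaultdict(set)  # (user, date) -> distinct records opened
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        user, patient = row["user"], row["patient_id"]
        if patient not in care_team.get(user, set()):
            findings[user].add("no_care_relationship")
        if when.hour not in WORK_HOURS:
            findings[user].add("off_hours")
        if row["action"] == "export":
            findings[user].add("export")
        per_day[(user, when.date())].add(patient)
    for (user, _day), patients in per_day.items():
        if len(patients) > MAX_RECORDS_PER_DAY:
            findings[user].add("high_volume")
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, reasons in review_access_log(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(reasons)}")
```

A flag here is a prompt for a human to check the access against the clinical context, not proof of misuse: night shifts and emergency cover will legitimately trigger some of these rules.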

What are the consequences for your personal data after a cyberattack?

Several consequences can follow, and none of them are good…

  • You could receive a tremendous amount of daily spam emails or calls from unknown numbers,
  • Your personal information is publicly displayed on the internet (first name, last name, social security number, medical information such as cancer, genetic diseases, consultation summaries, biological exam results, pathologies, …),
  • Your bank details are used for all types of purchases,
  • Your information is sold on the black market for a significant amount of money (€200 per health record),
  • Your stolen passwords are used to launch another attack…

Healthcare data is the new gold. The more data you get, the more money you can get out of it.
And the more pathologies a patient has, the more valuable their data will be!

With this data, you could create new treatments, accelerate drug marketing, do predictive medicine, improve diagnosis, etc.

The more value to get, the more money at stake! The first person to find the new treatment for this or that disease will win the market, for instance.
For that reason, it is not just important but mandatory for an EHR to provide highly secure health data storage that complies with a country's evolving legal regulations.

And it’s exactly what @Galeon does with its EHR solutions and its HDS and ISO 27001 certifications. 
