The parallel seems an easy one to draw, but that does not make it any less true. Behind the Covid-19 pandemic lurks another affliction, less deadly but just as insidious: the spread of “ransomware” attacks, which have hit hospitals in several countries since the health crisis began.
The epidemic has infected hospital units in France, the US and the UK, and most probably other countries as well. The scenario is almost always the same: the attackers gain access to the facility’s IT system, encrypt its data, and then demand money to make the data available once again. The hospitals suffer: IT systems are disabled or corrupted, operations and consultations are cancelled, medical teams have to resort to using pen and paper, etc.
The spectacular increase in the number of cyberattacks over the last few years is not limited to the healthcare sector. As Ivan Fontarensky, a cyberdefence expert at Thales, explains: “Between October 2019 and October 2020, there was a twenty-fold increase in ransomware-based cyberattacks.”
Along with attacks carried out by activists and cyberterrorists, and state-sponsored threats, ransomware strikes represent one of the main threats – if not the main threat – out there today. “It’s far less risky than robbing a bank, doesn’t require exceptional technical skills and, ultimately, turns out to be very effective,” acknowledges Ivan Fontarensky. “The victims pay to get their data back and to avoid having it divulged. Over time, it has become a full-blown business, operated by people whose methods are becoming more and more professional – buying and selling lists of IP addresses, for example.”
Are hospitals a preferred target for this new breed of hostage-takers? Ivan Fontarensky is not so sure. These types of attacks are automated; the cybercriminals do not necessarily know what systems they are getting into before the attacks begin. Once the system is breached, however, they do know, and they can choose not to launch the data encryption process. “During the first lockdown, a group of cyberattackers announced that they had called off an attack when they realised that the target was a hospital.”
Although hospitals may not be targeted specifically, they are nonetheless relatively easy prey. Their IT systems are extremely complex, often poorly structured and inadequately protected. “They also face a difficulty that is specific to the health sector,” adds Ivan Fontarensky. Scheduling constraints and a heavy workload, particularly during this pandemic, make it very difficult to separate work life and home life, and medical staff often use the same devices for both, or bring their personal computer into work. If one of them gets exploited, the malware can spread to the whole hospital.
Safety measures and prevention
So how can this epidemic and its devastating effects be prevented? “First of all, just as with the Covid-19 pandemic, safety measures must be taken,” says Ivan Fontarensky. “Warning people about using devices for both work and personal business, making sure computers are fully updated, carrying out backups, and setting up the right procedures to ensure that an IT system can be recovered.”
Above all, defence mechanisms need to be put in place as far upstream as possible, in order to prevent these attacks from happening. Prevention means, for instance, helping organisations build secure architectures, isolate the different systems to avoid the spread of infection, be resilient in the event of an attack and, most importantly, be able to detect that attack, for example with sensors that monitor traffic at all times.
This is what Thales’s 2,000 cybersecurity experts around the world work on every day. “Of course,” Ivan Fontarensky admits, “protecting against this new kind of hostage taking costs time, energy and money. But any organisation – large or small – is a potential target, and has been, or will be, attacked, and the consequences for victims are severe. However, it’s not a foregone conclusion. We have both the technology (products, procedures and so on) and the human expertise to combat these cybercrimes, and even to prevent them.”