In a report published on January 3, 2025, the Court of Auditors drew up an assessment of cyberattacks targeting French hospitals between 2019 and 2023. During these four years, healthcare establishments located in France suffered an unprecedented wave of computer attacks.
In 2023, 10% of victims of cyberattacks were hospitals, underlines the Court of Auditors, relaying the conclusions of the National Agency for the Security of Information Systems (Anssi). Very often, the offensives are orchestrated by hackers specialized in ransomware. These have hacked more than 30 establishments in two years. Cyberattacks take "mainly the form of 'compromises' of the information system, i.e. violations of databases and confidential codes", explains the Court.
Obsolete equipment and restricted budgets
To explain the explosion of cyberattacks against hospitals, the Court of Auditors first points the finger at the "vulnerability of information systems", considered fragile, too complex and outdated. According to the report, 20% of equipment is obsolete. This vulnerability mainly results from "chronic underinvestment in digital technology". Mirroring French communities, hospitals do not invest enough money in their infrastructure to protect themselves from hackers.
As the report highlights, cyberattacks have serious consequences "on the operation of healthcare facilities and on patient care". It is not uncommon for a cyberattack to force a hospital to disrupt its activities, cancel operations or transfer patients to other facilities. This is obviously a danger to patients’ health.
The report takes as an example the cyberattack on Armentières hospital in early 2024. Claimed by Lockbit hackers, the attack forced the establishment to redirect its patients to other structures, while the emergency room remained closed for three days to “guarantee patient safety” and allow the damaged systems to be repaired.
As part of their intrusion, the cybercriminals stole sensitive medical data from 230,000 patients using their ransomware. We will also remember Lockbit’s offensive against the Cannes – Simone Veil hospital last April, which forced administrators to postpone “non-urgent scheduled activity” and “non-urgent consultations”. Here again, medical data was stolen.
The report also mentions a cyberattack that paralyzed a French hospital and reduced its activity in surgery and obstetrics by 20%. It took the clinic 18 months to rebuild the information system. During this time, the manual management of care caused serious delays and errors.
The colossal cost of cybercrime
In addition, the financial jurisdiction indicates that the rise of cyberattacks has cost a fortune to the French health system. Computer intrusions, which are generally accompanied by data theft or the blocking of infrastructures, cause the affected hospitals to lose a lot of money.
Among the biggest expenses of the establishments that find themselves in the sights of the hackers is the "reconstruction of the information system". Hospitals have to pay out large sums to restart their IT infrastructures, paralyzed by a virus. These expenses cover the reconstruction of the network, the recommissioning of all publishers and associated software, or even subcontracting costs for certain activities that have been stopped.
For example, the Armentières hospital suffered losses estimated at two million euros. This amount includes all costs related to crisis management, corrective measures and the reduction in the hospital's revenue. For its part, the Dax hospital center injected 2.3 million euros to recover from an intrusion that occurred in 2021. Finally, the Versailles hospital center, victim of a cyberattack in 2022, reports a loss of 20 million euros in revenue.
A late reaction
The Court of Auditors regrets that the public authorities have reacted with considerable delay to the problem posed by cyberattacks. A prevention and protection programme, financed to the tune of 750 million euros, was in fact launched in 2023 in order to strengthen the security of hospital information systems. Although it is a little late, this programme must be maintained, the court believes.
Furthermore, the Court recommends creating a national group of experts to assess financial losses in the event of major cyberattacks and to propose, if necessary, strong measures, such as the removal of certain administrative obligations for the most affected hospitals. The report also calls for additional financial measures to be decreed.
Source: Cour des Comptes