Over the past year, hospitals in multiple cities and towns across France have been the target of ransomware attacks by unknown adversaries. Within the last ten days, two more French hospitals – the Villefranche-sur-Saône hospital complex in the southwest Landes Département, and the Dax hospital in the eastern Rhône Département – suffered ransomware attacks, and a third hospital in the Dordogne Département preemptively broke connections with an information technology provider.
Neither of the two most recent cyberattacks appeared to have resulted in any harm to patients. The French Ministry of Health, however, stated that the attack on the Dax hospital had “paralysed . . . almost all information systems” in the hospital, and the Villefranche hospital reported that the attack on it “strongly impact[ed]” three of its locations.
This recent spate of ransomware attacks in the French healthcare sector may constitute a significant change in targeting by ransomware criminal groups. As recently as December 2020, the German Federal Office of Information Security and the French National Agency for the Security of Information Systems (ANSSI) issued a joint report stating that “the overall threat level for a cyber-attack on the healthcare sector has not risen above levels observed before the COVID-19 pandemic.”
In response to the latest cyberattacks, on February 18 French President Emmanuel Macron publicly stated that the attacks had put the hospitals in a position of “vulnerability.” He called cybersecurity a “priority,” and promised to accelerate cyberdefense measures that reportedly include “boosting police and judicial cooperation, earmarking around €500 million ($600 million) to help companies and public authorities boost their cyber defences, and funding research and development.” He also noted that later in 2021 he would open a new cyberdefense center in Paris’s financial district, to be staffed by 1,500 researchers and others working for private firms or for the government.
These latest reports should come as no surprise to information security officers in the healthcare sector. Last October, the New York Times reported that Russian hackers had been trading a list of more than 400 hospitals that they planned to target. Even before the latest French hospital attacks, the Wall Street Journal reported this month that hackers “are increasing their attempts to break into health-care companies.”
While COVID-related financial pressures may have made it exceedingly difficult for many hospitals to fund cybersecurity improvements, it is imperative for hospitals to bolster their cyberdefenses, particularly against ransomware attacks, while they can. Although no hospital patient has yet died as a direct result of ransomware-caused loss of electricity or system functionality, hospitals need to understand that ransomware groups are indifferent to the possibility that their attacks may one day result in such deaths.