Public sector and healthcare data under cyber attack - DEEP
As database experts, we sometimes witness attacks on the data stored on our customers' databases. Since 2021, we have seen an increase in these attacks, with an average of one security incident per month reported by our customers.
Public Sector and Healthcare Sector Facing Cyberattacks
According to ANSSI, local authorities account for 19% of all entities affected by ransomware attacks in incidents handled by ANSSI in 2021. Public Health Establishments represent 7% of entities victimized by such attacks.* In total, 30% of local authorities have already fallen victim to ransomware.** In 2020, reports of ransomware attacks increased by 3.5 times compared to 2019. All local authorities are affected, regardless of their size.*** Furthermore, the healthcare sector appears to be increasingly affected, as reports of incidents more than doubled between 2020 and 2021, according to the Security Incident Reporting Observatory for the healthcare sector.
Data Security Challenges in the Public Sector and Healthcare
Local authorities are undergoing a profound digital transformation aimed at meeting regulatory obligations as well as citizens' needs. Increasing dependence on information systems and the heterogeneity of the size of municipalities and authorities create certain vulnerabilities.****
Health data, in particular, are considered sensitive under GDPR. The CNIL defines them as "data related to the physical or mental health, past, present, or future, of an individual (including healthcare services) that reveal information about that person's health condition."***** These factors partially explain the statistics above, as well as recent headlines about security incidents occurring in hospitals or, more broadly, in the public sector.
Public and Healthcare Sector Data: Prime Targets for Cybercriminals!
In 2023, the number of cyberattacks in the public sector surged. Hospitals, town halls, and administrations: no organization is spared. The consequences can be severe: leakage of sensitive data, shutdown of critical services, damage to reputation...
Why Are the Public and Healthcare Sectors So Vulnerable?
Several factors explain this situation:
- Ongoing Digital Transformation: The public and healthcare sectors are increasingly reliant on information systems, creating new potential security gaps.
- Sensitive Data: Health data and personal data of citizens are prime targets for cybercriminals.
- Lack of Resources and Expertise: Public organizations often have limited budgets and staff for cybersecurity.
What Are the Consequences of a Cyberattack?
The consequences of a cyberattack can be serious for both organizations and citizens:
- Data Leaks: Health data and personal information of citizens can be stolen and used for illegal purposes.
- Shutdown of Critical Services: Cyberattacks can disrupt or paralyze essential services, such as hospitals or civil services.
- Reputation Damage: A cyberattack can severely harm an organization’s reputation and that of its leadership.
- High Financial Costs: Cyberattacks can incur significant costs for repairs, lost revenue, and compensation for victims.
How to Protect Against Attacks in the Public and Healthcare Sectors?
For vital or essential information systems, ANSSI has established a framework that includes defining an information security policy, mapping systems, analyzing the risks of vital activities or essential services, system certification, and security audits.
Types of Attacks Observed
The main attacks we have observed that aimed at accessing data exploited the following:
- Security vulnerabilities (e.g., exploiting a weakness)
- Phishing emails
- Impersonation of service provider accounts
- Unpatched exposed assets
- Identity theft
Consequences of Cyberattacks
The consequences of the cyberattacks we have observed may be isolated or combined. The attack can be a simple data leak or extraction. In such cases, it may not be immediately apparent, especially if the leak is not followed by data encryption, or if the source of the leak is internal.
If it is a ransomware attack, a ransom may be demanded to obtain the decryption key or to prevent data from being published/disseminated. This could involve encrypting data, files, virtual machines, backups, and in extreme cases, deleting files and backups.
Even if a ransom is paid, there is no guarantee that the data will be decrypted or that the leak will be prevented. Operationally, the damage can range from the unavailability of an application or service to the complete shutdown of the information system (IS). For instance, there could be a loss of communication (email, VoIP, unavailability of user workstations, one or more applications, company directories) or even a lack of means to manage physical access to sites.
Time to Return to Normal After a Cyberattack
The time required to return to a normal situation varies from a few days for a quickly detected attack to several months for an attack that has deeply impacted the IS. ANSSI explains that "some healthcare establishments have been forced to continue their activities in degraded mode for several months while rebuilding or hardening their IS to make it more resilient to cyber threats."
The Different Phases
Reconstructing the attacked perimeter involves the following phases:
- Identification Phase: Identifying the threat
- Investigation Phase: Assessing what is affected, what is intact, and what is partially corrupted. Anything not 100% guaranteed to be intact must be rebuilt or restored. This is when the perimeter of the attack is defined.
- Containment: Cutting off internal and external access
- Remediation Phase: Eradicating the threats
- System Reconstruction Phase: Operational validation of the systems
- Follow-up: Drawing lessons from the incident
Securing Databases Is Essential
Securing databases is a prerequisite during the reconstruction phase when rebuilding the IS. However, prevention is one of the best protective measures to avoid reaching this stage. To achieve this, it is crucial to work with an expert to identify the best solutions that meet your needs.
Our experts can assist you with risk analysis and management on your databases through audits, risk identification, and monitoring. They can also help with securing DBMSs and Data Lakes right from the design of the data structure. Contact us now to discuss your database security needs.
Sources:
* Panorama de la cybermenace 2022, ANSSI
** Clusif study, June 2020
*** ANSSI infographic
**** Revue stratégique de cyberdéfense (RSC), 2018
***** https://www.cnil.fr/fr/quest-ce-ce-quune-donnee-de-sante