The healthcare sector’s increasing exposure to cyber risks
The healthcare sector is actively targeted by cyberattacks because of the sensitivity of the data processed, IT equipment that is ageing because certain devices stay in service for a long time, a significant lack of resources, and the significant human impact of a system shutdown.
Since its inception, Alcyconie has been helping university hospitals, hospitals, private clinics and healthcare software publishers to deal with cyber risks.

The healthcare sector is one of the most targeted by cyberattacks, particularly ransomware attacks. These attacks render all or part of the data inaccessible. The hackers’ objective is to demand a ransom in exchange for the decryption key.
These attacks are often accompanied by data theft and leakage to pressure the victim organisation into paying the ransom demanded or to resell this health data at a high price to other cybercriminals.
Furthermore, ransomware very often results in the shutdown or severe disruption of business activities.
Indeed, shutting down the information system to prevent an attack from spreading is no small matter for a healthcare facility, where everything is computerised: admissions, prescriptions, analyses, reports, etc.
The year 2021 was marked by a large number of high-profile attacks against healthcare institutions. In September 2021, the APHP (Assistance Publique – Hôpitaux de Paris) was the victim of the theft of data from 1.4 million patients, including: ‘the identity, social security number and contact details of those tested’, as well as ‘the identity and contact details of the healthcare professionals treating them, the characteristics and results of the tests carried out’.
In August 2021, the Rome region was forced to suspend its vaccination campaign due to a ‘very powerful and invasive’ cyberattack that completely paralysed its services.
At the same time, in France, Arles Hospital was grappling with ransomware that rendered patient records unreadable, forcing healthcare teams to ‘go back to pen and paper’ and postpone many planned procedures.
A few months earlier, in May, the Irish Department of Health had been targeted by ransomware that completely paralysed the public health service for several days. Throughout April, Pierre FABRE Laboratories was grappling with ransomware that brought its production line to a complete standstill and forced it to rebuild its information system.
These attacks pose a risk to business activities as they can completely paralyse information systems. The risk also extends to health data. This data may be temporarily or permanently inaccessible, but it may also be corrupted, posing a direct risk to patient treatment. Finally, it is commonly sold at a high price (around £250 per unit) for use in fraudulent activities such as identity theft and extortion.
Thus, in the healthcare sector, cyber risk is rapidly becoming a human risk for:
- Patients: loss of records and prescription histories, malicious acts such as prescription swapping or modification of surgical instructions, inaccessibility of services, slowdown in the care pathway, extortion attempts (example: in 2020, the Finnish company Vastaamo suffered a hack involving thousands of psychotherapy patient records – cybercriminals contacted patients directly to demand a ransom, threatening to disclose information about their psychological condition if they did not pay).
- Healthcare workers: deterioration in working conditions and tools, return to ‘paper-based’ systems, lack of information about patients, guilt in the face of human tragedies, etc.
- The crisis unit: difficulties in dealing with a highly technical crisis, pressure over a long period of time (cyber crises often last several weeks), the vital need to ensure that operations continue in degraded mode and to make complex human decisions, the obligation to comply with regulatory notification requirements and, more generally, to develop a sensitive communication strategy for multiple audiences.
Beyond the human impacts, a cyberattack also has heavy financial consequences: losses linked to the halt or slowdown of activity, investigation and data reconstruction costs, and legal support costs to deal with regulatory notification obligations, administrative investigations or third-party claims.
Alcyconie’s approach to supporting the healthcare sector
Alcyconie stands out for its unique positioning, at the crossroads of crisis management and cybersecurity. The company has earned its place in a dynamic and rapidly evolving market. Whether before, during or after the crisis, the Alcyconie team is at the side of its clients in the healthcare sector when the challenges require strategic and operational solutions, to respond to complex, sensitive or crisis situations.
Alcyconie has developed a tailor-made support method, structured around several key axes, as close as possible to the challenges of the players in the healthcare sector.
1- Prepare to manage a crisis of digital or cyber origin, in all its dimensions
Ahead of crises, Alcyconie works with players in the healthcare sector so that they can protect themselves and prepare to deal with cyber and digital risks. Alcyconie is particularly recognized for helping them to:
- raise awareness among operational teams of good IT hygiene practices and train decision-making units in cyber and digital crisis management in their specific areas;
- support functions that have specific roles to play during a cyberattack (lawyers, communicators), so that they are as well prepared as possible to find their place in the crisis unit on D-Day and respond effectively to the situation (notifications to the authorities, setting up a watch, responding to requests and multiple complaints, etc.);
- organize to deal with cyberattacks: identification of roles and responsibilities, implementation of alert, mobilization, crisis management and business continuity procedures;
- equip themselves to enable confidential communications and decision-making in a degraded or inoperative IT environment;
- train the crisis unit to react to cyberattacks, thanks to immersive exercises that put pressure on decision-makers, who thus acquire life-saving reflexes in the event of a future crisis. Our scenarios are tailor-made and allow us to test the procedures in place under near-real conditions. Alcyconie has developed the PIA® immersive platform which is made available to players on the day of the exercise, so they can train in a closed and secure “bubble” where they interact only with the consultants of the Alcyconie team with increased realism;
- train communication teams to identify key information and develop relevant messages.
The PIA® immersive platform has features dedicated to communication teams. The media and social media tabs are fed in during the exercise by our consultants, in order to allow monitoring work (identification of critical information to be transmitted to the crisis unit, qualification of the criticality of the information, etc.) and interaction on social networks.
2- Be guided and supported to steer accurately in a degraded situation
Faced with a detected or suspected cyberattack, Alcyconie is able to support healthcare players thanks to a 24/7 on-call system.
Alcyconie consultants are available, remotely or face-to-face, to:
- strengthen your crisis unit: methodological support, operational support, provision of external expertise, consideration of risks in the strategy deployed;
- support you in the construction of your operational response;
- define your crisis communication strategy alongside you, keeping it coherent across the many stakeholders involved (patients, journalists, authorities, partners and other players in the health sector, suppliers, etc.), with the right level of popularization;
- provide operational support to crisis communication teams (drafting of language elements, press releases, tweets, Q&A, etc.) and legal teams.
3- Work on the end of the crisis as closely as possible with the teams
Alcyconie also supports healthcare stakeholders in the post-crisis period, in particular by guiding them on the various aspects involved:
- the gradual resumption of their activities;
- the facilitation of feedback on the cyberattack, with a dual objective: to consolidate the existing crisis system and to identify the actions necessary to avoid the resurgence of the crisis;
- psychological support for victims, employees and affected organizations, in order to understand, decipher and accept what happened, but also to support the teams in the “end” of the crisis and the return to normal activities. Supported by a range of experts, coaches and external partners, Alcyconie adapts to the situation of the establishments it supports and develops tailor-made solutions.
Are you a CISO in the healthcare sector and want to train your teams? Are you a training manager and are you planning to organise cyber risk awareness training or crisis management training dedicated to the health sector?