French president Emmanuel Macron has promised to invest €1 billion in a national cybersecurity strategy, following ransomware attacks on two hospitals this month.

The hospitals at Dax and Villefranche-sur-Saône were paralysed by attacks in which hackers blocked the telephone systems, forcing the hospitals to shut off the internet service and other networks to keep the ransomware from spreading. This affected patient records, surgical devices, medication management, appointments, bed and doctor allocation.

Patient operations were postponed and some patients moved to other hospitals, while hospital staff were forced to return to paper-based methods such as hand-made service charts and appointment books.

The National Information Systems Security Agency (Anssi) has been working to restore the computer networks and recover data, part of which was protected in backups. It's expected to take several weeks before the hospitals can return to normal operation.

Speaking at a press conference last week,  Macron said the attacks showed France’s “vulnerability and the importance of stepping up and investing."

WHY IT MATTERS

According to Anssi, ransomware attacks in France surged 255% last year compared to 2019, with the increase particularly affecting the health care sector, education system, local authorities and digital service providers.

“It is more urgent than ever to act concretely and collectively on digital security,” said Anssi director general, Guillaume Poupard.

There were 27 cyber-attacks on French hospitals in 2020, according to the Cédric O, the French minister for digital transition and communications.

THE LARGER CONTEXT

Cybercriminals have been seeking to take advantage of the rapid telehealth upscale during the COVID-19 pandemic. 

Earlier this month, French insurance company Mutuelle Nationale des Hospitaliers (MHH) was hit by a ransomware attack, which caused its website and telephone platform to go down.

Meanwhile, Serco, the outsourcing firm behind NHS Test and Trace, confirmed that parts of its infrastructure in mainland Europe had experienced a double extortion ransomware attack from cybercriminals.

ON THE RECORD

Jean-François Goglin, deputy director of Connective Santé and HIMSS board member, said: “The fight against COVID-19 has resulted in a very rapid opening of the information systems of hospitals to the outside, in particular to allow teleworking and teleconsultations inducing security breaches that must now be mastered. A massive investment plan in cybersecurity will only be effective if a real defence in depth is put in place, applied at all levels of care coordination, for hospitals, social and medico-social establishments.”

Dr Saif Abed, founding partner and director of the AbedGraham Group, said: “Investment in healthcare cybersecurity should always be applauded. However, we need to make sure that these investments lead to sustainable improvements by enhancing people and processes in addition to the inevitable spend on technology.

“Furthermore, the funds that are announced have to be easily accessible to healthcare organisations on the frontlines of protecting patients from harm and not become a bureaucratic challenge to receive.”