Health data: From raiding to reselling.

In September 2020, the German government announced that a patient in a Düsseldorf clinic had died as a result of a cyber attack. Since then, cyber attacks on healthcare institutions have never stopped and are increasing in number. The attacks are mainly ransomware or Distributed Denial of Service (DDoS) attacks. Are cybercriminals acting out of opportunity? Are they trying to destabilise the health systems of the states concerned? Or are they preying on health data with a view to reselling or using it? Although several laws and regulations attempt to protect health data, many technical and human vulnerabilities make it particularly exposed to malicious actors.

More and more attacks

One only has to read the specialised or general public press to understand the extent of the phenomenon. Health establishments in most European countries (and more widely in the West) are affected. Recently, the Dutch National Cyber Security Centre (NCSC) reported that hospitals in Europe, particularly in the Netherlands, have been targeted by a group of hackers. British, German, Polish, American and Scandinavian hospitals have also been targeted in recent months. In May 2022, Italian hospitals based in Milan were also the target of a cyber-attack, which affected both hospital and emergency departments, as well as certain vaccination centres, such as the one in Piazzale Accursio in Milan.

In Belgium, after the Groupe Santé CHC in Liège in November 2022, it was the Saint-Pierre hospital in Brussels that fell victim to a cyber attack in March 2023. In May 2022, the intercommunal healthcare organisation Vivalia had already been the victim of a large-scale cyber attack. “Hackers are looking for information, especially sensitive medical information, and hospitals are therefore priority targets,” said Yves Smeets, Director General of Santhéa, the professional and employers’ association of Walloon and Brussels healthcare institutions.

In France, more than thirty hospitals have been affected by a cyber attack since 2021.

Finally, on 13 March 2023, at the Hospital Clinic in Barcelona, the cybercriminal group RansomHouse demanded a ransom of $4.5 million in exchange for not publishing the data to which it had gained access.

A classic modus operandi for accessing high value-added data

To get into a hospital’s computer network, hackers use the usual loopholes. Either they take advantage of a vulnerability in the network, or they use social engineering techniques, or a combination of both, explains Michele Rignanese, spokesperson for the Belgian Centre for Cybersecurity (CCB). Much of today’s medical equipment consists of connected devices that very often contain vulnerabilities. The same applies to laboratories, where the security of connected equipment does not always seem to be a priority. In short, awareness of the sensitivity and strategic nature of health data is not yet systematically shared by professionals in the sector.

The purpose of collecting health data, however, probably lies in the possibility of using it in massive quantities to feed automatic medical recognition AI, either directly or by selling it to the right people or organisations. It is therefore a matter of massive raids on the health data of citizens of countries with efficient health systems.

In a report on personal data produced by France Télévisions in May 2021, Sarah Spiekermann, Director of the Vienna Institute of Information Systems, stated that “our personal data is worth its weight in gold” and that some companies hold up to “30,000 data points for each individual they track”. Health data is among them. On a global level, “the potential of e-health data is estimated by the GAFAMs at $7,100 billion”, according to Eugène Favier-Baron of Grenoble Alpes University. This leaves great opportunities for cybercriminals.

What status and protection is there for health data?

The General Data Protection Regulation (GDPR) sheds some light on health data (Article 35): personal data concerning health should include all data relating to the health status of a data subject which reveals information about the data subject’s past, present or future physical or mental health. This data falls under the special categories of personal data provided for in Article 9-1 of the Regulation, the processing of which is prohibited except within a particularly strict framework justifying the necessity:

  • The processing is necessary for the purposes of preventive medicine or occupational medicine, the assessment of the worker’s capacity to work, medical diagnosis, health or social care, or the management of healthcare or social protection systems and services (Art. 9-2-h);
  • The processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or for the purpose of ensuring high standards of quality and safety of healthcare and medicines or medical devices (Art. 9-2-i).

In this case, the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32-1), and particular account shall be taken of the risks represented by the processing, in particular those resulting from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed (Art. 32-2). This raises both the responsibility of the controller of health data and the level of security it must provide. To control this level of security, healthcare professionals can rely on several ISO standards (27001, 27002 and 27799).

ISO 27001 relates to information security, cybersecurity and the protection of privacy, as well as to information security management systems. It is complemented by ISO 27002 (Information technology – Security techniques – Code of practice for information security management), under which an organisation must identify its security requirements according to:

  • The organisation’s own risk assessment;
  • The legal, statutory, regulatory and contractual requirements that the organisation and its business partners, contractors and service providers must meet;
  • The set of business principles, objectives and requirements for handling, processing, storing, communicating and archiving information.

Finally, ISO 27799 transposes ISO 27002 to the health domain, giving particular attention to the appropriate application of security measures for the protection of personal health information.

Beyond the GDPR and this normative environment, health actors are also covered by the NIS 2 directive, which classes healthcare as a sector of high criticality and therefore treats these actors as essential entities. Healthcare providers, laboratories, research and development entities, pharmaceutical manufacturers and manufacturers of medical devices are all considered critical. Because they depend on computer networks or information systems whose disruption would have a significant impact on their operations, they are obliged to put in place internal cybersecurity risk management measures and to comply with incident reporting obligations.

Conclusion

The increasing use of connected medical devices and equipment is generating a wealth of health-related data. Although this data is considered sensitive, numerous flaws in both the medical devices and in the management and storage of this data make it particularly attractive to malicious actors. Cybercriminals become predators of health data because the financial windfall it represents is immense: theft or misappropriation of data, resale, or use in innovative artificial intelligence systems. The race for data is a field in which the competitiveness of the players concerned depends on agility and the fastest possible response. The temptation is therefore great to acquire, legally (less quickly) or illegally (very quickly), the quantities of health data needed to achieve the desired objectives.

It is likely that an increasing interpenetration of the legal and illegal economies, as in other sectors of activity, will become a reality in the near future with regard to health data, despite the proliferation of standards in this area.

Deputy head of the Centre for Economic Security and Protection of Enterprises (CSECOPE)