A ransom of 10 million euros, and a highly disrupted care during the weeks to come. The Sud Francilien Hospital Center (CHSF) in Corbeil-Essonnes, south-east of Paris, has been the victim of a large-scale computer attack, since the night of Saturday to Sunday. Hackers crippled the facility’s computer systems, forcing its doctors and nurses to revert to paper administrative forms.
During the night of Saturday to Sunday, the computer system of the establishment began to derail. “The IT specialists noticed a malfunction. They said to themselves that it was a breakdown (…) but when there was a ransom demand of 10 million dollars in English, they understood”, testifies the director of the hospital, Gilles Calmes. The hospital’s business software, storage systems (including medical imaging) and the information system relating to patient admissions, have been made inaccessible according to management.
Opened in 2012 and with a capacity of a thousand beds, the CHSF provides health coverage for a population of nearly 600,000 inhabitants of the outer suburbs. The Essonne hospital center launched a “white plan” on Sunday, an emergency plan to ensure continuity of care. Hospitalized patients are not affected, management said. “Since yesterday, the CHSF has done everything possible to ensure that all urgent care is satisfied”, assures Gilles Calmes. But new admissions are complicated and emergency patients “are directly referred by the SAMU” to other establishments in the region. Deprogramming of the operating theater is to be feared, according to management. The security of the building and the networks remain active, except for the fax.
“No establishment has paid and will not pay,” the director of the CHSF told AFP, because of its status as a public establishment, the attack therefore being a pure loss for cybercriminals. “We also looked at what happened to colleagues. What we understood is that it can go up to a three-week unavailability,” he said. The Minister of Health, François Braun, judged on Twitter the attack “unspeakable” and said he was waiting for legal action against the perpetrators.
The Paris prosecutor’s office has announced the opening of an investigation for intrusion into the computer system and attempted extortion by an organized gang, supervised by its cybercrime section. The investigations were entrusted to the gendarmes of the Center for the Fight against Digital Crime (C3N). The National Authority for the Security and Defense of Information Systems (Anssi) was “quickly seized by the crisis unit”, he added. These agents try to identify precisely which computer elements are affected, by which path the attack reached its goals, in order to secure the hospital’s data and identify how to restore service. According to a close source, “a family of ransomware has been identified”.
The Coeur-Grand-Est group in April, a hospital in Ajaccio in March… A wave of cyberattacks has been targeting the French and European hospital sector for about two years. In 2021, Anssi recorded an average of one incident per week in a health establishment in France. Experts say cybercriminals either act blindly, randomly targeting any computer system they manage to break into, or because they are inspired by examples of attacks on US hospitals, institutions often deprived of the budget allowing them to pay ransoms.
“We block you, we prevent you from working, and if you want to work, you pay, we unblock you”, summarizes Cyrille Politi, digital adviser at the French Hospital Federation (FHF). “There is really a paradigm shift that has taken place in recent years (…) Before, hacker groups did not attack healthcare establishments. They considered hospitals to be a somewhat sacred place. C fell,” laments the specialist. Hackers can also hope to resell the data obtained during their excursions into the computer system of the establishments attacked.
To fight against this growing phenomenon, the State devoted, after the Covid-19 epidemic, an envelope of 25 million euros to the cybersecurity of health establishments. At the same time, 135 hospitals have been designated “essential service operators”, which requires them to comply with more stringent cybersecurity rules than ordinary institutions. However, with its many connected devices, hospitals remain particularly difficult to protect against cyberattacks.