Interview: Cloudflare France Director Warns Healthcare Industry Is Falling Behind in Cloud Security
Additional funding totaling €20 million ($20 million) for ANSSI has been pledged to help improve cyber protection for the French healthcare industry following a ransomware attack on the Centre Hospitalier Sud Francilien (CHSF) on August 24, 2022.
The funding was promised by French Minister for Digital Transition and Telecommunications Jean-Noël Barrot and Minister of Health François Braun, who visited the affected hospital on August 26, just days after the attack had been made public.
The 1,000-bed hospital, located 28 km from Paris, was hit by a ransomware attack accompanied by a $10 million ransom demand, adding to a growing list of French medical centers that have suffered cyberattacks in recent months.
“[The funding] is a good sign, but money is not everything,” Boris Lecoeur, head of Cloudflare France, told Infosecurity Magazine. Lecoeur, who has previous experience with healthcare providers under attack, advised the industry to move away from the perimeter security approach and embrace Zero Trust.
Infosecurity Magazine spoke to Lecoeur in more detail about his experience, how attackers get into hospital systems, and what healthcare providers should do to protect themselves in the future.
Infosecurity Magazine: Why are attackers increasingly targeting hospitals?
Boris Lecoeur: First, we are seeing a global increase in cyberattacks across all sectors – the healthcare industry is receiving particular attention due to the criticality of the potential consequences.
Second, hospital computing is typically very heterogeneous, with a mix of proprietary and/or industry-specific (DICOM) hardware and protocols, and is often unpatched. We have even seen outdated software. For example, some of the UK’s NHS computers were found to be running Windows XP when WannaCry ransomware broke the news in 2017. This, along with the ever-increasing hybridity of locally hosted and cloud services, typically shared with vendors, make it more difficult to effectively maintain the entire IT system and leverage traditional perimeter security.
Moreover, compared to the industry [OT] sharing this heterogeneity of devices and software and the hybridity of connections, healthcare networks are much more connected to the internet, making them an easy target for attackers.
IM: Hospitals used to be the red line that cybercriminals dared not cross. Why has this changed?
BL: I’m not sure if it’s for geopolitical reasons. Yet it appears that some hacking groups that previously declared healthcare providers off-limits are now targeting hospitals anyway. Such is the case with LockBit, a ransomware group allegedly responsible for the CHSF hack and whose ransomware-as-a-service (RaaS) program rules prohibit affiliates from encrypting healthcare provider systems.
From a purely financial point of view, there is no doubt that the critical aspect of health systems makes it a very lucrative business to attack.
In many cases, hacker groups are increasingly using double extortion methods, demanding money to decrypt data and to prevent such data from leaking onto the internet. [Initial analysis by the French media outlet LeMagIT suggests that one such method could have been used against the French hospital’s systems, which were encrypted using LockBit 3.0.]
IM: Based on your experience working with healthcare providers, what is the typical method used to hack into hospital computer systems?
BL: I don’t think there’s much difference with other industries, to be honest. We found that 91% of all cyberattacks start with a phishing email. It is the Achilles heel of all enterprise information systems. Then another growing vector comes from VPN providers. Threat actors know that VPN use has increased, especially since the start of the new era of working from home, and VPN gateways are the first thing they scan for vulnerabilities.
Then, once the hackers have infiltrated the systems, they can do whatever they want. Most hospitals only have a security perimeter in place, so it’s hard to control what someone does once they get the proper credentials. For example, when we audited one of our clients in the healthcare sector, we realized that no application firewall was installed on the network. Once access is granted, the threat actor can deploy trivial attacks such as SQL injection. They can also elevate their access with credential stuffing to access more sensitive data.
With such freedom, hackers usually stick around for a few days to scan the network and start the encryption process.
IM: Would you say that the healthcare sector is behind in terms of security?
BL: I would certainly say so, at least as far as France is concerned. Most healthcare networks are still operated with an outdated perimeter security approach (everything inside the network is considered trusted). In an ultra-connected age, where threat actors equip themselves with social engineering experts, this cannot last.
The healthcare industry is also lagging behind in cloud security adoption.
However, I am not trying to shame anyone. If you’re putting yourself in the shoes of budget managers in a hospital, faced with investing in new, modern healthcare equipment or fixing existing software, it’s not an easy choice. But now, cybersecurity must be part of the budgetary priorities of this industry.
IM: What should be done to improve the cybersecurity of these critical infrastructures?
BL: First, security decision makers need to tackle the phishing problem with better email security. One possibility is to install software that will isolate each link opened by the user and identify even the most sophisticated phishing attempts that pass the filters of Microsoft and Google services.
Next, security should be approached with a Zero Trust approach, including least-privilege access, context-based multi-factor authentication (MFA), and micro-segmentation.
This is for the big picture. Then, in terms of timelines, when healthcare providers contact us after being attacked, their top priority is to improve security at the application level (Web Application Firewalls, anti-DDoS and anti-bot solutions). We can then move on to deploying improved and broader infrastructure security using cloud-based security solutions.
IM: What do you think of the injection of €20 million into ANSSI to contribute to upgrading the security of healthcare networks?
BL: Considering the scale of the problem, €20m doesn’t seem like a lot, but it’s definitely a good sign. We have seen an increase in cybersecurity funding across all industries in France in recent years.
However, money is not everything. When we have identified a problem, it is common to pay money to solve it. But there is so much to do without spending a penny!
Organizations often have excellent security solutions installed, but they are poorly configured or the processes are not well implemented. I think this is where any CISO should start.