According to the digital health agency ANS, more than a third of the security vulnerabilities detected, or 37% during audits of the ite security branch of that agency, risk the disclosure of patients' confidential data.
The confirmation was given by a cyber-surveillance specialist from the digital health agency Cédric Bertrand during an online conference on October 5th.
The digital health agency's computer surveillance department has been deployed for almost a year to conduct external computer security audits on demand at health facilities. Since it entered service more than a year ago now, the auditing agency has audited some 60 structures, especially territorial hospital groups," notes expert Cédric Bertrand.
The cyber-monitoring service also uses incident reporting at the it security support unit of health facilities, another service attached to the National Digital Health Agency.
It is recalled that since 1 October 2017, health agencies have an obligation to report all computer security incidents of a serious or even significant nature near the Regional Health Agencies (ARS). Once done, the digital health agency is then responsible for supporting the structure affected by the computer incident. In concrete terms, the IT surveillance department analyses the sub-domains of the institutions concerned. The objective is detected the possible security flaw, you could for example allow access to confidential data not protected. Speaking of sub-domains, it should be noted that these are extensions of the main domain name, thus allowing to access ab particular section of the site or application through a link. Let's take the example of this address: "etablissements.fhf.fr." Here the sub-domain is "establishments" of the domain name "fhf.fr."
The health organizations audited by the cyber-monitoring service had a total of 103 domain names. "It may sound huge, but it's because we audit mainly GHTs that consist of a CHU and several small CHCs that each have their own domains," Said Cédric Bertrand. "Some large CHUs have up to 400 or 500 domains that represent as many potential gateways for an attacker," he adds.
Beyond the disclosure of patient information, the most common security vulnerabilities affect:
– 23% cryptography implementation
– 11% software configuration management
– 18 percent security patch management
– 10% lack of access control
It was detected on average about 27 security vulnerabilities per audited structure. 8 of these vulnerabilities were rated as high and 12 were average. 7 are considered low according to the ANS.
It is noted that the most serious vulnerabilities that have been detected are:
– the lack of an update in an operating system in 37 percent of cases
– the presence in the obsolete component system in 37 percent of cases
– the ability to inject malicious codes into an application up to 21% of cases
– accessibility of development servers 21% of cases
According to Cédric Bertrand, the last two vulnerabilities are caused by "bad development practices". Worse still, 80% of the institutions audited, a widespread security flaw "allowed you to take control of at least one server or access confidential data."
The risk has now become notorious. In every sense, we realize that cybercrime, which is on the rise, is in some way upsetting the integrity and effectiveness of health structures. This means that those in charge of its structures and government agencies need to redouble their efforts even more. More resources need to be devoted to this struggle. On the one hand, awareness must be at the heart of this strategy, because as we know humans are the weakest link in the cybersecurity chain.
Now access an unlimited number of passwords: