By Nathalie Boudet-Gizardin, partner, and Charlotte Denis

Practical information for doctors who are victims of cyber-malicious attacks

In the era of all-digital, connected medicine, cyberattacks against healthcare actors have exploded since the first lockdown.

Health establishments are the primary targets of destabilizing hacking campaigns (cryptoviruses, theft of health data, security breaches caused by negligence). These cyberattacks can completely paralyze the operation of hospital services for several hours. Moreover, hackers sometimes follow them with ransom demands.

To counter these massive attacks, it is no longer rare to see health establishments enter into specific insurance contracts known as “cyber insurance”.

Such attacks no longer concern only health establishments but also healthcare professionals, and in particular doctors in private practice.

Unlike these establishments, which are supported daily by IT and legal departments capable of assisting them in managing such a crisis, community doctors, sometimes isolated in their practices, are often far more helpless in the face of a cyberattack, which can be both paralyzing and traumatic.

They are, however, in the same way as an establishment or a pharmaceutical laboratory, legally “controllers” and, as such, have an obligation to ensure the security of personal data, as provided for in Article 32 of the GDPR, and more specifically the health data of their patients.

This obligation requires them to put in place security measures commensurate with their risk, together with a crisis management procedure comprising a certain number of steps to be taken in the event of a cyberattack.

How to react to an act of cyber-maliciousness?

When a doctor in private practice is confronted with an act of cyber-maliciousness, such as account hacking, ransomware, etc., it is important to adopt the right reflexes as a matter of urgency.

These reflexes are all the more essential since the digital tools used by doctors contain their patients' health data, which is sensitive data.

The first reflexes therefore consist of: 

To report the incident on this portal, go to the specific tab “you are a healthcare professional” and tick the box “cybersecurity – information systems security incident”.

Secondly, it is necessary to file a complaint.

Depending on the malicious act suffered by the doctor, the complaint may be filed for damage to property in the event of theft and/or for damage to an automated data processing system, consisting of:

  • fraudulently accessing or remaining in all or part of an automated data processing system, and/or
  • hindering or distorting its operation, and/or
  • fraudulently introducing data into an automated processing system, or extracting, holding, reproducing, transmitting, deleting or fraudulently modifying the data it contains.

In addition, since the cyber-malicious acts of which doctors are victims have the particularity of involving patients' health data, the third step is to notify the incident, within 72 hours of its discovery, to the National Commission for Computing and Liberties (CNIL) [1].

Indeed, as mentioned in a previous article on the security of patient health data [2], if the doctor fails to notify such an incident, they may be heavily sanctioned by the CNIL for breach of data security and breach of the obligation to notify, on the basis of Articles 32 and 33 of the GDPR.

Finally, when the data leak is likely to create a high risk for rights and freedoms, controllers, including doctors in private practice, are obliged to inform the data subjects individually that their data has been compromised and published online.

How can we try to protect ourselves against these attacks?

To maintain the trust of their patients, doctors have a legal obligation to take measures to secure the health data they collect. To support them, the CNIL co-drafted with the National Council of the Order of Physicians (CNOM) a practical guide on data protection in 2018 [3].

Thus, doctors are advised in particular to:

  • limit the information collected to what is necessary for the care of their patient;
  • respect the legal data retention period, that is, 20 years from the last medical appointment [4];
  • secure exchanges, in particular with other healthcare professionals, by using secure messaging (not WhatsApp) and by encrypting sensitive documents when using standard messaging;
  • secure access to patient data, in particular by implementing appropriate measures such as a strong personal password, a strong encryption system when using the Internet, limiting the use of public or unknown Wi-Fi networks, authentication via professional card, etc.

When the doctor has a contract with a service provider for the hosting of health data, that provider must guarantee a sufficient level of security. It must therefore be certified or approved, and comply with the conditions laid down in Article L. 1111-8 of the Public Health Code.

It is also recommended to back up data regularly, to apply security updates to the electronic and computing devices used (PCs, tablets, phones, etc.) as soon as they are made available, to use an antivirus, to download applications only from official sites, and to separate personal and professional use of hardware, messaging and “clouds”.

Having the information system of their private practice audited can also help identify flaws and make the necessary corrections, in order to prevent computer attacks.

It is therefore imperative to acquire the right reflexes in order, on the one hand, to guard against such attacks and, on the other hand, to react rigorously and quickly when they occur, so as to avoid any risk of sanction by the CNIL.

It should be remembered that penalties for breaches of data security account for two-thirds of the penalties imposed by the CNIL, which should strongly encourage doctors in private practice to bring their information system into compliance or to seek assistance in doing so.

1 - Article 33 of the GDPR.

2 - https://www.ginestie.com/manquement-securite-donnees-sante-patient/?utm_source=rss&utm_medium=rss&utm_campaign=manquement-securite-donnees-sante-patient

3 - https://www.cnil.fr/sites/default/files/atoms/files/guide-cnom-cnil.pdf

4 - Article R. 1112-7 of the Public Health Code.


Portraits GINESTIÉ MAGELLAN PALEY-VINCENT 2021

Nathalie Boudet-Gizardin

Partner

An expert in health law and regulated professions (advisory and litigation), she works in various fields: structuring the activity of healthcare professionals, advising on the regulatory and ethical aspects of their activity, defending healthcare actors in complex litigation, corporate health law, and civil and disciplinary litigation involving regulated professions.