Southwestern hospitals in panic: should we pull the plug to protect ourselves from ransoms?
February 2021 by Bertin IT
On February 11, the France 3 channel reported the panic that set in when the eleven institutions of the Dordogne hospital group almost suffered the same fate as the Dax hospital, victim of a ransomware attack that shut down all of its computer systems and forced a return to pencil and paper in the middle of the pandemic.
The initial diagnosis of the incident indicates that the hospital group was a collateral victim of its IT supplier, to which it was evidently connected over the network.
The decision that followed was to shut down the backup servers to protect the data, in light of what had happened in Dax. The speed of the reaction is to be commended, but it leaves a question unanswered: do we have no other answer to the spread of malware than to "pull the plug"? Is this a lack of preparation, of skills, or of technical solutions?
Ransomware (malware that encrypts data and demands a ransom for it) has been known for several years, and the ANSSI keeps issuing more and more warnings. In addition, the healthcare sector and local authorities have been identified as targets prized by attackers. This new incident highlights a lack of protection against the risk of malware propagation. The surprising reaction of the Dax management in the press (they find the attack "odious") raises questions about the defense strategy they had chosen.
Hospitals are organizations equipped with firewalls and antivirus, and they use providers whose skills can be verified with the ANSSI. For all that, one can only note that ransomware detection failed, whether by next-generation antivirus or by EDR (Endpoint Detection and Response) systems. As for SOCs and SIEMs, sophisticated monitoring systems that require significant staffing, they are reserved for large organizations because of their cost.
But beyond the budgetary aspect that systematically comes up when we talk about hospitals, it is also important to measure whether the means deployed are adequate against a rapidly evolving threat. Since the increase in resources devoted to malware detection has clearly not yielded the expected results, it would be advisable to redirect some of that effort toward protective measures that limit propagation. The analogy with the health crisis is obvious.
Two immediate steps emerge from the analysis of the Dordogne hospitals' incident: isolating the network from external service providers, and keeping the backup network separate from the rest of the network. An effective technical solution exists in the form of integrated network equipment: the Secure Exchange Gateway (Google will help you find it), which follows the architectural principles recommended by the ANSSI. Let us reinforce the isolation of networks and backups, and reactions will be far calmer during the next wave of malware.
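The two measures above (restricting what the supplier's access can reach, and keeping the backup segment unreachable from the rest of the network) can be checked before an incident rather than discovered during one. The following is an added example, not code from the article or from any Bertin IT product: a small first-match rule evaluator that audits a flat ruleset against a segmented one. All addresses, the backup agent port (10050) and the segment layout are constructed for the illustration; the "must deny" list encodes the propagation paths the article warns about, and the "must allow" list guards against breaking the supplier's maintenance access and the backup pull.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule. port=None matches any TCP port."""
    src: str            # source CIDR
    dst: str            # destination CIDR
    port: Optional[int]
    action: str         # "allow" or "deny"


def decide(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit final deny (the safe default)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


# Constructed addresses for the illustration (not from the article):
PROVIDER_VPN = "10.99.0.7"     # workstation on the IT supplier's VPN segment
APP_SERVER = "10.20.1.10"      # the application server the supplier maintains
LAN_CLIENT = "10.20.5.42"      # an ordinary hospital workstation
BACKUP_SERVER = "10.30.0.10"   # backup server on its own segment

# Weak setting: a flat network, everything reaches everything.
FLAT_RULES = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]

# Corrected setting: the supplier reaches only the host it maintains, on 443;
# only the backup server initiates connections into the LAN (pull model);
# nothing on the LAN or the supplier VPN can open a connection into the backup segment.
SEGMENTED_RULES = [
    Rule("10.99.0.0/24", "10.20.1.10/32", 443, "allow"),
    Rule("10.30.0.10/32", "10.20.0.0/16", 10050, "allow"),  # backup agent port (assumed)
    Rule("0.0.0.0/0", "10.30.0.0/24", None, "deny"),
    Rule("10.99.0.0/24", "0.0.0.0/0", None, "deny"),
    Rule("10.20.0.0/16", "10.20.0.0/16", None, "allow"),
]

# Flows that must be blocked (propagation paths) and flows that must keep working.
MUST_DENY: List[Tuple[str, str, int, str]] = [
    (PROVIDER_VPN, BACKUP_SERVER, 445, "supplier VPN -> backup server SMB"),
    (PROVIDER_VPN, LAN_CLIENT, 445, "supplier VPN -> hospital workstation SMB"),
    (LAN_CLIENT, BACKUP_SERVER, 445, "workstation -> backup server SMB"),
    (APP_SERVER, BACKUP_SERVER, 22, "app server -> backup server SSH"),
]
MUST_ALLOW: List[Tuple[str, str, int, str]] = [
    (PROVIDER_VPN, APP_SERVER, 443, "supplier maintenance over HTTPS"),
    (BACKUP_SERVER, APP_SERVER, 10050, "backup server pulls from app server"),
]


def audit(rules: List[Rule]) -> List[str]:
    """Return a list of findings; an empty list means the ruleset passes."""
    findings = []
    for src, dst, port, label in MUST_DENY:
        if decide(rules, src, dst, port) == "allow":
            findings.append(f"propagation path open: {label}")
    for src, dst, port, label in MUST_ALLOW:
        if decide(rules, src, dst, port) == "deny":
            findings.append(f"required flow blocked: {label}")
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, audit(rules) or "OK")
```

The flat ruleset reports every propagation path as open, which is the situation in which a supplier-side compromise reaches both the hospital LAN and the backups; the segmented ruleset passes while still permitting the supplier's maintenance connection and the backup pull. The same check can be re-run whenever a rule is added, so that a convenience "allow" for a provider does not silently reopen a path into the backup segment.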