In the field of health, there are three good reasons to attack the hospital. The first, the most common and the one most readily echoed in the media, is the attack that encrypts systems and data, leaving the hospital without access to patient information.
For the hospital, the attack is visible and attracts the media, because it generates a form of excitement that can stir the political actor, depending on how the incident is handled, which in turn can amplify the media reaction. The hacker then uses this context as advertising, in a world where ego is king. This is what happened to the hospital of Versailles, which “benefited” from very extensive coverage, no doubt because it is the hospital of Versailles and it was one hospital too many.
But since the hospital never stops, you either have to pay the ransom or be lucky enough to have anticipated this kind of crisis, which is not a given for hospitals, already forced to manage a financial crisis like no other and Kafkaesque administrative management. The hacker reasons, and reasons well, that the probability of getting a ransom is higher from a sensitive system than from a station bakery, no offense to bakers!
Hacker: lazy and practical
The second reason is the effort required to put the hospital in the dark. The effort is low and the effect is high. So that is an interesting return on investment, and for a hacker, who is very pragmatic and lazy in his attitude, being able to tap into hospitals’ massive tech debt is a godsend. This debt makes hospitals more complex to protect, but more for regulatory and legislative reasons than because of technological constraints, since existing solutions can easily improve the cyber resilience of these organizations at reasonable cost and with proven effectiveness, especially if we rely on European, and in particular French, technologies.
Our state of health determines our weakness
The third reason, the most insidious and covert, is hospital data theft. This is what is called a patient record leak. Health data is valuable in two ways. It is easily monetized on the black market, because there is demand that is ready to pay. Nobody would steal patient data if it were of no interest to anyone. Health data also includes information that matters for controlling the free economic, and even political, will of a citizen. How? Simply because our health indicates our weakness. Knowing our weaknesses is essential to exerting influence on us, be it social, economic or political.
Here is an example: you are 48 years old and you want to buy an apartment. The bank's insurance company will want to verify that you are in good health and that you are not hiding anything. A conventional medical examination will show that you are fine. On the other hand, if I get your blood results in detail, I will be able to form my own opinion on your future condition and look into the possibility of an underlying pathology. By correlating your lifestyle with your blood tests, the insurance company will be able to better define its risks according to its own arbitration and without any convincing scientific basis. This will have the effect of giving it better protection, by setting an insurance rate higher than average if it discovers the possibility of diabetes, for example. The increase in price will then affect your investment capacity and may force you to buy something smaller and cheaper. With this health data, the insurance company will have made its arbitration in complete independence and on the basis of information whose use the regulations will undoubtedly limit, at least in Europe, thanks to the European Data Protection Regulation (GDPR).
Health information including diagnoses is valuable.
Beyond this example, health “data consumers” (23andMe, Optum, Eqva) have a great demand for this type of data, as it addresses a strategic need for biotechnology research, but also for states, intelligence services and insurance companies. The former need to identify the progression of diseases and can thus, on the basis of accurate biological diagnostic data, predict future chronic diseases by region. Thus, it is certain that the laboratory will develop a customized molecule that the market will anticipate. The other side of the coin is that minor diseases risk no longer benefiting from research programs to treat them, due to the lack of profitability. Thus, the pharmaceutical laboratory will be able to respond effectively to a specific need for a collective pathology, while the orphan disease is likely to be forgotten. The latest glaring example is that of Sanofi and a COVID vaccine that the lab eventually decided not to develop after a year of hesitation. This attitude leads the laboratory not to take any financial risk on research costs, because it wants to be sure that tomorrow’s cure will be produced today for an expected future demand that no one has yet determined. Health information, including diagnoses, is therefore valuable.
For a political actor in power, health data is strategic in all respects
For a country, knowing how its population is doing is essential, if not vital, information. Predicting health insurance financing, the cost of relying on our seniors, and immigration analysis are all must-know pieces of information for determining major social projects, as well as state finances, when legislating on policing, taxes, and the nation’s budget. For a political actor in power, health data is strategic in all respects. Let’s remember the controversy around the TousAntiCovid app, which dealt with a health issue when it was police data.
And then there are the insurers, who will not only be able to improve their forecasts and adjust the strategies of the abundance of insurance funds accordingly, but will also, above all, be able to better control the risks for each citizen when the latter borrows to finance the acquisition of a car or a house, or even when obtaining complementary health insurance.
Another interested party, and a very active one in this sector, is state espionage. Knowing how the inhabitants of a friendly or hostile country are doing makes it possible to influence commercial, financial and technological strategies with the aim of controlling or weakening that country. If, for a country, knowing the state of health of its population is essential information, it is necessarily so for its neighbor as well, ally or not. And in this little game, Americans are one step ahead of the rest of the world. The Microsoft Corporation, one of whose roles is to highlight the health of tomorrow, puts great pressure on countries and large pharmaceutical companies thanks to the data collected and analyzed, always according to regulations, of course.
“Little” opportunistic hacker.
The final candidate for using health data remains the opportunistic “small” hacker. The example that follows can help us think about the importance of always protecting patient data, whoever the patient may be. Let’s imagine a little boy born in 2008 who goes to daycare at the age of two. This little boy is so dynamic and energetic that he can hardly stay attentive for more than 3 seconds. So the management of the nursery orders a child psychiatry consultation to identify a possible underlying disease such as autism, or simply to note that there is none, because this little one is full of energy like millions of others. The doctor’s report is sent to the nursery department, which archives it in an unencrypted file. Since the nursery is funded by the municipality, it relies on the municipality's computer system. Now imagine that this system was attacked in 2012 and the data it contained was stolen.
In 2022, 10 years later, the young boy has become a 14-year-old teenager, registered on social networks. Like every teenager, he talks and makes friends, and sometimes enemies. Someone teases him, ridicules him and insults him on the networks; this is called a defamation campaign. The teenager's demeanor changes, and the social pressure becomes heavy. The community follows the crowd effect of the social network, and everyone laughs at him. One day, a stalker browsing the dark web types his name and discovers, on an old server, the town hall data, the data that was stolen 10 years ago. There he finds the psychiatrist’s report, which does not contain anything specific, but it is a psychiatric report, and the bully uses it to trap our teenager in his shyness and loneliness. Four months later, the young man commits suicide.
Crime scene is the social network
In this tragedy there is a gun, a bullet and a shooter. The weapon is the health data, the bullet is the health chain that did not respect the basic principles of security, and the shooter is the stalker, just like the hacker.
The moral of this story is that obviously every citizen should consider their health as their most valuable commodity, but their health data is just as important. Regardless of the circumstances, allowing the use of a patient’s health data, if you are not a doctor or a health actor, sometimes harms them to the point of killing them. Getting your prescription delivered today to your neighborhood pharmacy’s Gmail account can be an unexpected life changer in the short term. When it comes to a minor, this is totally unacceptable. Thus, cliché as a prescription constitutes a mass of information and knowledge about you that can always be exploited without your knowledge, against you and in the name of a very dubious dogma and throughout your life.