La Bassée hospital center (North) disrupted by ransomware


The two officials were contacted by APMnews (site of the APM International group, of which TICsanté is a member) after the attack was announced during the New Year's greetings of Edmond Mackowiak, then director of the hospital center (CH) in Lens and of the associated CHs within the Artois GHT, as relayed in an article published on Friday January 17 in the Voix du Nord.

"On October 24 at 2 p.m., a CHLB agent opened an email from the regional health agency (ARS) which contained an infected attachment," said Jalal Soujad. "The same day at 5 p.m., the ARS warned us that one of its mailboxes had been hacked. It was too late, the information system (IS) was already infected and the virus had started to spread."

This "false ARS alert mail" did not target a particular recipient, said Dominique Deschildre. "It was sent to the CH alert box, which is used by several agents. About ten out of 80 stations were infected, we saw a black screen."

The IT department of the GHT reacted the same day: "We shut down the PCs, we unplug them from the network and we run the antivirus. The Emotet ransomware has been detected, the PCs have been cleaned but as soon as we plug them back into the network, the virus returns and begins to spread again," continued Jalal Soujad.

The virus contained a ransom demand of 8,000 euros per infected workstation, the hospital leaders told TICsanté.

Faced with the threat, the CH alerted the ARS and asked for help from the Digital Health Agency (ANS, formerly Asip Santé) and the National Information Systems Security Agency (Anssi). Anssi gave it "methodical, almost daily support, by telephone".

At the same time, the CH called on three service providers: Palo Alto, Orange Cyberdefense and Sophos.

On October 28, 2019, "Anssi and the service providers tell us that it is too late," said Jalal Soujad. "They tell us that you have to format everything because the virus has spread throughout the IS and the machines are obsolete. They were running Windows XP." No antivirus is still able to clean these machines because this operating system is too old, he said.

The CHLB then switched to "degraded mode". Each care unit was equipped with a single new computer, smart health connected to the external network through an internet connection normally dedicated to patients.

On November 8, the decision was made to reset the entire CHLB IS. "A dozen computer scientists" were present to "format all existing stations and install new stations," said the CIO. The CH acquired the Mailinblack anti-spam solution, a Sophos antivirus and a firewall produced by Palo Alto, he added.

Business applications, including the computerized patient record (DPI), began to be replaced on November 18, more than three weeks after the booby-trapped email was opened.

A cost of 100,000 euros for the CH

The replacement of the CHLB IT equipment, which had been planned to allow the installation of Millennium, the new GHT DPI published by Cerner, has been accelerated.

"We are in the process of reshaping the infrastructure of our network, some orders have not yet arrived," explained Dominique Deschildre. The situation is now "back to normal" for the DPI and the administrative services of the CH. Only the intranet is still not accessible.

The total cost of the attack and its consequences was estimated at 100,000 euros. "We are going to ask for specific assistance from the ARS," said the deputy director of the establishment.

There was no data loss or leak. "The DPI is hosted outside and the office data has been cleaned with Sophos and Palo Alto," said Jalal Soujad.
