Appendix: Hospital cybersecurity: Emergency planning response and preparedness to mitigate the effects of a potential cyberattack on French hospitals in Paris, France

Authors

DOI:

https://doi.org/10.5055/jem.0885.Appendix

Keywords:

emergency preparedness response and resilience, cyberattack, simulated exercise, cyber resilience, hospital contingency planning, mitigation plan, crisis response and emergency management

Abstract

Over the last few years, numerous hospitals in France have been subject to increasingly frequent and severe cyberattacks that have disrupted healthcare provision to varying degrees. To mitigate this threat, especially in light of the forthcoming 2024 Olympic Games, Assistance Publique–Hôpitaux de Paris in Paris has been developing contingency plans that have been tested in simulated exercises called CRYPTolocker EXercice since May 2021. The latest simulated ransomware cyberattack that involved more than 200 participants took place on July 5, 2023, and lasted for 24 hours. Although cybersecurity contingency plans are confidential for obvious reasons, this article presents the multidisciplinary organization of the simulated attack based on previous experiences from other hospitals and general findings that are in the public domain. It was found that the procedures in place worked well overall, and countermeasures were quickly implemented to limit the severity of this simulated cyberattack. However, failings were observed in intra- and extra-hospital communication, and conflicting priorities between different categories of personnel (administrative, managerial, and clinical) hampered the information technology team in resolving various issues. Furthermore, it was found that mental fatigue, task saturation, and information overload may have overwhelmed senior managers at sporadic intervals. This often resulted in an action–reaction approach being used to find temporary solutions to immediate problems. Consequently, senior managers who participated in this simulated cyberattack were unable to think strategically and anticipate demands for middle- and long-term issues. This unprecedented exercise was an important learning experience for all participants, and the lessons learned will help further improve contingency planning and cyber resilience. 
It is advised that all hospitals worldwide adopt and develop a similar multidisciplinary approach (taking into account their local contexts) to limit the deleterious effects of a potential cyberattack that undoubtedly will become more prevalent in the future.

Author Biographies

Ali Ghanchi, PhD, MPH, RM

APHP Hôpital Necker-Enfants Malades, GHU Paris Centre, Service d’Obstétrique - Maternité, Chirurgie Médecine et Imagerie Foetales, Paris, France

Charles Barthe, MSc

APHP Siege, Direction des Services Numériques, Département Sécurité du Système d’Information, Campus Picpus, Paris, France

Didier Perret, MSc

APHP Siege, Direction des Services Numériques, Département Sécurité du Système d’Information, Campus Picpus, Paris, France

Published

02/01/2025

How to Cite

Ghanchi, A., C. Barthe, and D. Perret. “Appendix: Hospital Cybersecurity: Emergency Planning Response and Preparedness to Mitigate the Effects of a Potential Cyberattack on French Hospitals in Paris, France”. Journal of Emergency Management, vol. 23, no. 1, Feb. 2025, pp. A1-A0, doi:10.5055/jem.0885.Appendix.