France’s social security system in the face of cyber challenges

According to a recent study carried out by the Agence nationale de la sécurité des systèmes d’information (ANSSI – French national agency for information systems security) in collaboration with social security organizations, almost 80% of operations carried out by policyholders are now carried out online. This trend towards paperless administrative procedures is growing steadily. This growing digitization of social security services in France has improved the efficiency and accessibility of social benefits for citizens.

On the other hand, the sheer volume of personal data stored in social security databases makes them an attractive target for hackers. According to a study by the digital health agency, social security organizations in France have seen a significant increase in attempted cyber attacks in recent years, with a 35% rise in reported incidents in 2022 compared to the previous year.

In today’s digital society, it is vital to anticipate the potential consequences of a cyber attack on France’s social security system, from both an operational and a financial point of view. In addition, it is vital to identify vulnerabilities and preventive measures to mitigate the risks associated with such attacks, and guarantee the continuity of essential services for insured persons.

Exponential dematerialization

France’s social security system offers a range of digital services and functionalities that give policyholders easy access to social security benefits and enable them to manage their administrative procedures online. The main digital services offered by social security include income declaration, healthcare reimbursement and management of social entitlements.

The interconnectivity of the various players involved in the social security system is essential to ensure the smooth and secure exchange of information. Social security organizations, healthcare professionals and policyholders are all connected via digital platforms. This increased interconnectivity has led to significant changes in modes of communication and data exchange. The dematerialization of administrative procedures has reduced processing times and improved service efficiency. According to the 2021 annual report of the Caisse nationale d’assurance maladie (CNAM), over 80% of electronic health care forms have been transmitted electronically, an increase of almost 20% on 2020. And around 95% of tax returns have been filed online.

Specific cyber vulnerabilities and threats

France’s social security systems have certain vulnerabilities that make them susceptible to cyber attacks. The first of these is, of course, weak passwords. Used by citizens of all ages, login applications are often the easiest way in: many users choose weak passwords or reuse the same password for several accounts, which increases the risk of account compromise. Software security flaws are another. Social security is an institution created in 1945, and the applications and software it runs may contain vulnerabilities linked to outdated equipment that attackers can exploit. Finally, the lack of cybersecurity training is also a vulnerability of the social security ecosystem. End-users and employees are not sufficiently aware of good security practices, which can lead to human error and facilitate attacks.

Given these vulnerabilities, cyber-attacks on social security systems can take many forms, depending on the hackers’ objectives.

These include phishing attacks designed to trick users into divulging sensitive information, such as login credentials. According to a study carried out by the French government’s Centre de veille, d’alerte et de réponse aux attaques informatiques (CERT-FR), in 2022, France recorded over 65,000 reports of phishing attempts, an increase of 67% compared to 2021.

Secondly, we see ransomware cyberattacks aimed at encrypting data in exchange for a ransom to unlock it. If social security systems are compromised by ransomware, the crisis will be followed by massive disruption of services and potential loss of personal data. In 2021, the number of ransomware attempts in France rose by 62% compared with the previous year, according to Kaspersky, particularly in the public and healthcare sectors, as demonstrated by the recent cyberattacks on the Corbeil-Essonnes hospital, or very recently on the Saint-Brevin town hall in Loire Atlantique.

Finally, one of the attacks most likely to affect social security network infrastructure is the DDoS attack. These attacks, known as distributed denial-of-service attacks, aim to overwhelm targeted systems by flooding them with traffic, resulting in service unavailability for legitimate users. According to a survey conducted by ANSSI, in 2022, France saw a 75% increase in DDoS attacks compared with the previous year.

Diverse motivations

While cyber attacks can be successful, and cyber attackers increasingly experienced, it’s vital to understand the main motivations for targeting the social security network infrastructure. Among these motivations, one of the most important is the theft of personal information. The target is personal information such as social security numbers, bank details or medical data, with the aim of exploiting it for fraudulent and lucrative purposes. A complete medical file sells for around $350 on the dark web, while a social security number sells for around $3. With more than 65 million insured people, this can be a lucrative business.

Other motivations include financial extortion, as mentioned above in connection with ransomware (10 million euros were demanded from the Corbeil-Essonnes hospital in September 2022), and the sabotage and disruption of social security services, which causes operational problems and undermines user confidence. It should be noted that most cybercriminal groups specify in their code of ethics that they do not attack healthcare establishments with the aim of harming hospitalized patients, and only for profit.

Social security, a not-for-profit entity, is not exposed to significant financial loss through the loss of customers. Nevertheless, whatever the nature of the attack and the motivations behind it, the consequences of a cyber attack on social security can be formidable: interruption of services, loss of sensitive data, violation of policyholder privacy, and significant costs for system restoration and crisis management.

Short- and long-term consequences

The consequences of a cyber attack on the social security system are both short- and long-term. Immediately after the attack, services are disrupted and digital platforms are unavailable. Attackers can paralyze IT infrastructures, interrupting essential services for policyholders. For example, in 2020, France’s Assurance Maladie was the victim of a major IT attack that disrupted its online services for several days. This had a direct impact on policyholders, who could no longer access online reimbursement services or check the status of their claims.

A cyber attack on social security systems can also lead to the leakage of sensitive data, compromising the privacy of policyholders both immediately and in the long term. Sensitive data can subsequently be used for identity theft or fraud, or for profit-making purposes as mentioned above. In 2017, ANSSI reported a data leak at the Caisse nationale d’assurance maladie (CNAM). Nearly 500,000 records containing the personal information of policyholders were compromised, exposing these individuals to a high risk of fraud.

The financial consequences of a cyber attack on social security systems can also be significant. Social security organizations can face high costs for system restoration, data recovery and the implementation of enhanced security measures. What’s more, policyholders themselves may suffer financial losses if sensitive information is stolen. If bank data is compromised, policyholders can fall victim to financial fraud and unauthorized transactions. A 2020 study by IBM Security and the Ponemon Institute shows that the average cost of a data breach for a company in France was €3.92 million. These costs include remediation expenses, lost revenues, regulatory sanctions and potential litigation. On the scale of the French social security system, it’s hard to put a precise figure on the cost, but it would undoubtedly be very substantial.

Finally, a major cyber attack on social security systems can have a significant impact on user confidence in digital services. Policyholders may fear that their personal data is not sufficiently protected, which may lead them to avoid using online services and prefer more costly and less efficient traditional modes of communication. A study carried out by Ipsos on behalf of Microsoft in 2021 revealed that 66% of French people were concerned about the security of their personal data when using digital services.

Rigorous preventive measures

It is therefore essential to put in place robust security measures, establish incident response protocols and communicate effectively with policyholders to restore trust and ensure the continuity of digital social security services. These include firewalls and intrusion detection solutions, the use of strong authentication systems (multi-factor authentication), and regular software and application updates to plug known vulnerabilities. Regular backup of sensitive data is also essential to minimize losses in the event of an attack or compromise, as is the use of encryption techniques to protect data in transit and at rest.

Secondly, social security organizations need to apply technical, organizational and human security measures to reinforce the resilience of their systems. These measures include constant monitoring of networks and systems to detect suspicious activity and potential intrusions. They also involve the development of clear security policies and incident management procedures, combined with appropriate access controls to limit user privileges and authorizations, thus reducing the risk of compromise.
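The "constant monitoring of networks and systems to detect suspicious activity" mentioned above is easier to picture with a concrete detection. The following Python script is an added example written for this page, not code from the article or from any social security organization. It runs two simple rules over a constructed authentication log for a hypothetical policyholder login portal: one source address failing against many different accounts in a short window (password spraying, which exploits the weak and reused passwords described earlier), and an account that logs in successfully right after a burst of failures (a possible takeover). The log format, the thresholds and the sample lines are all assumptions.

```python
"""Flag suspicious login patterns in a portal authentication log.

Added example (not from the original article). Log format, thresholds
and sample data are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, account, outcome.
# Addresses are from documentation ranges; account names are invented.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z ip=203.0.113.10 user=a.martin result=FAIL
2024-03-01T08:00:03Z ip=203.0.113.10 user=b.durand result=FAIL
2024-03-01T08:00:05Z ip=203.0.113.10 user=c.petit result=FAIL
2024-03-01T08:00:07Z ip=203.0.113.10 user=d.leroy result=FAIL
2024-03-01T08:00:09Z ip=203.0.113.10 user=e.moreau result=FAIL
2024-03-01T08:00:11Z ip=203.0.113.10 user=f.simon result=FAIL
2024-03-01T08:05:00Z ip=198.51.100.7 user=g.laurent result=FAIL
2024-03-01T08:05:10Z ip=198.51.100.7 user=g.laurent result=FAIL
2024-03-01T08:05:20Z ip=198.51.100.7 user=g.laurent result=FAIL
2024-03-01T08:05:30Z ip=198.51.100.7 user=g.laurent result=FAIL
2024-03-01T08:05:40Z ip=198.51.100.7 user=g.laurent result=FAIL
2024-03-01T08:05:50Z ip=198.51.100.7 user=g.laurent result=SUCCESS
2024-03-01T09:00:00Z ip=192.0.2.44 user=h.bernard result=FAIL
2024-03-01T09:00:30Z ip=192.0.2.44 user=h.bernard result=SUCCESS
"""

# Assumed thresholds; a real deployment would tune these to its own traffic.
SPRAY_DISTINCT_USERS = 5              # distinct accounts failed from one IP ...
SPRAY_WINDOW = timedelta(minutes=10)  # ... within this sliding window
BRUTE_FAILS_BEFORE_SUCCESS = 5        # failures on one account before a success
BRUTE_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one 'ts ip=.. user=.. result=..' line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "SUCCESS",
    }


def detect(log_text):
    """Return a list of (rule, subject, count) alerts found in the log."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []

    # Rule 1: password spraying. One IP failing against many distinct accounts
    # inside the window; each IP is reported once.
    fails_by_ip = defaultdict(list)  # ip -> [(ts, user), ...] within window
    flagged_ips = set()
    for e in events:
        if e["ok"]:
            continue
        window = fails_by_ip[e["ip"]]
        window.append((e["ts"], e["user"]))
        while window and e["ts"] - window[0][0] > SPRAY_WINDOW:
            window.pop(0)
        distinct = {u for _, u in window}
        if len(distinct) >= SPRAY_DISTINCT_USERS and e["ip"] not in flagged_ips:
            flagged_ips.add(e["ip"])
            alerts.append(("password_spraying", e["ip"], len(distinct)))

    # Rule 2: a burst of failures on one account followed by a success, which
    # is what a guessed or brute-forced password looks like in the log.
    fails_by_user = defaultdict(list)  # user -> [ts, ...] within window
    for e in events:
        recent = fails_by_user[e["user"]]
        while recent and e["ts"] - recent[0] > BRUTE_WINDOW:
            recent.pop(0)
        if e["ok"]:
            if len(recent) >= BRUTE_FAILS_BEFORE_SUCCESS:
                alerts.append(("success_after_brute_force", e["user"], len(recent)))
            recent.clear()
        else:
            recent.append(e["ts"])
    return alerts


if __name__ == "__main__":
    for rule, subject, count in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject} ({count} failures)")
```

On the sample data the first rule fires once for 203.0.113.10 and the second once for g.laurent; h.bernard's single mistyped password and the single-account failures from 198.51.100.7 stay below the thresholds. In practice such alerts feed an incident management procedure of the kind the article calls for, and the same log is also where multi-factor authentication and account lockout policies show their effect.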

In order to raise user awareness, organizations can hold regular awareness and training sessions, distribute security alerts and recommendations via internal and external communication channels such as social security organization websites and social media, and constantly encourage users to report any suspicious activity or suspicious e-mails immediately.

In terms of sustainability, social security organizations need to draw up business continuity plans and crisis management plans to deal with cyberattacks, including the identification of critical processes and services, the definition of clear procedures for restoring services, and the maintenance of coordination with the relevant authorities, cybersecurity service providers and external stakeholders for an effective response in the event of an incident.

Our outlook for the future

It is crucial to keep a close eye on the evolution of threats and potential attacks in the field of social security. Cybercriminals are constantly using new tactics and techniques to compromise social security systems. What’s more, with the advent of new technologies and AI, attacks are becoming ever more precise and impactful. Social security organizations therefore need to invest in appropriate resources and technologies to strengthen the resilience of their systems in the face of cyberattacks. This includes allocating adequate budgets for cybersecurity, hiring security experts, using advanced security solutions and setting up effective monitoring and detection mechanisms. The reform of the Public Procurement Code, called for by many cyber experts, would enable public institutions to protect themselves with European and sovereign solutions.

“Collaboration between social security organizations, government authorities and cybersecurity companies is essential to deal with cyberattacks,” says Frans Imbert-Vier, cybersecurity expert and CEO of UBCOM.

It is crucial to build strong partnerships, share information on threats and incidents, and benefit from the expertise and resources of external stakeholders. With this in mind, it is becoming vital to raise awareness of cybersecurity issues among political decision-makers and those responsible for social security.