Cybersecurity and health: "the challenge is not only financial but also human"
“In order to secure the IT infrastructures of healthcare institutions, you need a budget to invest in appropriate solutions, but you also need skills. The France Relance plan is a first step with support for the financial aspect. However, without human resources, projects cannot be carried out effectively. The emphasis must therefore be placed on recruitment, but also on awareness and training for all hospital professions. Cybersecurity is now a matter of governance.”
In an exclusive interview with Health & Tech Intelligence, François Lancereau, healthcare expert at WALLIX, a European IT security software company specializing in digital access and identity management, discusses the issues and challenges of cybersecurity in healthcare institutions.
“The EU has every interest in imposing itself to dictate its rules”
📌 Key elements of the discussion:
- François Lancereau believes that hospitals’ current cybersecurity budgets are “not sufficient” but points out that the France Recovery Plan has been a lifesaver for a large number of healthcare institutions: it has enabled them to acquire solutions that they could not previously obtain;
- He insists that the acquisition of human resources competent in computer science is also essential;
- “The subject of IT security must be addressed globally” within the organization (governance issues), and not just by the CISO for example, he notes: “it is necessary that all the people in the organization take ownership of the subject to avoid breaches”;
- One of the difficulties is to make all the staff aware of good practices: “without real change management, the cybersecurity project could be a failure”;
- In the past, some American or Japanese manufacturers were able to avoid certain controls or rules, but today this is no longer possible. “This is where European regulations help: we are moving towards the principle of ‘they no longer have a choice’. It’s no longer the facilities that adapt to the manufacturers, it’s the manufacturers that adapt to the facilities’ needs.” WALLIX has already begun discussions with many of them “to initiate this change”;
- François Lancereau also insists on the importance of integrating security aspects “by design”: “We have to supervise everything that is going to enter the hospital, make sure that the equipment can be made safe and/or secure”;
- For François Lancereau, the payment of ransoms is “an aberration”: “Europe has more than any other interest in imposing itself in order to dictate its rules (…) A massive ‘no’ is needed throughout the EU”;
- Finally, he stresses the importance of developing good computer security reflexes among the new generations, starting in elementary school.
Secure all user access “according to the principle of least privilege”
Could you present in a few words WALLIX and more particularly your activities in the health sector?
François Lancereau: Our specialty is securing access and digital identities. We are present in more than 90 countries with more than 2,000 customers worldwide. We have a strong presence in France, but we have been able to expand internationally over the past 20 years (the company was founded in 2003). This allows us to deal with the different disparities that exist in terms of regulations on the market: with the same product, we do not necessarily have the same applications depending on the origin of our customer (United States or France for example).
Our solution, WALLIX PAM4ALL (PAM: Privileged Access Management), aims at securing all the accesses of the users – human or machines – of an organization, according to the principle of least privilege. This makes it possible to identify who does what, where, when and how.
Our preferred sectors are industry, healthcare and financial services, with a strong expertise in industrial IoT (connected equipment / examples: factory production machines, scanners, robots in laboratories, MRIs, etc.): critical technologies that often run on very old versions of Windows.
Some of the hospitals with which we have contracted over the past few years realized – when they installed WALLIX PAM4ALL – the behavior of their users, particularly their service providers: reporting connection periods, identifying equipment that tended to have regular failures. Since the bastion is in place, they have noticed that these devices no longer have any failures, that everything is fine. With our solution, we make people responsible: we don’t prevent them from working, the goal is to make them secure.
Awareness of the need to recruit expert profiles
Cyber attacks are on the rise in the healthcare sector, the latest being the highly publicized attack at the Centre Hospitalier Sud Francilien (CHSF). In your opinion, are hospitals’ budget allocations sufficient to ensure their cyber protection?
Current hospital budgets are not sufficient. It is also important to understand that when it was originally necessary to appoint CIOs in hospitals, this role was often assigned automatically to doctors who had more or less of an affinity for IT. This organization has changed a lot since then: either some of these doctors have become IT experts, or the position has been assigned to people whose job it was. The process began before the Covid pandemic, and then, because of the various attacks that have taken place in the sector during and since the crisis, we have managed to integrate into the collective unconscious that it is necessary to assign this role to expert people who know what they are talking about.
Previously, CISOs were seen as doomsayers, warning of the need to have a dedicated cybersecurity budget, to implement this or that practice, to raise staff awareness, etc. They were generally told that there was neither the budget nor the time to implement their recommendations. Until disaster struck and they were proven right. If they had been listened to from the beginning, certain situations could have been avoided or at least contained.
The financial means allow us to have material but also human means. The France Relance plan helps institutions with the “capital” aspect, but they must understand that they also need to have the human resources to deal with these issues.
So the issue is not just about the budget, but about the “means” aspect in the broadest sense: having competent, trained people… The advantage today is that we now have a real ear for cybersecurity issues, an attention that we didn’t have before. Everyone understands that a cyber attack could have catastrophic effects on hospital services. For example, if hackers knock out the ventilation system in operating theatres, they have to close the theatre immediately, because a non-ventilated theatre is no longer sterile: if a patient is on the operating table at the time of the attack and everything stops, the consequences can be dramatic.
The need for real governance so that the issue becomes common
Who do you think should take ownership of this issue in healthcare facilities to prevent such attacks?
The problem is not “who”, otherwise everyone passes the buck until one of them catches it, for example the CISO: and if anything happens, he or she will have to take full responsibility. The subject must be taken with a real governance issue so that it becomes a common issue. It is no longer possible for everyone to act in their own corner.
The subject must be addressed in a global way. The CISO will have a role to play in making recommendations, because it is his job to secure the various professions, but he needs the support of the IT department and the staff (nurses, doctors, people who work in the laboratory, etc.).
What’s complicated is getting everyone on board. It is difficult to change work habits. Awareness and training are therefore essential when implementing cybersecurity projects. Without real change management, the project could fail. All the people in the organization must take ownership of the subject to avoid breaches.
Regarding the anticipation of attacks, there are a certain number of establishments that can currently use solutions such as the VPN (Virtual Private Network) to know who enters and who leaves. For example, when a person comes to clean, he/she can badge in and badge out. But what guarantee do we have that it is the person who is cleaning? Especially since with this kind of badge, this person can go anywhere in the establishment. That’s one of the main problems: we don’t know what people are actually doing in the organization. There’s no feedback. For example, Uber got hacked in late 2016 (and also last September…). It’s a large US company, with a lot of resources, but it took them 2 years to know they had been hacked. They had no evidence.
Today, we must be able to secure all the potential entry points for hackers. As long as there are humans, there will be risks. It’s not a question of “if” I’m going to be attacked, but “when”.
“Regulations are good, enforcing them is better”
Should specific regulations be put in place? Do you think that the Cyber Resilience Act, which is currently being drafted at European level for connected objects, should be extended?
Regulations are good, enforcing them is better. If I ask you to do 50 tasks in one day, it is not possible. But there are indeed things that need to be legislated. For example, there are many biomedical devices manufactured by foreign publishers that are subject to different laws than ours. Some of them will have to comply with French legislation: they can no longer act as they wish, but there is a period of uncertainty.
Some of our customers are already in contact with us (WALLIX) precisely so that we can see how to interface our solutions in order to be able to trace what they are doing because today, any health establishment is supposed to know what is going on at home.
Until now, these manufacturers had the possibility to escape certain controls or rules. Today, this is no longer possible. This is where the European regulation helps: we are converging towards the principle of “They no longer have a choice”. It is no longer the institutions that adapt to the manufacturers, but the manufacturers who adapt to the needs of the institutions. This is why we have already started discussions with many of them to initiate this change. It is in this context that French and European legislation are very important.
On the other hand, internally, for the hospitals, as I was saying, it is above all the means that they need.
“The France Recovery Plan has been a lifesaver for a large number of hospitals.”
An updated version of the HDS certification standard is under construction and the new French roadmap for digital health 2023-2027 should place cybersecurity among the priorities: What are your expectations regarding these regulatory changes?
You have to think about security “by design”: when you build a solution, you have to ask yourself right from the start how to ensure that it is secure, or at least how to make it easy to secure. In the operating room, if you install a camera and connect it to the IT infrastructure, how do you know where it comes from and whether the system is secure? You have to control everything that comes into the hospital, make sure that the equipment is “safe” and/or secure.
At WALLIX, for example, we have developed awareness-raising sessions within the major schools for those who will be tomorrow’s business leaders, the future technical and administrative managers. When someone logs on to their email and sees a strange email, their first instinct should be not to open it, to tell their IT department and to delete it. When we perform a phishing test in organizations, we notice that the people who respond to phishing are not always the ones we think of. It can be a manager or a receptionist: the impacts are not the same depending on the profile.
Our goal is to develop these reflexes in the new young generations, by going beyond learning the basics. The idea is to raise awareness from the earliest age, from elementary school onwards, because children start using digital tools very early on. Good cybersecurity practices must become a reflex, like teaching children to cross the street by looking right and left.
Do you feel that there has already been an evolution in general awareness on the subject of cybersecurity?
In addition, until now, everyone thought that PAM (Privileged Access Management) solutions were indeed useful, but there was no real awareness of their necessity. That’s no longer the issue: it’s now obvious that you need these solutions to manage identities and know what’s going on internally, but also what the service providers are doing, because a hospital has several hundred service providers who log on every day. It’s a hive of people coming in and out. Having these kinds of solutions allows us to have cameras, access controls, detect strange behavior and put in place blocking mechanisms.
In this sense, the France Relance plan really helps: it has enabled hospitals to acquire solutions that they could not previously purchase due to a lack of financial resources. The only drawback is that it allows for financing at a “T” moment. There is a recurring element to be expected in the years to come.
In any case, the France Relance plan has been a lifesaver for a large number of healthcare institutions. It’s a shame that it took so long, but now it’s here, it’s a step forward.
Ransom payments: “a massive EU-wide no” is needed
What is your opinion on ransom payments?
Personally, I think it is an aberration to pay the ransom demanded by the hackers. As soon as the State validates the principle of ransom payments by insurance companies (this may be of interest to these companies), from a cyber-attacker’s point of view, it is a godsend. All the hackers in the world will turn to France!
This is where European regulations are essential. We are very advanced on this subject in France, but on the other side we have the American giants (GAFAM) who until now have done whatever they wanted. Europe has more than any other interest in imposing itself to dictate its rules. France alone can do nothing: a massive “no” is needed at the level of the entire European Union.