The Pillars of Tomorrow's Resilient e-Health System
Governance, Awareness, Standardization, and Interoperability
An interview with:
- Jean-Noël de Galzain, founder and CEO of WALLIX
- Philippe Loudenot, former member of the French Healthcare Ministry
“Cybersecurity is not a question for CIOs but of governance,” says Philippe Loudenot in an interview for the French healthcare publication, Tic Santé.
How mature are hospital managers with regard to this approach to cybersecurity?
Philippe Loudenot: We are not there yet; there is still work to be done. Among the 3,000 health establishments in France, the level of maturity varies from one establishment to another. However, the awareness is there, as a direct result of the major cyber-attacks that have shaken the health sector in recent times. One thinks in particular of the Rouen University Hospital, victim of a ransomware attack in November last year which brought all equipment to a halt, including not only computers but also lifts, medical imaging, and analysis systems. Proof that cybersecurity doesn’t concern just the IT department but all departments of the hospital. Everything is now interconnected and entire sections of the hospital are “digitally dependent.” The hospital of tomorrow is digital; we can no longer think of cybersecurity in silos. The biggest risk facing the hospital is concurrent incidents. Can you imagine if the fire at the Lubrizol factory had taken place at the same time as the cyber-attack on Rouen University Hospital? Or if a cyber-attack of the same magnitude hit one of our hospitals right now, in the middle of a pandemic? Cybersecurity must be addressed globally.
What do you think of this approach?
Jean-Noël de Galzain: Taking a non-governance approach to cybersecurity inevitably leaves gaping cybersecurity holes in the hospital’s IT system. IT teams are already stretched to the limit to keep technology operational and secure, and there are unfortunately not enough resources to take a detailed approach. We need to think about governance for securing the overall IT infrastructure, managing the digital identities of users connecting to the hospital’s IT systems, and data protection. This is the key to an infrastructure that is resilient to cyber-attacks.
In terms of impact, it is clear that managers have a duty to keep the IT system up and running. The stakes can be lethal, as was the case in Düsseldorf a few weeks ago. The clinic’s admission system broke down because of a cyber-attack which interfered with the care of a Covid-19 patient who died while being transferred to another clinic in the city. Failure to integrate cybersecurity into the governance of the hospital is potentially life-threatening, and managers must understand that they have a responsibility to do so.
ENISA, the European Cyber Security Agency, has published a cybersecurity guide for European hospitals, released in February 2020. The guide provides recommendations and best practices for including cybersecurity issues in the procurement processes for hospital equipment.
What do you think of this initiative? Regarding your fight for the creation of a trusted European digital space, is it not too late? Tomorrow, can or even should we envisage a management/standardization of cyber health security at the European level?
Jean-Noël: It is never too late for such initiatives. It should be noted that ENISA is a fairly recent organization (2004) and is taking a stand on many issues. It deals with major technological issues such as cybersecurity, 5G, the Internet of Things (IoT) and data hosting. Moreover, it has already implemented the Cybersecurity Act last year and is therefore not lacking in terms of concrete actions. Whether this initiative is useful or not for health practitioners is not the issue. We must consider digital standards at the European level, beyond those of the Cloud Act. This “data pump” set up years ago by Big Tech systematically siphons off patient data and then turns it into a business. It is our duty, as the players in cybersecurity, to ensure that our healthcare institutions have a trusted digital space to store this data, the most personal and precious data there is, and then to use algorithms that will be ours, in order to advance research and develop vaccines as quickly as possible. Working with ENISA means moving towards the digital standardization that we need today.
How do we achieve digital standardization? Through interoperability. We need to work together to ensure that our solutions work together to adapt to the needs of healthcare business managers and those of all sectors. It is from this observation that the Comité Stratégique de Filière, or the GAIA-X project, the European meta-cloud, were born. Their vocation is to create a true ecosystem of trustworthy European digital technology, capable of adapting to the American giants, in order to enable the expansion of reliable and secure digital technology.
Philippe, what do you think of this initiative? Do you think this guide will be followed by French hospitals? Are they listening to European organizations such as ENISA? Tomorrow, can or should we even envisage a management/standardization of cyber health security at the European level?
Philippe: This is an excellent initiative. Even if the guide is not yet widespread among French hospitals, it exists and we are promoting it. It joins the roadmap for digital healthcare of the Agence du Numérique en Santé (ANS) and the Délégation du Numérique en Santé (DNS), national organizations focused on the digitization of the healthcare sector, with the main objective of setting up governance across the 3,000 healthcare establishments with the aim of standardizing digital uses and cybersecurity processes, which can be very challenging.
The aim today is to go further than ENISA in standardization, the scope of the guide being limited to the IT infrastructure. What the health sector needs is a standardization of processes. As with cars that must pass regular technical inspections, digital equipment in hospitals should pass security checks periodically. We otherwise end up with devices that are sometimes more than 20 years old, due to lack of resources. Yet an obsolete IT system is highly vulnerable and, in the event of a cyber-attack, the financial consequences will be much greater than the cost of upgrading it with the minimum security required. Cybersecurity should be seen as a performance driver, not a cost center.
In the same vein, the Food and Drug Administration (FDA) in the United States is reporting on devices in the biomedical sector that could be vulnerable to cyber-attacks. In France, to a lesser extent, we have Cyberveille Santé, which aims to support manufacturers of medical devices, as well as energy management, lifts, and all connected equipment in hospitals, for whom cybersecurity is not their core business, by proposing prerequisites. This is what we call cybersecurity “by design”.
We have seen that many cyber-attacks on hospitals come from phishing. Take for example Montpellier University Hospital where in March 2019 more than 600 computers were infected. The cause? A hospital employee who accidentally clicked on a malicious link in a phishing e-mail.
What are hospitals doing to raise awareness of cybersecurity among their employees?
Philippe: This is indeed an important topic, and it is important to adapt awareness messages to the target audience. Each actor in the health ecosystem (staff, health professionals, hospital management, etc.) has a different vision of the structure for which they work. It is therefore necessary to take into account the difficulties of each person’s job.
In an ideal world, we would be aware of cybersecurity from primary school onwards. There would be cybersecurity training in the medical school curriculum, especially in courses for future hospital managers, to teach that cyber risk is just as important as financial or human risk, if not more so, because cyber risk is often a catalyst for another risk: the concurrent incidents we spoke about earlier.
In concrete terms, to date we can count on Cybermalveillance.gouv actions to bring cybersecurity awareness to as many people as possible. In the hospital world, shortly before the health crisis, we launched the “Cyber Vigilance” awareness campaign, which was slowed down with the impacts of Covid-19. In my opinion, the most effective and most concrete efforts to date are cyber-crisis management exercises that simulate complete digital equipment failures and test the response plans of health establishments.
Can human error be overcome with technology?
Jean-Noël: Yes, it is possible, but we have to keep in mind that there is no such thing as Zero Risk and that a digital tool will never replace a human being, especially in the world of healthcare, where each patient is unique. It is the experience of the health professional at any given moment that will enable the right decision to be made.
To protect a hospital’s IT system, it is essential to have password management, data access protection, and identity governance solutions, but to maximize the level of security, users of these solutions must be made aware and trained.
As Philippe says, it is indeed important to have popular education on cybersecurity from a very young age to combat the human errors that we are facing today. In the Comité Stratégique de Filière strategic committee we understand and have already made proposals to the Ministry of Education to add cybersecurity training in school, from primary schools up through graduate level. These proposals are on the right track and we hope to see them implemented quickly.
How have hospitals handled lockdowns with the introduction of new digital uses such as remote working, teleconsultation, etc. creating so many new entry points for hackers?
Philippe: Out of 3,000 health facilities, some were better prepared than others, but it can be said that no one was really ready. On the other hand, we saw a surge of “cyber solidarity”. Cybersecurity actors generously offered their solutions to help quickly secure teleworking or to reinforce the detection of cyber-attacks, for example. I would like to sincerely thank them; this is a phenomenon I did not expect.
I would also like to point out that the wave of cyber-attacks has not been as dramatic as we feared in the media. Health organizations here are obligated to report security incidents, and the press picks it up because it is a frightening subject. What happened in Düsseldorf was certainly terrible, but an attack on the scale of WannaCry would have killed between 600 and 900 people, according to cybersecurity researchers. Except that at the time, it went unnoticed. The balance sheet for our French hospitals is therefore rather positive, and the fact that some were affected, such as the AP-HP hospital group for example, does not mean the numbers are that bad, in fact. The ransomware of which the AP-HP was a victim was very well handled. However, they had a legal obligation to declare it, and the “headline effect” has raised the awareness of some hospital directors.
How did your healthcare sector clients prepare for the lockdowns?
Jean-Noël: In line with Philippe’s remarks, globally, hospitals have resisted well, even if nobody was really prepared for complete lockdowns. We were all equally unprepared for the first wave and we are better equipped for the second. All the hospitals that hadn’t made enough progress with their digital transformation had to work three times as hard to manage the impacts of lockdown. We, as cybersecurity actors, made our solutions available, offered license extensions, and expanded day and night support to help hospitals when needed, but the hospital purchasing centers also did a lot of work to very quickly propose catalogues of cybersecurity solutions to respond to the urgency of the situation. Today, even if we have not yet achieved the level of standardization we want, hospitals can still rely on government organizations such as ANSSI or the France Cybersecurity Label to implement certified and therefore safe solutions quickly, without second-guessing.
I also agree that the slightest cyber-attack on a hospital is reported in the press. However, it must serve as a warning about cyber risks.
And tomorrow, post-COVID, cybersecurity in hospitals will be…
The health crisis has acted as an accelerator in the digital transformation of hospitals. What about cybersecurity? What will it change in concrete terms (new approach, new tools…)?
Philippe: There is still a relatively large margin for progress. Stimulus plans will help us to continue and sustain the digital transformation of hospitals and cybersecurity efforts. And it is not only hospitals that are affected by the digital transformation, but the entire healthcare system, including clinics and healthcare professionals. The biggest challenge will be to make CISOs understand that cybersecurity is not just a matter of complying with regulatory requirements. A “one-shot” action is not enough; actions must be sustainable. Compliance must adapt to the changing state of the art. Once again, we can take the example of safety testing for cars. Compliance must be reassessed every year.
Jean-Noël: The first step after experiencing an event of this nature is to bring the different components of the digital ecosystem closer together, namely, users and cybersecurity specialists. This role will be taken on by the state through its recovery plans, which will lead to a safer and more useful digital environment in the future. In particular, I was able to work on the cybersecurity aspect of the Cyber Acceleration Plan that will soon be announced by President Macron. The strategic committee will also mobilize to raise the overall level of risk management in healthcare institutions.
In the longer term, the objective will be the standardization of digital and cybersecurity. However, given the scale of the task and the resources we have, in an industry that is not yet mature and yet critical, we will have to be pragmatic. Hospitals will need to rely on cybersecurity solutions providers who will become true strategic partners to address all their needs within their limited budgets.
For our part, we are going to focus our efforts on interoperability to facilitate the integration of our solutions to ensure regulatory compliance but also to carry out ongoing security audits. We will ensure that healthcare institutions regain control of their IT systems through a Zero Trust approach to cybersecurity.