Cybersecurity and health: “the challenge is not only financial but also human”
“To properly secure healthcare IT infrastructures, an investment budget is necessary for implementing appropriate solutions and hiring qualified personnel. The France Relance plan addresses the financial aspect, which is a good first step. However, without sufficient human resources, projects cannot be implemented effectively. We must focus on recruitment while ensuring awareness and training across all hospital professions. Cybersecurity has now become a governance matter.”
In an exclusive interview with Health & Tech Intelligence, François Lancereau, a healthcare specialist at WALLIX, a European cybersecurity software company specializing in privileged access and identity management, discusses the current challenges faced by healthcare institutions.
“Europe must establish itself and set its own rules.”
WALLIX and its healthcare sector activities
Please briefly introduce WALLIX and your healthcare sector operations.
François Lancereau:
Our expertise lies in securing privileged access and identities. We operate in over 90 countries with more than 2,000 clients worldwide. While maintaining a strong presence in France, we have expanded internationally throughout our 20-year history. The company was established in 2003. This global reach allows us to navigate different regulatory environments. For example, the same product may have various applications depending on whether our client is based in the United States or France.
Our solutions, WALLIX PAM & WALLIX ONE PAM (Privileged Access Management), secure all user access, both human and machine, within an organization according to the principle of least privilege. This enables tracking who does what, where, when, and how.
Our primary sectors include industry, healthcare, and financial services, with expertise in industrial IoT. Connected equipment such as factory production machines, laboratory robots, and MRI scanners is critical technology often running on legacy Windows systems.
Several hospitals we have partnered with in recent years discovered concerning patterns in user behavior after implementing WALLIX PAM, particularly among service providers. They could now monitor connection periods and identify equipment with recurring failures. Since deploying our security gateway, these devices no longer experience failures. Our solution promotes accountability. We do not prevent work, but rather make it secure.
The necessity of recruiting specialized personnel
Cyberattacks against healthcare organizations are increasing, with the Centre Hospitalier Sud Francilien (CHSF) incident being a recent and highly publicized example. Do you believe hospital budget allocations for cybersecurity are adequate?
François Lancereau:
The current hospital budgets are insufficient. Notably, when hospitals first needed to appoint CIOs, these roles were often assigned to physicians with some affinity for technology. This approach has evolved significantly. Those physicians developed genuine IT expertise, or the positions were reassigned to qualified professionals. This transition began before COVID-19, but the numerous attacks against the sector during and after the pandemic helped establish the collective understanding that these roles require genuine expertise.
Previously, CISOs were perceived as harbingers of doom, constantly warning about the need for dedicated cybersecurity budgets, the implementation of specific practices, and staff awareness initiatives. They were typically told there was neither budget nor time for their recommendations until disaster struck and proved them right. Had their advice been heeded, certain situations could have been prevented or contained.
Financial resources enable both material and human capacity. The France Relance plan assists institutions with capital investments, but they must recognize the equal need for qualified personnel to manage these systems.
The issue extends beyond budgets to encompass resources broadly defined, including competent, trained personnel. The advantage today is that cybersecurity now commands attention in ways previously unseen. Everyone understands the potentially catastrophic effects of cyberattacks on hospital services. For instance, if attackers turn off operating theater ventilation systems, immediate closure becomes necessary as non-ventilated theaters lose sterility. If a patient is undergoing surgery during such an attack and systems fail, the consequences could be devastating.
Organizational ownership of cybersecurity
Who should take responsibility for cybersecurity within healthcare facilities to prevent such attacks?
François Lancereau:
The problem is not about designating a single responsible party. That approach merely passes responsibility until someone, typically the CISO, becomes the designated scapegoat when incidents occur. This subject requires genuine governance to make it a shared organizational concern. Isolated approaches are no longer viable.
The issue must be addressed holistically. While the CISO plays a crucial role in making recommendations to secure various functions, they need support from the IT department and clinical staff, including nurses, physicians, and laboratory personnel.
The challenge lies in achieving universal buy-in. Changing established work practices is a difficult task. Therefore, awareness and training are essential components of cybersecurity initiatives. Without effective change management, projects risk failure. Everyone within the organization must take ownership of security to prevent vulnerabilities.
Regarding attack anticipation, some facilities currently employ VPNs (Virtual Private Networks) to monitor ingress and egress. For example, cleaning staff may be required to badge in and out when they enter. But what assurance do we have regarding their identity? Furthermore, such badges may grant unrestricted access throughout the facility. This represents a fundamental problem. We lack visibility into actual activities within the organization, and there is no feedback mechanism. Consider Uber’s breach in late 2016 and again last September. Despite being a large American company with substantial resources, they required two years to discover they had been compromised, despite having no evidence.
Today, we must secure all potential entry points for attackers. As long as human elements exist, risks remain. The question is not if an attack will occur, but when.
Regulatory considerations
Should specific regulations be implemented? Should the European Cyber Resilience Act, which is being drafted for connected devices, be expanded?
François Lancereau:
Regulations serve a purpose, but enforcement is critical. It would be unrealistic to ask you to complete fifty tasks in a single day. Nevertheless, certain areas require legislation. For example, many biomedical devices manufactured by foreign vendors operate under different regulatory frameworks than ours. Some will need to comply with French legislation. They can no longer operate as they wish, despite a transitional period.
Some of our clients have already contacted WALLIX specifically to explore interface options with our solutions to enable activity tracking, as every healthcare facility is now expected to maintain awareness of internal operations.
Previously, these manufacturers could evade specific controls or regulations; however, this is no longer possible. European regulations help establish the principle that “they no longer have a choice.” Institutions no longer adapt to manufacturers; manufacturers must adapt to institutional requirements. We have initiated discussions with numerous vendors to facilitate this transition. In this context, French and European legislation proves especially valuable. As mentioned earlier, the primary need for hospitals remains adequate resources internally.
The French Recovery Plan’s impact
A revised HDS certification standard is currently under development, and the new French digital health roadmap for 2023-2027 is expected to prioritize cybersecurity. What are your expectations regarding these regulatory changes?
François Lancereau:
We must consider security “by design.” When developing solutions, security considerations should be integrated from inception, or at the very least, the system should be designed for straightforward security implementation. How do we verify provenance and system security when installing and connecting cameras to IT infrastructure in operating theaters? We must control everything entering the hospital environment and ensure the safety and security of the equipment.
At WALLIX, we have developed awareness programs for major educational institutions, targeting tomorrow’s business leaders and technical and administrative managers. When someone accesses their email and encounters suspicious messages, their instinct should be to avoid opening them, alert IT personnel, and delete them. When conducting phishing tests within organizations, we find that susceptible individuals are not always who we expect. They might be managers or receptionists, with varying impacts depending on their role.
We aim to develop these reflexes in emerging generations beyond basic education. The concept involves raising awareness from early childhood, beginning in primary school, as children engage with digital tools at increasingly younger ages. Sound cybersecurity practices must become instinctive, much like teaching children to look both ways before crossing the street.
Have you observed an evolution in general cybersecurity awareness?
François Lancereau:
Until recently, while everyone acknowledged the utility of PAM (Privileged Access Management) solutions, there was limited recognition of their necessity. That is no longer debatable. It is now evident that these solutions are essential for managing identities and monitoring internal activities, including the actions of service providers. Hospitals typically have hundreds of service providers logging in daily, resulting in a constant flow of people entering and exiting. Such solutions enable camera monitoring, access controls, anomalous behavior detection, and blocking mechanisms.
In this regard, the France Relance plan provides significant assistance, enabling hospitals to acquire previously unaffordable solutions due to financial constraints. The only limitation is that it allows for financing at a specific moment, whereas ongoing investment will be necessary in the years to come.
Nevertheless, the France Relance plan has been invaluable for numerous healthcare institutions. While its implementation was delayed, its arrival represents meaningful progress.
Ransom payments: “A unified EU-wide rejection is necessary.”
What is your position on ransom payments?
François Lancereau:
Paying ransoms demanded by attackers is problematic. Once the government validates the principle of ransom payments by insurance companies, which may serve those companies’ interests, it creates an ideal scenario for cyber attackers. Consequently, every hacker worldwide will likely target France.
This underscores the importance of European regulations. While France has made significant advancements in this area, we face American tech giants that have historically operated with minimal constraints. Europe must establish itself and dictate its own rules. France alone cannot achieve this. A unified rejection is necessary throughout the European Union.
Read the complete interview on the Health & Tech Intelligence website (in French)
Key Points on Healthcare Cybersecurity
Hospital Cybersecurity Funding
The current budgetary allocations for hospital cybersecurity infrastructure are insufficient. The France Recovery Plan has helped many healthcare institutions implement security solutions that were previously unattainable.
Personnel Requirements
Recruiting qualified information technology personnel is as necessary as technological investments.
Organizational Structure
Information technology security requires a comprehensive organizational approach as a governance matter, rather than being solely the responsibility of the Chief Information Security Officer. Security accountability must be distributed across all organizational levels to reduce vulnerability risks.
Staff Awareness
A significant challenge exists in developing security awareness among all staff members. Without effective change management protocols, cybersecurity initiatives may fail.
Regulatory Developments
Previously, certain international manufacturers could bypass specific regulatory requirements. This is no longer possible. European regulations now provide value in this domain. The industry is moving toward a compliance principle that requires manufacturers to adapt to facility requirements rather than facilities accommodating manufacturer limitations. Discussions have begun with numerous vendors to support this transition.
Design Considerations
Integrating security measures during the design phase is important. Oversight of all systems entering the hospital environment is needed, as is verification that equipment can be properly secured and protected.
Ransomware Policy
Paying ransoms is considered problematic. Europe must establish its position and implement its own regulatory framework. A unified refusal to pay ransoms is needed throughout the European Union.
Education
Developing proper cybersecurity habits among younger generations, with education beginning at the primary school level, remains an important consideration.