Health: How to secure a hyper exposed sector
The topic of connected health was on the round table agenda at Les Assises de la Sécurité et des Systèmes d’Information last October in Paris.
Under the leadership of moderator Philippe Houdenot of the Ministry of Social Affairs, Charles Blanc-Rolin, CISO of a regional hospital grouping; Auriane Lemesle, e-health manager in Pays de la Loire; and Jean-François Parguet, technical director at the Ministry of Health, discussed the technological obstacles the healthcare sector faces in securing French e-health properly.
Connected health services: An alarming landscape
Cyber security is weak in French hospitals regardless of their size or type, and many have been hit by ransomware. Software is obsolete and budgets for technological equipment are minimal, whether at large university hospitals or small nursing homes. The Ministry of Health suggests a sociological reason for this situation.
The healthcare sector in France consists of 240 000 doctors, 700 000 nurses, 3 000 hospitals (including 900 regional hospital groupings) and 100 000 other structures. There are two million professionals, 33 regulated professions, 300 000 private practitioners and 400 000 legal entities.
Such a diverse population, a truly French characteristic, does not lend itself to a single, imposed way of operating. Doctors can opt out and are free to manage their practice or structure as they see fit. An observatory dedicated to cyber incidents in French healthcare structures has been running for two years; 700 incidents were identified in the first year, averaging 30 per month.
A number of structures requested assistance in managing the incidents, and 84% of reports came from healthcare institutions themselves, for which reporting is mandatory. Forty-one percent of incidents affected patients' personal information. On a positive note, only 43% of events were linked to malicious acts.
The complexity also stems from the fact that the GDPR and the CNIL (the French data protection authority) come into play as soon as patient data is involved. The question of OIV (operators of vital importance) is also raised. Given the stakes, cyber security cannot be left to chance in connected health services.
Cyber secure solutions for connected health services
The website cyberveillesante.fr offers a cyber-threat watch for the healthcare sector in France, with private forums for CISOs (chief information security officers).
It also offers public tools: a toolkit and emergency response sheets for incidents, which are useful for small structures. Cyber monitoring for connected health services was also launched six months ago.
Santé numérique 2022: A springboard for better e-health
As part of the Santé numérique 2022 objective, connected health services players continually monitor the deep web and scan the internet-exposed parts of institutions' sites for vulnerabilities.
By recording vulnerabilities every six months, the structure compares similar institutions in order to map their levels of exposure. It is important to support hospital CISOs over the long term. All this is taking place in a context where France lags behind because of budget constraints in hospitals. The Santé numérique 2022 plan therefore serves as a lever for these processes.
Beyond remediation, guidelines for preventing incidents will need to be drawn up, since preventing damage is less expensive than handling a computer incident. The systems must be interoperable. However, the lack of human resources and obsolete systems are real obstacles to these objectives.
One special feature of biomedical device software is that it is impossible to apply patches or to install firewalls or anti-malware. The devices are often specific to a medical specialty and have to remain in service longer than equipment in a company or public administration. Their internal networks are sealed off.
Connected health services stakeholders, State and Europe: Areas for work
The Pays de la Loire Regional Health Agency offers a fine example, working on prevention and raising awareness of secure connected health services, and sharing information and good practices.
Training and webinars are organised in response to needs or incidents, and non-intrusive anti-malware solutions are tested. On a more playful note, digital security escape games for connected health services are offered. While this dynamism seems to have taken off in a region like Pays de la Loire, disparities still exist between regions.
Europe, for its part, is working on biomedical device regulations that will take cyber security into account. This is good news for health institution CISOs who, on private forums, frequently discuss ahead of calls for tenders which devices to purchase in order to avoid flaws.
The Ministry of Health is studying 13 establishments that will undergo three mandatory audits plus a crisis exercise. The stakes are high, as more and more care services are totally digitally dependent.
Speakers: Charles Blanc-Rolin, GHT 15; Auriane Lemesle, GCS E-SANTE PAYS DE LA LOIRE; Jean-François Parguet.