Anticipating risk and sharing information: towards cyber resilience in healthcare

Cyberattacks on French hospitals have been on the rise since 2023. This phenomenon is indicative of a booming criminal market. Aware of this threat, the public authorities have earmarked significant resources to strengthen the IT security of healthcare institutions and better prepare them to cope with digital risks. In addition, teams need to be made more aware of the issue, and the organisation and governance of cybersecurity need to be consolidated. A willingness to share and cooperate will ensure the cyber resilience of healthcare in France.

Already strong obligations

Hospitals are among the operators of vital importance and must, as required by the French Military Planning Law (LPM), strengthen the security of their information systems. This law provides for the security of organisations' information systems to be upgraded to prevent, for example, a cyberattack from disrupting the continuity of service in operating theatres, taking control of an entire hospital or its electrical network, altering the functions of a connected healthcare device or falsifying vital patient data, with consequences not only for the proper functioning of the nation but also for the lives of patients themselves.

The entry into force of the LPM will require significant investment on the part of critical industries, and the French Cybersecurity Agency (ANSSI) estimates that they will need three years to fully roll out the cybersecurity controls laid down.

Healthcare organisations must, therefore, systematically devote 5-10% of their budget to information systems security, and the government is also making it compulsory for all training courses for healthcare professionals to include cybersecurity awareness training.

The hosting of health data collected during preventive, diagnostic, therapeutic or social monitoring activities is also subject to compliance with certain conditions, which must be met by obtaining approval under Article L. 1111-8 of the French Public Health Code.

As a result, only HDS-certified operators can host such health data. This certification requires compliance with certain standards and requirements, and the hosting service must be covered by a contract containing a number of compulsory clauses.

As part of their digital transition, players in the healthcare and medical-social sector must take cyber risk into account. To be effective, this requires both technical management (mobilisation of the IT Department and the CISO) and legal supervision (Legal Department and DPO).

Several objectives have been set:

  • Effectively prevent threats (contractualisation of relationships with subcontractors, drafting of procedures and charters, etc.)

  • Demonstrate compliance with applicable regulations (GDPR, legislation specific to the healthcare sector, etc.)

  • React to attacks when they occur, both from a technical point of view (e.g. business continuity and disaster recovery plans, BCP/DRP) and from a legal point of view (activation of insurance, notifications, informing the people concerned, crisis communication, managing the responsibilities of service providers, etc.)


New resources allocated

The French government is now allocating a total budget of more than €375 million to healthcare institutions to combat cyber threats. The French Cybersecurity Agency (ANSSI) and the French Digital Health Agency (ANS) are also offering human resources support to strengthen the security of their information systems.

The aim: to improve the security of hospital information systems (HIS). This funding will speed up the roll-out of the French ‘National Cyber Surveillance Service for Healthcare’ in partnership with the French Digital Health Agency (ANS) and develop the resources of the ‘Cyberwatch for Healthcare’ system to increase the response and support capabilities of ANS structures in the event of incidents or cyberattacks.


Managing and anticipating cyber risk

We have some of the best healthcare protection in the world. Let's make sure the same applies to the protection of our healthcare systems in the future. Managing cyber risk in healthcare is a key issue for our future. Cybersecurity requires dynamic risk analysis and mapping, and this must be the cornerstone of any action plan. Its purpose is to define all the actions needed to bring risk down to a level that can be accepted with full knowledge of the facts, at the right decision-making level. A risk-mapping tool makes the situation more concrete by modelling it, and its intuitive visual presentation makes it easier to share information between different parts of the organisation.


Information sharing and active cooperation

‘We strive to provide support for organisations and to put into practice our watchword: sharing. Many decision-makers think that sharing information makes them more vulnerable. But the opposite is true. Defenders have everything to gain from sharing information, and that's what we're proposing: studying attack methods, attacker profiles and potential vulnerabilities, and compiling them in a library for the benefit of all players in the industry’, explains Pierre Oger, CEO and Founder of EGERIE.

Risky situations can rarely be grasped without external information and can never be resolved alone. To protect ourselves, we need to share and circulate risk assessments, so that the whole community can benefit through a rebound effect. ‘There are striking similarities with soldiers: a soldier never goes to the front alone. They need others to advance, adapt to the situation and take decisions. In other words, each soldier is both a transmitter of useful information and a receiver of information from the community’, emphasises Pierre Oger.

The next crisis is sure to come; it is only a matter of time. If we want to anticipate it, we need to ensure that cybersecurity is at the heart of governance. Taking an interest in forward-looking scenarios of attack patterns that could affect information systems in the future will not prevent cyberattacks, but it will enable us to react more quickly and more effectively, and ensure the resilience of our vital systems.

‘The future of risk analysis will be increasingly industrialised. The only way of ensuring quick decision-making is to be assisted by an artificial intelligence tool, which improves the entire analysis, governance and risk management process. Today, the challenge of risk analysis lies in its modelling. We need to automate it even further so that we can build even more sophisticated and accurate attack trees that meet the ever-changing needs of end-users’, adds Pierre Oger.

Cybersecurity management is as much about ensuring the technical security of information systems as it is about raising awareness of the risks involved among all the stakeholders in an institution. Senior management must send out a clear message and set out clear ambitions for managing cybersecurity risks. However, it is only by involving the medical and healthcare communities that healthcare institutions will be able to deal with the risks of cyberattacks.
