As part of the European month of cybersecurity, the think tank Digital Renaissance and antivirus software publisher Kaspersky organized a thematic morning on the issue of data security and information systems in the healthcare world.
Gilles Castéran, executive director of Accenture Security France; Stéphane Pierrefitte, Director of Information Systems, GHU Paris Psychiatrie Neurosciences; Bertrand Trastour, responsible for B-to-B (business-to-business) activities at Kaspersky France; and Ms. Annabelle Richard, Associate Counsel at Pinsent Masons, examined the specific challenges of cybersecurity in health.
"350 euros is the price of a medical file on the black market," Bertrand Trastour explained. Although the amount may seem derisory, "it is 2.5 times higher than for any other document and this represents astronomical sums in the event of a large-scale cyber attack," he said.
"In the hospital world, we have gone from 1 to 2 major attacks per month to 1 to 2 attacks per week since 2017. The number of computer attacks has tripled and strong pressure is now weighing on the national territory, and this trend is confirmed in all European countries."
To counter these attacks, Kaspersky's expert set out the priorities for cybersecurity in health: first and foremost, training teams in security; raising the awareness of CIOs and human resources departments of health facilities to "support the rise of staff skills"; and educating users to understand cyber threats.
This point of view is shared by Gilles Castéran, according to whom "we must bring health professionals to see the interest of digital and data security, presenting them with the benefits for the system".
While several universities set up specialized courses and deliver diploma courses in e-health, the specific issue of cybersecurity remains the preserve of a few experts.
According to a study conducted by YouGov for Kaspersky France, published in July 2019, 55% of healthcare professionals believe that they do not have the necessary resources to guarantee a sufficient level of security and confidentiality of health data, and 32% of them admit to a lack of knowledge and training on the subject.
Required to handle patient data on a daily basis, 70% of health professionals are concerned about cybersecurity and privacy issues, the YouGov study for Kaspersky reported.
However, "to find the solutions and succeed in maintaining an operational organization, while it has undergone an attack", the health professional must understand "the basics of security," said Gilles Castéran.
Invited to speak about the implementation of security rules at the hospital, Stéphane Pierrefitte, director of information systems of the GHU Paris Psychiatrie Neurosciences, noted "difficulties of a cultural rather than technical nature".
"It is necessary to install a real climate of trust, for staff and for patients, but in this dimension how to connect without creating new flaws?" he asked.
"We are working with today's technologies and tools, and this is a chance, but problems can also arise from the medical devices and tools of actors outside the hospital," he added.
Gilles Castéran also deplored "these cyber threats that have an increasingly strong impact and are increasingly sophisticated and targeted." In addition, the Accenture manager confirmed that 40% of these cyber threats stem from the environment 'outside' the health facility.
To respond effectively to this threat, "security passes by the human," advocated Bertrand Trastour, head of Kaspersky. Citing the recruitment of cybersecurity specialists, the training of staff and awareness-raising for all actors in the chain, he argued that "the user is not the weakest link, he can be the strongest link if he is properly trained".
Meanwhile, although the legislator has advanced on the issue since 2018 with the entry into force of the law transposing European Directive 2016/1148 of 6 July 2016, known as the NIS (Network and Information Security) Directive, and of the European General Data Protection Regulation (GDPR) 2016/679, "the health sector has a lot of data security texts but it is managed by different institutions", which makes the legal framework "difficult", lamented Annabelle Richard.
"Security is only effective if it is managed in a multidisciplinary way by the technical, legal and medical teams," the lawyer said. "From a legal point of view, there is a contractualization of the relationship between all the actors of the ecosystem and all must be informed and be aware of the real risks induced by the cyber threat".
Annabelle Richard also called for anticipation. "You have to practice implementing security processes in the event of a cyberattack to maintain a good level of security. As for a stroke, during a cyberattack, the first hours are the most important," she explained.
Paradoxically, the safety barriers and the "heaviness" of the process can create distrust among health professionals, rather than the confidence they must embody.
"We must now think that the imperative of safety does not slow down the work of the teams and does not represent a brake," warned Gilles Castéran, calling for "cyber-resilience of the health system, as a whole".