What is the purpose of a CyberCamp Santé?
Since 2013, I have been developing a human approach to cyber risk, with a focus on behaviors and collaboration. Because faced with such an organized threat, the response can only be collective. Ramsay Group, Rouen University Hospital, European Medicines Agency, Narbonne Hospital, Albertville-Moûtiers Hospital, a company that packages the anti-Covid vaccine, Dax, Villefranche-sur-Saône and Arles hospitals, and finally Parisian hospitals: this is the sad list of cyber attacks against the health industry over the last two years.
This is an electroshock for healthcare structures (public establishments, private clinics or ESPIC) and manufacturers (program publishers, medical device manufacturers, pharmaceutical laboratories, etc.) who must now be able to react to protect patients from this threat.
At Doshas Consulting, we did not wait for these unfortunate events to make securing personal health data a critical concern at the core of our expertise. Whether we are working for large groups, hospitals or start-ups, our experience confirms that only a secure environment can guarantee the confidence of system users (healthcare professionals and patients).
While a recent study shows that medical devices are also becoming potential targets for hackers, the vast majority of healthcare professionals are still unaware of the potential dangers. Hence the importance of a CyberCamp Santé to allow them to exchange and reflect together on the issues and consequences of cybersecurity. This awareness-raising is essential in order to reach the greatest number of stakeholders, and will include a specific workshop dedicated to serious games.
Colonel and Head of the Digital Proximity Division
Directly attached to the Gendarmerie Command in Cyberspace (ComCyber-GEND), Colonel Watin-Augouard heads one of its 4 divisions, the one in charge of the link with the population, which includes, among others, magendarmerie.fr and Perceval, the online banking fraud reporting platform, which received 320,000 reports in 2020.
Trained at the Armed Forces Health Service (SSA) in Lyon, Didier Mennecier contributed to its digital transition before taking over the management of its Information Systems and Digital in 2017. Since July 1, 2021, he has been director of the Hôpital d’Instruction des Armées (HIA) Desgenettes in Lyon.
Deputy Director of the Arles Hospital in charge of finance, activity and information system
Passionate about digital transformation challenges of the public hospital, he had to pilot the management of a ransomware cyber attack in the 2nd half of 2021. He will review the costs of a cyber attack based on the experience of the Arles Hospital.
“Digital is the guiding principle of my medical practice”
Defining himself as a geek doctor, Didier Mennecier has always been very keen on new technologies in his medical practice as a hepato-gastro-enterologist. Website, blog, mobile apps and dedicated Facebook page, he has actively participated in the deployment of digital in hospitals even if it means that he is sometimes seen as an “alien” by
What role does digital technology play in your medical practice?
“As a hepato-gastroenterology practitioner, I became interested in digital at a time when the health microcosm was exploring the topic very little. In 1999, I joined the association Les médecins Maîtres-Toile which allowed me to create my first website hepatoweb, designed as a useful tool for my professional practice. Over time, it truly became an interactive information center for my patients, with the launch of mobile apps to complement it. During the first decade of this century, digital health has made very little progress. It had to wait for the generalization of smartphones and social networks to see a major advance in uses and a change in mindsets. Between 2012 and 2013, I had the feeling of being an “alien” in my medical practice. Since then, digital has taken a prominent place in health and I continue to evolve by following technical and digital innovations, which keep being the guiding thread of my professional activity.”
Director of the Hôpital d’Instruction des Armées (HIA) Desgenettes in Lyon.
Do digital tools allow you to be closer to patients?
“I remember that when I presented the value of participating in a Facebook discussion group, at a national hepatology conference in 2012, my words came across as totally disruptive to my colleagues. For them, this way of acting was at best insignificant, at worst dangerous… In reality, there is a very important self-discipline of the users and when bad information circulates, it is immediately deactivated. This attitude can be explained by the very strong link between patients and their general practitioner or specialist. Let’s not forget that the very patients have boosted the health professionals in their appropriation of digital technology. I am still involved in a page dedicated to Crohn’s disease and ulcerative colitis, a way for me to maintain this relationship of trust and proximity with them.”
How to promote their prescription?
“I participated in a working group for the French National Authority for Health (HAS) that submitted 101 proposals on good practices and the use of mobile applications, since these recommendations are necessary to facilitate their prescription. Without them, a doctor who is not used to connected tools will not take the risk of prescribing them to a patient to help him or her manage his or her pathology. With three levels of validated mobile applications, the Digital Health Space (ENS) in “My Health 2022”, with its “Health Store”, will enable a tremendous leap forward in their deployment.”
According to your knowledge of the hospital environment, are there any obstacles to the proper use of digital in institutions?
“Hospital facilities face two main challenges in digital innovation. The first one is the lack of consideration for digital issues in initial training. As a proof, I give courses in faculty, for DU in e-health where doctors are registered. It would seem interesting to me that interns, wishing to use digital technology in their future professional practice, have the possibility of doing a six-month internship in an engineering school. Especially since some specialties, such as surgery or intensive care units, are more advanced on the topic.
The second element that distorts the situation is the non-interoperability of the institutions’ information systems with external solutions. So even if the staff is trained, they may do poorly due to lack of API with the patient record!
In addition to these difficulties, there is the growing threat of cyber-attacks, which hinders digital use in hospitals that are generally not well protected. The health crisis has only reinforced their fragility and hackers have taken advantage of these tense moments to increase their attacks, by 256% in 2020!”
What do you expect from the second edition of CyberCamps Santé?
“The European dimension of this event, with participants from different countries, lets us think together about launching a project that would allow us to offer, with companies based in Europe, solutions to help hospitals upgrade their IT protection and encourage them to engage in a cyber protection approach. This would be a way to protect against major international attacks.”
A forerunner in e-Health as a hepato-gastroenterologist and a self-described geek doctor, Didier Mennecier has developed the hepatoweb website since 2000 and, from 2013, applications for practitioners and patients.
Creator of the blog https://www.medecingeek.com, he is a member of many think tanks such as the Club Digital Santé and the Lab e-Santé. His expertise in e-Health earned him an award from the National Academy of Medicine in 2015.
From 2013, he has actively participated in the transformation of the information systems of the French Army Health Service, as Director of Information Systems and Digital (DSIN) while continuing a clinical and academic activity. Since July 1, 2021, he has been director of the Hôpital d’Instruction des Armées Desgenettes in Lyon.
“A cyber attack? It doesn’t just happen to others!”
Despite campaigns to raise awareness of computer security among staff and major investments in security infrastructure, the Villefranche sur Saône Hospital Center suffered a large-scale cyber attack in February 2021. Director of digital services for the Rhône Nord Beaujolais Dombes GHT, of which the North West Hospital is the support institution, Nasser Amani talks about the importance of communicating and sharing his experience in order to prevent other hospitals from experiencing the same misadventure.
Practicing in the health sector for 22 years, what are the major evolutions that you have noticed concerning cybersecurity?
“Health care institutions initially went through a fairly long period, about 15 years, during which they had to be secure and not very open to the outside world. With the establishment of the “groupements hospitaliers de territoire” (GHT), they were obliged to communicate with other establishments, including town medicine, and thus share their medical information. Naturally, openness means greater vulnerability and an increase in potential breaches! This is why I was quickly made aware of cybersecurity, as Director of Digital Services for the Rhône Nord Beaujolais Dombes GHT. The latest significant development I’ve noticed is the acceleration of the notion of usage in the computerization of patient files and the sharing of information systems, since previously the solutions deployed were not always widely used and paper was often resistant to digital tools.”
Director of digital services for the GHT Rhône Nord Beaujolais Dombes
How can we make staff aware of the importance of computer security in order to protect hospitals from cyber attacks, such as the one you experienced at the Villefranche sur Saône hospital in February 2021?
“Reality shows that the awareness of IT teams is unfortunately not sufficiently developed, even though various national programs have been recommending it for years. In my opinion, the pre-requisites to be reached in HOP’EN and SUN-ES are the basis of a good security policy. However, they are more or less applied, depending on the skills, budgetary and technical constraints and the different actors. According to our experience at the North West Hospital, what has accelerated the awareness of security for all IS users, whether they are nurses or administrative staff, is the very cyber-attack that we suffered at our support establishment, the Villefranche sur Saône Hospital. And this occurred despite the prevention campaigns carried out by our CISO: it was not enough to protect us from a generalized and total breakdown of our IS.”
Is such an electroshock necessary to change mentalities?
“Unfortunately, this is exactly what happened to us and I fear that this is very often the case. There is still a lot of work to be done on training the users of our information systems. This cyber attack has raised awareness and accelerated security measures within our GHT. It has shown that security awareness is everyone’s business, since the primary security breach was caused by a user’s mishandling. Naturally, I would have preferred it to have happened differently…”
Hence your decision to communicate widely about this ransomware, in an effort to educate?
“That’s right. From the very first hours of the attack, we took the step of issuing a press release to make users, politicians, all institutional players and the general public aware of the extent of the threat. All the more so as the Covid waves did not get us used to fighting such criminal acts as well. If I willingly participate in events such as the CyberCamp Santé, it is to educate people and put a stop to certain preconceived ideas. We often hear that public hospitals are not secure, which is completely false! They are, which does not prevent them from being exposed to risks like any other company. Political representatives quickly took the issue up. After the visit of the Minister of Solidarity and Health, Olivier Véran, the same week as the cyber attack, we had a videoconference with the President of the Republic, Emmanuel Macron, who took the opportunity to announce his cyber plan. It was important to show that no one is safe, even highly computerized establishments that are often ahead of the game, as was the Villefranche sur Saône Hospital. We have communicated a lot to act as a detonator. The threat exists, we must be aware of it and do everything possible to limit it. According to the feedback from some of my colleagues, the message is bearing fruit, serving in particular to unblock budgets in favor of security, and that’s good!”
What about the European level?
“The Network and Information System Security (NIS) directive, which now applies to GHT support institutions, is a step in the right direction. However, it remains complicated to apply. I often argue in favor of continuing education for our engineers and CISO staff, because the field of security requires skills in terms of auditing, implementing action plans and defining a security strategy policy. I am also in favor of integrating an IS security component into all university courses. Awareness is not just for the healthcare world, it affects all of society.”
Nasser Amani has been working in the digital health sector since July 2000. He has led numerous projects and discussions on computerized patient records and data exchanges between health professionals, hospitals and community medicine.
Director of digital services for the Rhône Nord Beaujolais Dombes GHT – whose support establishment, the Villefranche sur Saône hospital, was the victim of a cyber attack in February 2021 – he heads a team of 34 people who maintain the operational conditions of the IS for the entire GHT.
During his career, he has also worked on the deployment of tools and business applications in the 300 health or medico-social establishments of the French Red Cross.
“To raise collectively the hospitals’ level of maturity.”
Convinced that digital transformation is the future of healthcare institutions, Rodrigue Alexander has committed the Arles Hospital, of which he is deputy director, to the “paperless hospital” approach. His testimony on the ransomware cyberattack that hit its computer system in August 2021 should convince even the most reluctant leaders of the need to raise awareness of the risks involved and of the resources needed to counter this growing threat.
Finance, Operations and IS, the department you have held at Arles Hospital, since 2017, has a very broad scope. Is this, in your opinion, a prerequisite for the successful digital transformation of an institution?
“It’s not compulsory, but it helps a lot on a day-to-day basis, especially in terms of convincing staff of the benefits of change and removing some of the resistance. I am passionate about digital transformation and convinced that it is the future of hospitals, in terms of improving the quality of care, efficiency and harmonious working conditions for professionals. The department I work in also includes management control, admissions and billing, social services, archives and medical secretariats. It therefore gives me a fairly broad vision of the digital transformation of the establishment. When I took up my position in 2017, I very quickly found myself with an enormous number of documents to initial and slips to sign for the public treasury. I then committed the Arles Hospital to the “paperless hospital” approach, by setting up a dematerialization of exchanges between the authorizing officer and the accountant for the financial department, as well as a complete digitalization with digital dictation, voice recognition, secure messaging and electronic signature in the entire chain of medical reports, operating consents and all the mail production.”
Deputy director of the CH of Arles in charge of finance, activity and information system
And then, on August 2, 2021, your institution falls victim to a large-scale ransomware computer attack…
“Alongside the functional projects that are visible, there are also all the technical projects that are the hidden face of the iceberg. Before August 2021, we had already started to work on an IT security logic which, unfortunately, was not enough to protect us from malicious attackers. So we woke up one Monday morning to see a massive cyberattack that took down, via ransomware, our entire IT system.”
That day, how did you react?
“The day the sky falls on your head, you must first try to understand what is happening to you. Our first reflexes were to follow a fairly standard security procedure, namely cutting off Internet access and disabling all links with our core network, isolating it to avoid contagion, as with a medical virus. Very quickly afterwards, we completed a mandatory declaration process enabling us to qualify the nature of the damage within a day. And above all, since we are a hospital and not an e-commerce site, we activated the business continuity plan to ensure that the IT inconveniences would not have harmful consequences for patients.”
Was the transition to the downgraded procedure difficult?
“In our misfortune, we have been lucky enough to reap the benefits of the work we have been doing for the past two years on quality procedures. The drafting of a business continuity plan (BCP) as part of the HOP’EN program has been very useful. These achievements have prevented us from adding new technical problems to the continuity of care. Through a crisis unit and meetings between professionals several times a day to measure the extent of the damage, we have managed to readjust procedures when they were not sufficient and to prioritize workarounds. One example among dozens, on the first evening, the question of the interpretation of the imaging examinations of the patients taken in charge in the emergency room arose. To answer this question, we used a cab subscription, ensuring the transport of the results of each examination, burned on CD, to the radiology department of the Nîmes University Hospital, located 30 minutes away.”
What is your assessment of this cyberattack?
“Even if our technical anticipation was consistent with the resources devoted to the technological evolution of our information system and helped us on D-day, when we find ourselves in the middle of the cyclone, we are forced to note that the level of maturity of hospitals is quite low to cope with this type of attack, compared to other sectors that are much better armed. I am thinking in particular of the massive investments made by banking institutions. In comparison, our small structures are light years away from the security procedures that this new risk requires! However, this cyber attack has accelerated IT security and user awareness projects, with actions dedicated to phishing and the use of serious games. Like vaccination, these informative campaigns are aimed at maintaining a sufficiently high level of antibodies within the hospital body.”
Why did you agree to participate in the second edition of CyberCamps Santé?
“For a while, it was a bit shameful to admit having been hacked, and for the directors of institutions or CIOs, it was the prerogative of the bad ones. There wasn’t enough awareness of the extent of the risk. Since we have been a victim, I have been talking about it in a totally relaxed way to share our experience and show the complexity of a cyber attack. I am convinced that it is through greater communication about the risks incurred by each establishment that we will increase our collective level of maturity and that we will turn attackers away from the healthcare sector!”
A hospital director by training, Rodrigue Alexander is passionate about the challenges of digital transformation in public hospitals. After serving as deputy director in charge of performance and information systems at CHI Compiègne-Noyon, he joined the management of CH d’Arles, where he has been in charge of finance, business and information systems since 2017. At this institution, he piloted, over the second half of 2021, the management of a ransomware cyberattack that occurred in early August. A disaster recovery plan was put in place using various technologies and a much more robust information system was rebuilt. This specialist's feedback is particularly valuable for understanding the true cost of a cyber attack.