What is the purpose of a CyberCamp Santé?

At Doshas Consulting, we did not wait for these unfortunate events to make securing personal health data a critical concern at the core of our expertise. Whether we are working for large groups, hospitals or start-ups, our experience confirms that only a secure environment can guarantee the confidence of system users (healthcare professionals and patients).

While a recent study shows that medical devices are also becoming potential targets for hackers, the vast majority of healthcare professionals are still unaware of the potential dangers. Hence the importance of a CyberCamp Santé to allow them to exchange and reflect together on the issues and consequences of cybersecurity. This awareness-raising is essential in order to reach the greatest number of stakeholders, and will include a specific workshop dedicated to serious games.

“Digital is the guiding principle
of my medical practice “

Do digital tools allow us to be closer to patients?

“I remember that when I presented at a national hepatology conference in 2012 the value of participating in a Facebook discussion group, my words came across as totally disruptive to my colleagues. For them, this way of acting was at best insignificant, at worst dangerous… In reality, there is a very important self-discipline of the users and when a bad information circulates, it is immediately deactivated. This attitude can be explained by the very strong link between patients and their GP or specialist. Let’s not forget that it is the patients who have boosted the health professionals in their appropriation of digital technology. I am still part of a page dedicated to Crohn’s disease and ulcerative colitis, a way for me to maintain this relationship of trust and proximity with them.

How can we encourage their prescription?

“I participated in a working group for the French National Authority for Health (HAS) that submitted 101 proposals on good practices and the use of mobile applications, since these recommendations are necessary to facilitate their prescription. Without them, a doctor who is not used to connected tools will not take the risk of prescribing them to a patient to help him or her manage his or her pathology. With three levels of validated mobile applications, the Digital Health Space (ENS) in “My Health 2022”, with its “Health Store”, will enable a tremendous leap forward in their deployment.”

Based on your knowledge of the hospital environment, are there any barriers to the proper use of digital technology in
institutions?

“Hospital facilities face two main challenges in digital innovation. The first is the lack of consideration for digital issues in initial training. As a proof, I give courses in faculty, for DU in e-health where doctors are registered. It would seem interesting to me that interns, wishing to use digital technology in their future professional practice, should have the possibility of doing a six-month internship in an engineering school. Especially since some specialties, such as surgery or intensive care units, are more advanced on the subject.

The second element that distorts the situation is the non-interoperability of the institutions’ information systems with external solutions. So even if the staff is trained, they may do poorly due to lack of API with the patient record!

In addition to these difficulties, there is the growing threat of cyber-attacks, which hinders digital use in hospitals that are generally not well protected. The health crisis has only reinforced their fragility and hackers have taken advantage of these tense moments to increase their attacks, which increased by 256% in 2020!”

What do you expect from the second edition of CyberCamps Santé?

“The European dimension of this event, with participants from different countries, may allow us to think together about launching a project that would allow us to propose, with companies based in Europe, solutions to help hospitals upgrade their IT protection and encourage them to engage in a cyber protection approach. This would be a way to protect against major international attacks.”

“A cyber attack?
It doesn’t just happen to others!”

How can we make staff aware of the importance of computer security in order to protect hospitals from cyber attacks, such as the one you experienced at the Villefranche sur Saône hospital in February 2021?

“Reality shows that the awareness of IT teams is unfortunately not sufficiently developed, even though various national programs have been recommending it for years. In my opinion, the pre-requisites to be reached in HOP’EN and SUN-ES are the basis of a good security policy. However, they are more or less applied, depending on the skills, budgetary and technical constraints and the different actors. According to our experience at the North West Hospital, what has accelerated the awareness of security for all IS users, whether they are nurses or administrative staff, is the cyber-attack that we suffered at our support establishment, the Villefranche sur Saône Hospital. And this, despite the prevention campaigns carried out by our CISO, were not enough to protect us from a generalized and total breakdown of our IS.

Is such an electroshock necessary to change mentalities?

“Unfortunately, this is exactly what happened to us and I fear that this is very often the case. There is still a lot of work to be done on training the users of our information systems. This cyber attack has raised awareness and accelerated security measures within our GHT. It has shown that security awareness is everyone’s business, since the primary security breach was caused by a user’s mishandling. Naturally, I would have preferred it to have happened differently…”

Hence your decision to communicate widely about this ransomware, in an effort to educate?

“That’s right. From the very first hours of the attack, we took the step of issuing a press release to make users, politicians, all institutional players and the general public aware of the extent of the threat. All the more so since, faced with the various waves of Covid, we did not need to fight against such criminal acts as well. If I willingly participate in events such as the CyberCamp Santé, it is to educate people and put a stop to certain preconceived ideas. We often hear that public hospitals are not secure, which is completely false! They are, which does not prevent them from being exposed to risks like any other company. Political representatives quickly took up the subject. After the visit of the Minister of Solidarity and Health, Olivier Véran, the same week as the cyber attack, we had a videoconference with the President of the Republic, Emmanuel Macron, who took the opportunity to announce his cyber plan. It was important to show that no one is safe, even highly computerized establishments that are often ahead of the game, as was the Villefranche sur Saône Hospital. We communicated a lot to act as a detonator. The threat exists, we must be aware of it and do everything possible to limit it. According to the feedback from some of my colleagues, the message is bearing fruit, serving in particular to unblock budgets in favor of security, and that’s good!

What about the European level?

“The Network and Information System Security (NIS) directive, which now applies to GHT support institutions, is a step in the right direction. However, it remains complicated to apply. I often argue in favor of continuing education for our engineers and CISO staff, because the field of security requires skills in terms of auditing, implementing action plans and defining a security strategy policy. I am also in favor of integrating an IS security component into all university courses. Awareness is not just for the healthcare world, it affects all of society.”

“To raise collectively
the level of maturity of hospitals”.

And then, on August 2, 2021, your institution falls victim to a large-scale ransomware computer attack…

“Alongside the functional projects that are visible, there are also all the technical projects that are the hidden face of the iceberg. Before August 2021, we had already started to work on an IT security logic which, unfortunately, was not enough to protect us from malicious attackers. So we woke up one Monday morning to a massive cyberattack that took down, via ransomware, our entire IT system.”

That day, how did you react?

“The day the sky falls on your head, you must first try to understand what is happening to you. Our first reflexes were to follow a fairly standard security procedure, namely to cut off Internet access and disable all links with our core network, isolating it to avoid contagion, as with a medical virus. Very quickly afterwards, we completed a mandatory declaration process enabling us to qualify the nature of the damage within a day. And above all, since we are a hospital and not an e-commerce site, we activated the business continuity plan to ensure that the IT inconveniences would not have harmful consequences for patients.”

Was the transition to the downgraded procedure difficult?

“In our misfortune, we have been lucky enough to reap the benefits of the work we have been doing for the past two years on quality procedures. The drafting of a business continuity plan (BCP) as part of the HOP’EN program has been very useful. These achievements have prevented us from adding new technical problems to the continuity of care. Through a crisis unit and meetings between professionals several times a day to measure the extent of the damage, we have managed to readjust procedures when they were not sufficient and to prioritize workarounds. One example among dozens, on the first evening, the question of the interpretation of the imaging examinations of the patients taken in charge in the emergency room arose. To answer this question, we used a cab subscription, ensuring the transport of the results of each examination, burned on CD, to the radiology department of the Nîmes University Hospital, located 30 minutes away.”

What is your assessment of this cyberattack?

“Even if our technical anticipation was consistent with the resources devoted to the technological evolution of our information system and helped us on D-day, when we find ourselves in the middle of the cyclone, we are forced to note that the level of maturity of hospitals is quite low in the face of this type of attack, compared to other sectors that are much better armed. I am thinking in particular of the massive investments made by banking institutions. In comparison, our small structures are light years away from the security procedures that this new risk requires! However, this cyber attack has accelerated IT security and user awareness projects, with actions dedicated to phishing and the use of serious games. Like vaccination, these informative campaigns are aimed at maintaining a sufficiently high level of antibodies within the hospital body.”

Why did you agree to participate in the second edition of CyberCamps Santé?

“For a while, it was a bit shameful to admit to having been hacked and for the directors of institutions or CIOs, it was the prerogative of the bad ones. There wasn’t enough awareness of the extent of the risk. Since we have been a victim, I have been talking about it in a totally relaxed way to share our experience and show the complexity of a cyber attack. I am convinced that it is through greater communication about the risks incurred by each establishment that we will increase our collective level of maturity and that we will turn attackers away from the healthcare sector!”