What is the purpose of a CyberCamp Santé?
Since 2013, I have been developing a human approach to cyber risk, with a focus on behaviors and collaboration. Because faced with such an organized threat, the response can only be collective. Ramsay Group, Rouen University Hospital, European Medicines Agency, Narbonne Hospital, Albertville-Moûtiers Hospital, a company that packages the anti-Covid vaccine, Dax, Villefranche-sur-Saône and Arles hospitals, and finally Parisian hospitals: this is the sad list of cyber attacks against the health industry over the last two years.
This is an electroshock for healthcare structures (public establishments, private clinics or ESPIC) and manufacturers (solution publishers, medical device manufacturers, pharmaceutical laboratories, etc.) who must now be able to react to protect patients from this threat.
At Doshas Consulting, we did not wait for these unfortunate events to make securing personal health data a critical concern at the core of our expertise. Whether we are working for large groups, hospitals or start-ups, our experience confirms that only a secure environment can guarantee the confidence of system users (healthcare professionals and patients).
While a recent study shows that medical devices are also becoming potential targets for hackers, the vast majority of healthcare professionals are still unaware of the potential dangers. Hence the importance of a CyberCamp Santé to allow them to exchange and reflect together on the issues and consequences of cybersecurity. This awareness-raising is essential in order to reach the greatest number of stakeholders, and will include a specific workshop dedicated to serious games.
Colonel and Head of the Digital Proximity Division
Directly attached to the Command of the Gendarmerie in cyberspace (ComCyber-GEND), Colonel Watin-Augouard leads one of its 4 divisions, in charge of the link with the population, with – among others – magendarmerie.fr and Perceval, the online bank fraud reporting platform, which received 320,000 reports in 2020.
Director of the Hôpital d’Instruction des Armées Desgenettes
Trained at the Armed Forces Health Service (SSA) in Lyon, Didier Mennecier contributed to its digital transition before taking over the management of its Information Systems and Digital in 2017. Since July 1, 2021, he has been director of the Hôpital d’Instruction des Armées (HIA) Desgenettes in Lyon.
Deputy Director of the Arles Hospital in charge of finance, activity and information system
Passionate about the digital transformation challenges of the public hospital, he had to pilot the management of a ransomware cyber attack in the 2nd half of 2021. He will review the costs of a cyber attack based on the experience of the Arles Hospital.
“Digital is the guiding principle of my medical practice”
Defining himself as a geek doctor, Didier Mennecier has always been very keen on new technologies in his medical practice as a hepato-gastro-enterologist. Website, blog, mobile applications and dedicated Facebook pages, he has actively participated in the deployment of digital technology in the hospital environment, even if it means sometimes being seen as an “alien” by his colleagues!
What role does digital technology play in your medical practice?
“As a hepato-gastroenterology practitioner, I became interested in digital at a time when the health microcosm was exploring the topic very little. In 1999, I joined the association Les médecins Maîtres-Toile which allowed me to create my first website http://www.hepatoweb.com, designed as a useful tool for my professional practice. Over time, it has truly become an interactive information center for my patients, with the launch of mobile applications to complement it. In the first decade of this century, digital health made very little progress. We had to wait for the generalization of smartphones and social networks to see a major advance in the uses and a change in mentalities. Between 2010 and 2013,
Director of the Hôpital d’Instruction des Armées (HIA) Desgenettes in Lyon.
Do digital tools allow us to be closer to patients?
“I remember that when I presented at a national hepatology conference in 2012 the value of participating in a Facebook discussion group, my words came across as totally disruptive to my colleagues. For them, this way of acting was at best insignificant, at worst dangerous… In reality, there is a very important self-discipline of the users and when bad information circulates, it is immediately deactivated. This attitude can be explained by the very strong link between patients and their GP or specialist. Let’s not forget that it is the patients who have boosted the health professionals in their appropriation of digital technology. I am still part of a page dedicated to Crohn’s disease and ulcerative colitis, a way for me to maintain this relationship of trust and proximity with them.”
How can we encourage their prescription?
“I participated in a working group for the French National Authority for Health (HAS) that submitted 101 proposals on good practices and the use of mobile applications, since these recommendations are necessary to facilitate their prescription. Without them, a doctor who is not used to connected tools will not take the risk of prescribing them to a patient to help him or her manage his or her pathology. With three levels of validated mobile applications, the Digital Health Space (ENS) in “My Health 2022”, with its “Health Store”, will enable a tremendous leap forward in their deployment.”
Based on your knowledge of the hospital environment, are there any barriers to the proper use of digital technology in
“Hospital facilities face two main challenges in digital innovation. The first is the lack of consideration for digital issues in initial training. As a proof, I give courses in faculty, for DU in e-health where doctors are registered. It would seem interesting to me that interns, wishing to use digital technology in their future professional practice, should have the possibility of doing a six-month internship in an engineering school. Especially since some specialties, such as surgery or intensive care units, are more advanced on the subject.
The second element that distorts the situation is the non-interoperability of the institutions’ information systems with external solutions. So even if the staff is trained, they may do poorly due to the lack of an API with the patient record!
In addition to these difficulties, there is the growing threat of cyber-attacks, which hinders digital use in hospitals that are generally not well protected. The health crisis has only reinforced their fragility and hackers have taken advantage of these tense moments to increase their attacks, which increased by 256% in 2020!”
What do you expect from the second edition of CyberCamps Santé?
“The European dimension of this event, with participants from different countries, may allow us to think together about launching a project that would allow us to propose, with companies based in Europe, solutions to help hospitals upgrade their IT protection and encourage them to engage in a cyber protection approach. This would be a way to protect against major international attacks.”
A forerunner in e-Health as a hepato-gastroenterologist and self-defined as a geek doctor, Didier Mennecier developed the website http://www.hepatoweb.com in 2000, as well as applications for practitioners and patients since 2013. Creator of the blog https://www.medecingeek.com, he is a member of numerous think tanks such as the Club Digital Santé and the Lab e-Santé. His expertise in e-Health earned him an award from the National Academy of Medicine in 2015. From 2013, he actively participated in the transformation of the information systems of the French Army Health Service, as Director of Information Systems and Digital (DSIN) while continuing a clinical and academic activity. Since July 1, 2021, he has been director of the Hôpital d’Instruction des Armées Desgenettes in Lyon.
“A cyber attack? It doesn’t just happen to others!”
Despite campaigns to raise awareness of computer security among staff and major investments in security infrastructure, the Villefranche sur Saône Hospital Center suffered a large-scale cyber attack in February 2021. Director of digital services for the Rhône Nord Beaujolais Dombes GHT, of which the North West Hospital is the support institution, Nasser Amani talks about the importance of communicating and sharing his experience in order to prevent other hospitals from experiencing the same misadventure.
Having been in the healthcare industry for 22 years, what are the major developments you have seen in cybersecurity?
“Health care institutions initially went through a fairly long period, about 15 years, during which they had to be secure and not very open to the outside world. With the establishment of the “groupements hospitaliers de territoire” (GHT), they were obliged to communicate with other establishments, including town medicine, and thus share their medical information. Naturally, openness means greater vulnerability and an increase in potential breaches! This is why I was quickly made aware of cybersecurity, as Director of Digital Services for the Rhône Nord Beaujolais Dombes GHT. The latest significant development I’ve noticed is the acceleration of the notion of usage in the computerization of patient files and the sharing of information systems, since previously the solutions deployed were not always widely used and paper was often resistant to digital tools.”
Director of digital services for the GHT Rhône Nord Beaujolais Dombes
How can we make staff aware of the importance of computer security in order to protect hospitals from cyber attacks, such as the one you experienced at the Villefranche sur Saône hospital in February 2021?
“Reality shows that the awareness of IT teams is unfortunately not sufficiently developed, even though various national programs have been recommending it for years. In my opinion, the pre-requisites to be reached in HOP’EN and SUN-ES are the basis of a good security policy. However, they are more or less applied, depending on the skills, budgetary and technical constraints and the different actors. According to our experience at the North West Hospital, what has accelerated the awareness of security for all IS users, whether they are nurses or administrative staff, is the cyber-attack that we suffered at our support establishment, the Villefranche sur Saône Hospital. And this despite the prevention campaigns carried out by our CISO, which were not enough to protect us from a generalized and total breakdown of our IS.”
Is such an electroshock necessary to change mentalities?
“Unfortunately, this is exactly what happened to us and I fear that this is very often the case. There is still a lot of work to be done on training the users of our information systems. This cyber attack has raised awareness and accelerated security measures within our GHT. It has shown that security awareness is everyone’s business, since the primary security breach was caused by a user’s mishandling. Naturally, I would have preferred it to have happened differently…”
Hence your decision to communicate widely about this ransomware, in an effort to educate?
“That’s right. From the very first hours of the attack, we took the step of issuing a press release to make users, politicians, all institutional players and the general public aware of the extent of the threat. All the more so since, faced with the various waves of Covid, we did not need to fight against such criminal acts as well. If I willingly participate in events such as the CyberCamp Santé, it is to educate people and put a stop to certain preconceived ideas. We often hear that public hospitals are not secure, which is completely false! They are, which does not prevent them from being exposed to risks like any other company. Political representatives quickly took up the subject. After the visit of the Minister of Solidarity and Health, Olivier Véran, the same week as the cyber attack, we had a videoconference with the President of the Republic, Emmanuel Macron, who took the opportunity to announce his cyber plan. It was important to show that no one is safe, even highly computerized establishments that are often ahead of the game, as was the Villefranche sur Saône Hospital. We communicated a lot to act as a detonator. The threat exists, we must be aware of it and do everything possible to limit it. According to the feedback from some of my colleagues, the message is bearing fruit, serving in particular to unblock budgets in favor of security, and that’s good!”
What about the European level?
“The Network and Information System Security (NIS) directive, which now applies to GHT support institutions, is a step in the right direction. However, it remains complicated to apply. I often argue in favor of continuing education for our engineers and CISO staff, because the field of security requires skills in terms of auditing, implementing action plans and defining a security strategy policy. I am also in favor of integrating an IS security component into all university courses. Awareness is not just for the healthcare world, it affects all of society.”
Nasser Amani has been working in the digital health sector since July 2000. He has led numerous projects and discussions on computerized patient records and data exchanges between health professionals, hospitals and community medicine. Director of digital services for the Rhône Nord Beaujolais Dombes GHT – whose support establishment, the Villefranche sur Saône hospital, was the victim of a cyber attack in February 2021 – he heads a team of 34 people who maintain the operational conditions of the IS for the entire GHT. During his career, he has also worked on the deployment of tools and business applications in the 300 health or medico-social establishments of the French Red Cross.
“To raise collectively the level of maturity of hospitals”
Convinced that digital transformation is the future of healthcare institutions, Rodrigue Alexander has committed the Arles Hospital, of which he is deputy director, to the “paperless hospital” approach. His account of the ransomware cyberattack on his computer system in August 2021 should convince even the most reluctant of the need to raise awareness of the risks involved and how to counter this growing threat.
Finance, Operations and IS, the department you have held at Arles Hospital, since 2017, has a very broad scope. Is this, in your opinion, a prerequisite for the successful digital transformation of an institution?
“It’s not compulsory, but it helps a lot on a day-to-day basis, especially in terms of convincing staff of the benefits of change and removing some of the resistance. I am passionate about digital transformation and convinced that it is the future of hospitals, in terms of improving the quality of care, efficiency and harmonious working conditions for professionals. The department I work in also includes management control, admissions and billing, social services, archives and medical secretariats. It therefore gives me a fairly broad vision of the digital transformation of the establishment. When I took up my position in 2017, I very quickly found myself with an enormous number of documents to initial and slips to sign for the public treasury. I then committed the Arles Hospital to the “paperless hospital” approach, by setting up a dematerialization of exchanges between the authorizing officer and the accountant for the financial department, as well as a complete digitalization with digital dictation, voice recognition, secure messaging and electronic signature on the entire chain of medical reports, operating consents and all the production of mail.”
Deputy Director of the Arles Hospital in charge of finance, activity and information system
And then, on August 2, 2021, your institution falls victim to a large-scale ransomware computer attack…
“Alongside the functional projects that are visible, there are also all the technical projects that are the hidden face of the iceberg. Before August 2021, we had already started to work on an IT security logic which, unfortunately, was not enough to protect us from malicious attackers. So we woke up one Monday morning to a massive cyberattack that took down, via ransomware, our entire IT system.”
That day, how did you react?
“The day the sky falls on your head, you must first try to understand what is happening to you. Our first reflexes were to follow a fairly standard security procedure, namely to cut off Internet access and disable all links with our core network, isolating it to avoid contagion, as with a medical virus. Very quickly afterwards, we completed a mandatory declaration process enabling us to qualify the nature of the damage within a day. And above all, since we are a hospital and not an e-commerce site, we activated the business continuity plan to ensure that the IT inconveniences would not have harmful consequences for patients.”
Was the transition to the downgraded procedure difficult?
“In our misfortune, we have been lucky enough to reap the benefits of the work we have been doing for the past two years on quality procedures. The drafting of a business continuity plan (BCP) as part of the HOP’EN program has been very useful. These achievements have prevented us from adding new technical problems to the continuity of care. Through a crisis unit and meetings between professionals several times a day to measure the extent of the damage, we have managed to readjust procedures when they were not sufficient and to prioritize workarounds. One example among dozens, on the first evening, the question of the interpretation of the imaging examinations of the patients taken in charge in the emergency room arose. To answer this question, we used a cab subscription, ensuring the transport of the results of each examination, burned on CD, to the radiology department of the Nîmes University Hospital, located 30 minutes away.”
What is your assessment of this cyberattack?
“Even if our technical anticipation was consistent with the resources devoted to the technological evolution of our information system and helped us on D-day, when we find ourselves in the middle of the cyclone, we are forced to note that the level of maturity of hospitals is quite low in the face of this type of attack, compared to other sectors that are much better armed. I am thinking in particular of the massive investments made by banking institutions. In comparison, our small structures are light years away from the security procedures that this new risk requires! However, this cyber attack has accelerated IT security and user awareness projects, with actions dedicated to phishing and the use of serious games. Like vaccination, these informative campaigns are aimed at maintaining a sufficiently high level of antibodies within the hospital body.”
Why did you agree to participate in the second edition of CyberCamps Santé?
“For a while, it was a bit shameful to admit to having been hacked and for the directors of institutions or CIOs, it was the prerogative of the bad ones. There wasn’t enough awareness of the extent of the risk. Since we have been a victim, I have been talking about it in a totally relaxed way to share our experience and show the complexity of a cyber attack. I am convinced that it is through greater communication about the risks incurred by each establishment that we will increase our collective level of maturity and that we will turn attackers away from the healthcare sector!”
A hospital director by training, Rodrigue Alexander is passionate about the challenges of digital transformation in public hospitals. After serving as deputy director in charge of performance and information systems at CHI Compiègne-Noyon, he joined the management of CH d’Arles, where he has been in charge of finance, business and information systems since 2017. At this institution, over the second half of 2021, he piloted the management of a ransomware cyberattack that occurred in early August. A disaster recovery plan was put in place using various technologies and a much more robust information system was rebuilt. The feedback of this specialist is particularly valuable for understanding the true cost of a cyber attack.