French hospitals and healthcare establishments are prime targets for cybercriminals, at a rate of one attack per week on average in 2021. Jean-Noël de Galzain, president of the Hexatrust group and CEO of Wallix, a software publisher specializing in cybersecurity, answers Channelnews's questions.
Channelnews : Among the 3,000 healthcare establishments in France, what is the level of cybersecurity maturity and the capacity to recover after an incident?
Jean-Noël de Galzain : It varies from one establishment to another. The Oloron hospital in the Pyrénées-Atlantiques was paralyzed on March 8 by a ransomware attack. Six months after the incident, the problem is still not completely resolved. IT teams in hospitals are overworked. They do what they can with the means at their disposal to keep IT tools operational and secure. In 2021, some establishments are still equipped with 20-year-old devices, due to a lack of resources. As with cars that have to pass technical checks, digital hospital equipment should pass security checks regularly.
Channelnews : The State has launched a plan of one billion euros to modernize the cybersecurity sector. Do you think this will solve the problem?
Jean-Noël de Galzain : The initiative is received in a mixed way. The sum may seem paltry compared to the costs of cyber attacks: $1 trillion in 2020, twice as much as in 2018.
Channelnews : Which action is the priority, in your opinion?
Jean-Noël de Galzain : The establishment of governance. Hospital directors must position themselves as conductors. Despite the goodwill of the CIOs, it is imperative to involve all the stakeholders in the functioning of the hospital center.
In March 2019, more than 600 computers at the Montpellier University Hospital were infected following an attack. The cause: a small act of negligence by an employee of the CHU who had clicked on a malicious link in a phishing email. Most cyber attacks occur because of phishing. This example proves that vigilance must take place at all levels.
In February 2020, ENISA, the European cybersecurity agency, released a cybersecurity guide for European hospitals. This guide provides recommendations and best practices for including cybersecurity issues in hospital equipment procurement processes. It has the merit of existing and joins the roadmap of the Digital Health Agency (ANS) and the Digital Health Delegation (DNS).
Channelnews : The proposed solution seems very simple: the adoption of good practices?
Jean-Noël de Galzain : To protect a hospital’s information system, it is essential to have password management, data access protection and identity governance solutions, but to maximize the level of security, it is necessary that the user of these solutions is made aware and trained. It is important to have a “citizen” education in cybersecurity: integrate cybersecurity training in primary school, college and up to post-baccalaureate studies. Everything will not change overnight.