The COVID-19 pandemic has highlighted the need for the French authorities to protect their health infrastructure against cyberattacks. At a time when the health sector needed to be kept in the best possible condition, several recent attacks have demonstrated the fragility of its security infrastructure. “The density of attacks in this sector is the result of chronic underinvestment in IT security. With limited budgets, application development has been prioritised over IT security, leaving institutions at the mercy of attackers seeking targets that could have a major social impact when their activities are disrupted,” explains a report by the Senate foreign affairs, defence and armed forces committee.

Favoured targets

The health sector has not been short of interest from cybercriminals. In May 2017, WannaCry attacked the British health system, the NHS. By exploiting a vulnerability in Windows, the hackers managed to infect 16 health centres and 200,000 computers, leading to nearly 20,000 consultations being cancelled and over 1,200 items of diagnostic equipment being paralysed.
In summer 2019, 120 sites operated by the French health group Ramsay were affected by a cyberattack. In October, the American DCH hospital group was infected with ransomware and had to refuse entry to new patients at its three hospitals in Alabama and pay a ransom to the hackers, who were threatening to destroy its information systems.
In November 2019, all the services of Rouen’s university hospital were paralysed for several days, requiring some patients to be cared for at other institutions and planned operations to be postponed. All the patient care, prescription, appointment and admissions management software was brought to a standstill.

Strong recommendations

Hospitals need to strengthen their security. Security must be upgraded to prevent, for example, cyberattacks affecting continuity of service in operating theatres, taking control of a hospital and its electrical systems, altering the operation of connected healthcare devices or falsifying vital patient data, with consequences for the smooth running of the nation but also for patients’ lives.
The French national information system security agency ANSSI estimates that it will take three years for hospitals to fully deploy the required cybersecurity measures.

E-health: added value for the future

While facilities and staff have been central to combating the virus, the opportunities associated with digital technology applied to health (e-health) have also been crucial in responding quickly to the pandemic. At the height of the Covid-19 crisis, new technologies played a major role in accelerating decision-making, slowing the epidemic, enabling continuity of care and giving patients greater autonomy in screening and monitoring their symptoms.
“The use of digital tools and health data showed the differing degrees of maturity from one country to another. Where technology was used on a large scale, the consequences of the epidemic were controlled more quickly and more effectively,” emphasises the Institut Montaigne in its recent report, “Towards a new deal for health in France”, published in June.
“Driven by both private and public-sector organisations, the deployment of e-health and the systematic collection of health data are among the vital foundations on which our healthcare system must be based,” the report declares. But France is still a long way from achieving P4 medicine: predictive, preventive, personalised and participatory. With the ambitious strategy set by the 2022 My Health act, it will now have to move further and faster.

This digitalisation is essential to respond to the many challenges facing the system: the explosion in chronic illness, the ageing population, changing numbers of healthcare staff in the country, the economic sustainability of the health system and new health and social challenges.
The strategic consulting firm McKinsey estimates that e-health’s potential for value creation in France could reach between €16 billion and €22 billion a year, with benefits in five areas that will define the health system of tomorrow: patients are more independent and manage their own health; patients benefit from smoother flows of medical information thanks to electronic communications; telemedicine develops further; healthcare organisations become more efficient and the patient experience is improved through digital technology and automation. Finally, medical and paramedical decisions become safer and more reliable with the support of artificial intelligence (AI). E-health could also provide robust answers to the problem of medical deserts.

Recommendations for a new deal on health in France

We have one of the best systems of health protection in the world. We must ensure that the same applies to our health systems in the future. The development of e-health must undeniably be accompanied by an element of security by design, a strategy and a global, dynamic approach in terms of cybersecurity in order to keep its promises and avoid becoming an aggravating factor in a sector already under huge pressure.

“This systemic transformation will involve collecting, sharing and using health data within an ethical and sovereign framework to enable better care and more precise, responsive management of our health system. The responsible use of health data is a prerequisite to guarantee user trust in these digital solutions,” adds the Institut Montaigne.

The institute recommends relying on the mobilisation of private-sector players for a true health sector to emerge, constructing an ethical, sovereign “third way” at European level in terms of health data, simplifying access to health data within a secure framework and enabling the Health Data Hub to become more independent faced with American players who are very interested in our health data. This second point implies the use of a trusted cloud backed by a European player, and once again raises the question of regulation, long awaited at national level.

Further recommendations not to be overlooked include strengthening protective measures in terms of cybersecurity for health data, supporting companies at an early stage to help them comply with interoperability standards in the development of their digital solutions, prioritising and investing in health information systems and the development of e-health to align the amounts invested with those of the most advanced countries, building a culture of trust around digital technology and health data and training everyone involved in the health system in digital technology and artificial intelligence while encouraging decision-makers to become familiar with these tools.

Managing, sharing and anticipating cyber risk

Managing cyber risk in healthcare is a key challenge for the future. It demands dynamic analysis and mapping of the risks, which must be the cornerstone of any action plan. The aim is to define all the actions necessary to achieve an acceptable level of risk, with full knowledge of the facts and at the right decision-making level.
As a cybersecurity company, we strive to support organisations and live our motto to the full: sharing. Many decision-makers believe that sharing information weakens them. The opposite is true. Defenders have everything to gain from exchanging information, and that’s what we offer – studying attack modes, attacker profiles and any weaknesses and compiling them into a library so that everyone involved in the sector can benefit. This approach is also advocated by ANSSI and promoted by the E-Health Cyber plan proposed by the industry’s strategic committee (CSF), leading to a mutual commitment to support the transformation of the healthcare industry towards the healthcare of the future. The European Union member states are also strengthening their cooperation and intensifying the exchange of information about IT protection for healthcare institutions.
Finally, if we want to anticipate the next crisis, which is just around the corner, placing cybersecurity at the heart of governance is a prerequisite. Examining the potential attack scenarios that could affect tomorrow’s information systems will not enable us to avoid cyberattacks, but it will enable us to respond quickly and effectively and ensure our systems are resilient.

Now more than ever, we must give cyber-vigilance a new collective dimension!
