#19 - Taking cybersecurity into account in the healthcare sector

Innovation

Episode duration 00:16

For this nineteenth episode, "100 Days to Success" takes a look at how cybersecurity is taken into account in digital health projects.

00:00:00
Voice-over: 100 Days to Success is the podcast from G_NIUS, the Guichet national de l'innovation et des usages en e-santé. With Lionel Reichardt, meet e-health innovators and key experts to help you succeed in your projects.

00:00:20
Lionel Reichardt: Hello everyone! You're listening to 100 Days to Success, the podcast aimed at innovators and entrepreneurs in digital healthcare, but also at anyone curious about this field. This podcast is produced by G_NIUS, the Guichet national de l'innovation et des usages en e-santé. In this episode, we'll be talking about taking cybersecurity into account in digital health projects.

00:00:38
Lionel Reichardt: We'll be joined by Auriane Lemesle, regional information systems security referent at GCS e-santé Pays de la Loire. We will also be joined by Cédric Bertrand, security expert at ANS, the Agence du numérique en santé. Auriane Lemesle, good morning, and thank you for agreeing to share your experience with us. Could you first tell us a little about your training and background?

00:01:07
Auriane Lemesle: Hello, I graduated with a double master's degree in health risk management and health products and information systems security management from L'ISSBA in Angers, which has since become Polytech Angers. Then I started my career at GCS Télésanté Centre as a regional IS security referent for establishments in the Centre-Val de Loire region, for about four years. I'm still a part-time lecturer at Polytech Angers and general secretary of the Association pour la sécurité des sites santé, and since 2016 I've been a regional referent for GCS Santé des Pays de la Loire.

00:01:42
Lionel Reichardt: What are your missions within the GCS e-santé Pays de la Loire?

00:01:46
Auriane Lemesle: So, I'm in charge of coordinating digital security issues for healthcare professionals in the Pays de la Loire region, in partnership with the Agence régionale de santé. We offer a wide range of support services to help organizations improve their level of cybersecurity maturity.

00:02:02
Lionel Reichardt: The issue of cybersecurity is a recurring one in healthcare. Why is that?

00:02:06
Auriane Lemesle: On the one hand, because we have a growing dependence on digital. The transformation of the healthcare system relies heavily on digital technology to serve the business and improve performance. And secondly, because we need to guarantee the confidence of professionals and users in the use of digital technology. Also, because the health crisis has forced the implementation of new ways of working and organizing, somewhat at a forced march, with the introduction of telecommuting, telemedicine and collaborative tools requiring remote access to information systems.

00:02:35
Auriane Lemesle: These are new uses that come with new risks. There have also been a number of recent incidents that have received considerable media coverage. ANSSI qualifies the state of the threat to healthcare information systems as high, and finally, because incidents involving healthcare systems can have a direct impact on user care.

00:02:55
Lionel Reichardt: We can see that there are a lot of impacts and that this cybersecurity issue is essential when you're a digital health project developer. How should we go about it, and when should we take this issue into account?

00:03:06
Auriane Lemesle: So, in my opinion, you have to do it as soon as possible. And ask the right questions right from the start. On the one hand, to identify security needs in terms of availability, integrity and traceability, and not just in terms of confidentiality, as we tend to think. On the other hand, to be able to take into account the many regulatory aspects that apply to healthcare information systems that handle sensitive data.

00:03:29
Auriane Lemesle: The departmental security policy, the general security policy for healthcare IS, the technical doctrine for digital health, the RGPD, etc. Do this throughout projects, so as to be able to guarantee maintenance in security condition, with careful thought given to awareness-raising, training, updating, risk reassessment, etc.

00:03:49
Lionel Reichardt: As you said, at GCS e-santé Pays de la Loire, you're in charge of acculturation, the ecosystem, and innovation in healthcare. How do you assess the maturity of these different players? How do you develop it?

00:04:00
Auriane Lemesle: Overall, the maturity of healthcare IS still lags behind that of other sectors such as banking. However, there has been an improvement in the extent to which players are taking the subject on board. A few years ago, it wasn't an issue at all. Today, given the media coverage we've been talking about and the consequent impacts of increasing digitization, it's becoming a real concern, even for smaller structures like EPAD, which didn't think it was a target a while ago.

00:04:28
Auriane Lemesle: There has also been an acceleration in public authorities taking the issue on board, right up to the highest level of government. This can be seen in the various presidential announcements, notably the implementation of a plan to combat cybercrime, but also in the healthcare sector, where security is the second priority of the roadmap for digital healthcare, and forms part of the foundations of all healthcare IS.

00:04:51
Auriane Lemesle: To develop it, we have the collective impetus I've just mentioned, which is also materialized through the national awareness campaign "Tous Cyber vigilants", but also, we can combine it with on-the-ground support such as we're working to offer with the Regional Health Agency by proposing training, webinars, document templates through a documentary database in support of incident management and various awareness tools such as posters, videos, Escape Game.

00:05:23
Lionel Reichardt: Fittingly, speaking of escape games, you've set up one called "Sant'escape - Digital Security". In fact, as a winner of the Talents de la e-santé 2020 competition, why did you design this escape game? What does it involve?

00:05:35
Auriane Lemesle: Initially, it's a sort of gamble that was launched by one of our organizations, which wanted an innovative and attractive tool to raise awareness of cybersecurity, which is a subject rather seen as technical and unattractive. We co-constructed it with several regional structures, public, private, for-profit and non-profit healthcare establishments, as well as our regional quality and risk management support structure, taking into account the constraints of professionals to be able to deliver this escape game in one hour with 45 minutes of gameplay and 15 minutes of briefing/debriefing.

00:06:10
Auriane Lemesle: The idea is for participants to put themselves in the shoes of nasty, unscrupulous journalists, who are going to try to recover health information from a VIP called Johnny Jackson so they can save their people magazine from bankruptcy. The challenge is to be met in 45 minutes. Our idea was to create a positive emulation with a playful and pragmatic method that gets the participants involved and better maintains their attention, while valuing teamwork and operating cybersecurity awareness.

00:06:41
Lionel Reichardt: What lessons did you learn? How do participants react to this escape game?

00:06:46
Auriane Lemesle: Given that they have to exploit the bad practices they implement on a daily basis themselves, this leads them to reflect on these practices, but also on their private lives and the way they manage security, quote-unquote at home. As a result, it also has a positive impact at work, by improving practices around password management, workstations, confidentiality and so on.

00:07:14
Lionel Reichardt: Speaking of practice, you also support the digital health ecosystem for provider management practices on the information system. What kind of support and advice do you provide?

00:07:25
Auriane Lemesle: We guide them in the sense that we offer them model clauses to include in their contracts with service providers. We also strongly encourage them to discuss safety issues from the very start of a project, or even beforehand. We've published a small flyer that enables them to talk to their service providers using a tool that is somewhat institutional and also supported by the Regional Health Agency, which makes the approach official with their service providers and helps them.

00:07:55
Lionel Reichardt: Auriane Lemesle, to conclude, what advice would you give to a digital health project owner wondering about cybersecurity issues?

00:08:04
Auriane Lemesle: As we were saying just now, it's about thinking about this security as early as possible and throughout projects right from the framing stage, at the design stage, during deployment and throughout operation. I think it's important to be agile enough to be able to adapt both to regulations, which change quite regularly in the healthcare sector and in digital security in general, but also to adapt to the different inspirations of attackers, who have no shortage of imagination when it comes to exploiting a new flaw.

00:08:35
Auriane Lemesle: We also need to ask the right questions in terms of potential impact, both on user care and on their private lives. In terms of the organization of the client healthcare structure, but also in legal terms for the structure, and also, by rebound, for the service providers, whose liability may also be engaged. Finally, on the brand image of both the structure and the provider, who could be incriminated if there was an incident for which he was responsible.

00:09:04
Auriane Lemesle: Basically, you need to adopt a good approach by integrating ISS into projects somewhat in process mode, in planning, in implementation. Regularly check and readjust the security measures to be implemented as part of a continuous improvement process. This makes it easier to take safety constraints into account, and reduces costs, deadlines and the non-quality of projects. We mustn't forget that safety is 80% method and organization, and 20% technique and tools.

00:09:33
Auriane Lemesle: We can also recommend that they be transparent about the security measures that are implemented, value security as a performance driver and reassure customers and users by giving them confidence in the tools and services that are offered by providers.

00:09:49
Lionel Reichardt: Auriane Lemesle, thank you for this information. You're a digital health project leader and you're wondering how to take cybersecurity into account. Here are some answers from Cédric Bertrand, security expert at ANS, the French agency for digital healthcare. Hello, Cédric Bertrand. Can you first tell us about your training and background?

00:10:12
Cédric Bertrand: My name is Cédric Bertrand, I'm a security expert, and in terms of my background, I was first a network administrator, where I managed corporate networks and a high school network, and then I went back to school to complete my training with IT security.

00:10:30
Lionel Reichardt: So you're a security expert at ANS. What are your duties?

00:10:35
Cédric Bertrand: Mainly, I provide support for in-house projects or, right from the start of projects within the agency, there's a security expert, we look at the architecture, the software that's going to be used and how we can take security into account as early as possible, so that's part of my remit. Another big part of my job is to carry out cybersecurity audits for hospitals. You've seen in the news over the last few years that there have been a huge number of attacks on hospitals using what we call ransomware.

00:11:02
Cédric Bertrand: Basically, what is it? Attackers take control of the entire network, block computers and demand a ransom to unlock them. I've developed a platform called "Cybersurveillance Platform", which enables security audits to be carried out in an automated way, so we can cover as many hospitals as possible.

00:11:21
Lionel Reichardt: What are the most common cybersecurity and information systems vulnerability issues?

00:11:27
Cédric Bertrand: From what I found when I carried out a hundred audits on hospitals, most of the time there are six main attack vectors. The first, and most common, is patch management. Every time a new piece of software is released, at some point new vulnerabilities are discovered, so security patches have to be applied. This can be a long and arduous process. And often, we find that the software isn't up to date and there's a vulnerability that's easily exploitable.

00:11:53
Cédric Bertrand: The second vector I come across regularly is configuration errors. Often, only the default configuration is applied. You have to go through what we call a hardening process, i.e. make the configuration a little more complex and more personalized. The third thing, the third attack vector I come across regularly, is weak passwords, i.e. passwords that haven't been changed, called default passwords.

00:12:20
Cédric Bertrand: Or users are using passwords that aren't very strong, so an attacker will be able to find them out by testing lots of passwords. This is something I come across quite regularly. The fourth is insecure development, i.e. development errors, or when developers sometimes develop without taking security into account in the code, which means that there are vulnerabilities linked to development, such as SQL injections.

00:12:48
Cédric Bertrand: It's important to remember that all the data users enter can be malicious. And that's not necessarily taken into account. The fifth vector is backups, which aren't secure enough. When you back up a website, for example, the backup of the website may include passwords, configuration files and so on.

00:13:09
Cédric Bertrand: Finally, the last types of attack vectors we regularly come across are what we call social engineering attacks, which involve exploiting the human factor to some extent. For example, you might be told "be careful, you haven't paid for your domain renewal". You'll receive a little e-mail and you'll be asked to enter your bank details, or you'll be told what's commonly known as phishing. They send you an e-mail, asking you to enter your bank details. So that's the latest type of attack that we're seeing everywhere, from individuals to businesses.

00:13:44
Lionel Reichardt: How should this issue of security be taken into account for a digital project? What approach should be adopted?

00:13:49
Cédric Bertrand: Security is a process. And the question isn't, "Am I going to be breached?" but rather, "When am I going to be intruded upon?" And from that point on, you need to think about security as early as possible in the project, and say to yourself, "If I'm ever intruded upon, how am I going to react?" Plan everything you need to do. And tell yourself that it's going to happen. The question isn't "Will I be a victim?" It's "When am I going to be a victim?"

00:14:17
Lionel Reichardt: To conclude, what advice would you give to a digital health project owner wondering about cybersecurity issues?

00:14:23
Cédric Bertrand: There are plenty of resources out there already, but if I had to give some quick advice, the first thing is not to start from scratch. When you're developing an application, base it on frameworks, tools that will help with development. There are several of them: for example, for PHP there's "Symfony", for Python there's "Django", and for Microsoft applications there's ".NET". In fact, these frameworks already take the security dimension into account. And that's the first thing that prevents developers from developing code that isn't secure.

00:14:51
Cédric Bertrand: The second thing: as I told you, in fact, sooner or later an intrusion is going to happen. And you have to ask yourself the question: if my website is hacked, for example, what actions should I take? So we're going to talk about PRA or PCA. A DRP, for example, is what we call a disaster recovery plan. If my website is hacked tomorrow, where are my backups stored? How can I get my website back up and running quickly? How can I detect an intrusion?

00:15:19
Cédric Bertrand: A BCP is a business continuity plan. Let's say, for example, that I have too many requests for my website. How can I keep my website running? And finally, once you've developed your application and it's ready to be made available on the Internet, you need to carry out an initial audit. This first audit will make it possible to see if there have been any configuration errors, if all the software is up to date, to see a little of all the attack vectors we talked about earlier and to carry out an initial audit before exposing resources on the Internet.

00:15:53
Lionel Reichardt: Cédric Bertrand, thank you for your testimony. Our episode is coming to an end. Thank you for listening. We'd like to thank our two guests for their availability. Don't hesitate to subscribe to our podcasts, which are also available on listening platforms. We look forward to seeing you soon for a new episode of 100 Days to Success.

00:16:20
Voice-over: Those who make the e-santé of today and tomorrow are on the G_NIUS podcast, and all the solutions for success are on gnius.esante.gouv.fr

Description

With Auriane Lemesle (GCS e-santé Pays de la Loire) and Cédric Bertrand (Agence du Numérique en Santé)

For this nineteenth episode, "100 Jours pour Réussir" takes a look at how cybersecurity is taken into account in digital health projects.

With a testimonial from Auriane Lemesle, regional Information Systems Security referent at GCS e-santé Pays de la Loire.

We also welcome Cédric Bertrand, security expert at the Agence du Numérique en Santé.