On the sidelines of the SantExpo trade fair, which takes place from 23 to 25 May 2023, we have brought together three cybersecurity players who will be exhibiting in the Brittany pavilion. Yves Duchesne, cybersecurity expert at ACCEIS, Cathy Lesage, president of RubyCat, and Frédéric Grelot, co-founder of GLIMPS, testify to the dynamism and complementarity of the Breton ecosystem and share their views on cybersecurity as applied to the healthcare sector.
What solutions do you propose for the health sector?
Yves Duchesne: Cybersecurity is based on at least three pillars: technology, organisation and people. ACCEIS supports its customers to help them organise themselves on a strategic level, such as document production, the implementation of a cybersecurity strategy and organisation to secure the information systems. We also provide them with technical expertise. What we are going to put in place with a hospital centre is very similar to the method we apply to a manufacturer, a local authority or a digital company.
Cathy Lesage: For nearly 10 years, RubyCat has been developing a tool for enhanced traceability of sensitive access to the HIS, which is certified by the ANSSI. Our bastion / PAM software solution, a federating portal for sensitive access to critical resources, was initially aimed at the health sector for an initial need identified in the Digital Hospital Plan to strengthen the security of privileged accesses such as accesses by remote operators and external service providers who work on the HIS. Internal administration access is now also concerned (internal administrators who have access to critical resources).
Frédéric Grelot: We do not intervene only when there are problems. We intervene a lot in addition to EDR (Endpoint detection and response) in order to speed up detection. We are also regularly contacted by incident response providers who are called by hospitals following an attack. Often, there are quite high stakes, especially concerning personal data. The investigation phase has to go fairly quickly in order to determine the extent of the leak and to find out what happened to the information system during the attack.
Health, an area that is “special without being special”
Compared to other sectors of activity, are health, and more particularly the hospital environment, faced with different constraints?
Y.D.: The health sector is special without being special. It concentrates critical and strategic data, on which there are strong constraints. Unfortunately, this field often lacks the means to secure itself. The sectors all have their particularities, but are all ultimately faced with similar threats. The specificity of health is linked to the regulatory constraints and the different programmes such as SEGUR, which mean that there are specificities.
C.L.: For us, the health sector includes strong constraints that can be found in the OIVs (Operators of Vital Importance) and OSEs (Operators of Essential Services) that can be found in all sectors. The names of the constraints change, but they are very similar. Our solution applies in the same way. The real problem in hospitals today is the question of human resources. The information systems teams have fewer and fewer people. They don’t have enough time; the MCO (Maintenance in Operational Condition) is important and our solution is particularly well suited to their needs as it only requires one hour of maintenance per month; they need a simple, effective tool that makes their daily work easier and not one that is too sophisticated and that they will not be able to master.
F.G.: The health sector, particularly in the public sector, is faced with a huge gap, due to a lack of resources, compared to the defence or banking sectors, for example, which have very large budgets due to the impact of a data leak on their business.
Attacks on hospitals are on the increase, notably in Dax and Corbeil-Essonnes. Have you felt an impact on your activities or an awareness of the health structures?
C.L.: The needs have not changed. On the other hand, these attacks have made it easier for CISOs to obtain additional budgets and have encouraged a greater awareness on the part of general management. They are more aware of the feedback from CISOs. Previously, as long as there was no problem, nothing much happened. Management is now obliged to include cybersecurity in their budget.
Y.D.: Historically, healthcare has been a consumer of cybersecurity. This subject is not new. I don’t have the impression that there has been an awakening. Things have always been put in place from a regulatory point of view.
Is the health sector subject to any specificities from a commercial point of view?
F.G.: In the health sector, it is difficult to say that you are going to take an hour from a health specialist to present a solution. I have the impression that you have to be in the right place at the right time rather than soliciting people directly. There is a real issue around the time spent by the teams.
C.L.: Indeed, attention will be paid to elements such as the disaster recovery plan (DRP). Because in the event of a problem, the infrastructure needs to be put back together more quickly. Unlike the industrial sector, where there is a loss of time and profitability on a production line, there is a vital risk for patients.
F.G.: This brings us back to the issue of the time saved by the cyber solution. If it wastes time, it will be difficult to offer it. If it creates unavailability, the structures prefer to do without it to devote themselves to the patients. A manufacturer faced with a stoppage in its assembly or production line will be more inclined to invest in a product to ensure that the tool does not break down.
SantExpo, a place to bring together the right people
Does being present at a fair like SantExpo help to change people’s mindsets about cyber?
Y.D.: The advantage of SantExpo is that we meet the right people and that they are available. It brings together a lot of different players, not just CISOs (information systems security managers) or CIOs (information systems directors), but when we meet them, they are there for specific issues and have questions to ask.
C.L.: Also, what interests CISOs and CIOs is being able to meet their peers and share their experiences and thoughts. The CIO/ISR clubs are more regional in scope, whereas SantExpo is a national event.
F.G.: People are indeed present with objectives. It is not a question of thinking about contacting the cyber players, but of meeting them, concretely, during a dedicated day. The CISOs and CIOs will have a series of meetings, demonstrations of IT solutions and advice. In the end, they will have a clearer idea of what they can implement.
What do you expect from an event like SantExpo, given that cyber represents a minimal part of the show?
F.G.: Just the kind of exchange we are having at SantExpo is enriching us all. It allows us to pool our strengths in cybersecurity and capture people’s attention.
C.L.: For us, it’s a way to meet our customers on site and the intersection of the health and cybersecurity sectors is interesting.
Y.D.: This exhibition is an opportunity to spread the word. Our presence will allow us to start a discussion on the subject of cybersecurity. It is the philosophy of the crossing of sectors that is very interesting. The FIC is very profitable for exhibitors because visitors are qualified and come to the show for the cybersecurity issues. But a trade fair for a different sector such as SantExpo triggers thoughts among people who are not necessarily present for cyber issues. A person interested in an X-ray tool, for example, may be interested in cybersecurity issues and will certainly look into them after a discussion.