BDI launches its podcasts. On the occasion of the European Cyber Week 2022, we brought together three cybersecurity players to look back at the attack suffered by the Dax hospital in February 2021. Nicolas Terrade, Information Systems Security Manager (ISSM) of the establishment, Arnaud Meunier, ISSM of the Quimper-Cornouaille hospital, and Gilles Larroche, project manager within the GCS e-Santé Bretagne, shared their insights on this attack, but also on the contributions of regional ecosystems to prevent and fight against this type of attack. Here are selected excerpts from this three-way dialogue, which is even more relevant in light of the recent attacks on the hospitals in Corbeil-Essonnes and Versailles.
The reaction: between marathon and solidarity
Invited to the European Cyber Week 2022 to share his feedback on the attack suffered in February 2021 by the hospital in Dax, Nicolas Terrade, CISO of the establishment, mentioned the word “marathon” several times during his presentation.
A term retained by his counterpart at Quimper-Cornouaille, Arnaud Meunier: “The diagnosis, remediation and return to normal of the information system is not a sprint. When healthcare professionals are affected, both CISOs and doctors, there is a lot of physical and psychological fatigue. Nicolas Terrade adds: “The return to normal is a long-term process. We must not go too fast or try to rush through the stages because, in the end, that’s when we get exhausted.”
The second strong word emphasised by Nicolas Terrade: resilience and solidarity. “The hospital staff continued their work. They were able to adapt, to provide care without necessarily having the patients’ histories. All the staff, from the administrative and medical sectors, provided us with considerable support in restoring the systems.”
Finally, Gilles Larroche, project manager at the GCS (Groupement de coopération sanitaire) e-Santé Bretagne, notes “the long timeframe and the short and medium-term impacts on information systems and on certain services such as radiotherapy, for which the doctors in Dax were forced to accompany patients to other establishments.”
Listen to the podcast on your usual platform.
The impact on the CISO profession
The cyber attack had an impact on the activity of the Dax hospital centre, but also on the vision of the CISO’s job. “In the context of both new and old projects, we include this security aspect from the start,” explains Nicolas Terrade. “This inevitably implies a latency in the management of the project. But it is not a negative latency. It is a rather positive latency that allows us to implement a security layer. Now we have a greater say in the decision-making process. For example, one solution provider did not meet the requirements that we have now set. So we changed the solution.”
Arnaud Meunier was not affected, but the Dax cyber-attack did have an effect on his job and his vision of it. “I’m going to go to Dax in the near future to discuss and understand what happened and what may happen. If we don’t understand, we won’t be able to do our job, which is to protect the continuity of care within the hospital.”
The perception of cybersecurity
In February 2021, the cyber attack was a bombshell. In the media and politically, the country realised that even health establishments, despite their benevolent role, could fall victim to hackers. The members of the Dax hospital centre were approached by the media, but also by the President of the Republic. This shed light on cybersecurity needs and the means to be implemented to protect public institutions. “The health workers in Dax are now very aware,” emphasised Nicolas Terrade. What’s more, the hospital’s management has included the cost of the new security system in its budget. This was not the case before. Arnaud Meunier agrees: “There was a before and after. The media worked for us to raise awareness by reporting the attack. In terms of needs, it is human and less financial resources that are required. People with expertise in information systems security who will install, configure and operate cybersecurity solutions.”
The means put in place in Brittany for cybersecurity
In Brittany, institutions can count on the GCS e-Santé Bretagne or Biotech Santé Bretagne to consolidate their cybersecurity achievements. “We are working on putting CISOs in touch with each other so that they can exchange information, says Gilles Larroche. We are also trying to raise awareness among professionals. By launching fake email campaigns, for example. Finally, the Brittany Region has a priority: it is to have a partner to respond to security incidents and to have service providers to prepare and support health establishments to manage these crises.”
The future or current presence of regional ecosystems
In Brittany, health establishments can currently count on a solid and continuously growing ecosystem. The presence of the army, through the DGA, dedicated schools and, in the future, the ANSSI, makes the region a driving force for the country in terms of cyber security. “On the academic side, this allows companies or institutions to integrate work-study students into their teams, as is the case with the GCS e-Santé Bretagne, says Gilles Larroche. As far as the armed forces are concerned, I think that it will be in our interest to get closer to them to benefit from their expertise.” For Arnaud Meunier, this wealth of structures is a major support on a day-to-day basis: “The GCS e-Santé Bretagne is doing a great job of animating the network of CISOs. Brittany is a land of cybersecurity that brings together schools, research and companies. I am delighted to be working there.”
Soon, like other French regions, Brittany will be equipped with a CSIRT (cybersecurity incident response centre) and a cyber campus. For Nicolas Terrade, the CSIRT in New Aquitaine “could have provided additional local support. In the future, the cyber campus and the CSIRT will bring new solutions deployed in the short term with the guarantee of a much faster return. The interest lies in the availability of solutions, in feeling supported because it is important not to feel alone in these situations.”