Today, the line between physical and virtual worlds is becoming increasingly blurred. While cloud environments offer transformative opportunities for the healthcare sector, they also carry a large number of cyber risks. Benoit Grunemwald, cybersecurity expert at Eset, one of the leading providers of IT security software and services in Europe, shares his advice on how to conduct a secure teleconsultation. He also discusses healthcare cybersecurity in general and the way hackers work.
MedicalExpo e-magazine: Could you introduce your company and your role?
Benoit Grunemwald: I have been working for 17 years at Eset and I am in charge of the link between the outside world and our laboratories. We produce preventive and educational content based on real facts (past cyber attacks) or possible scenarios. We are able to identify current and future risks that can potentially be exploited.
Currently, the biggest risks are related to data leakage, unsolicited data access, disruption of normalcy, denial of service, etc. Today, as far as teleconsultation is concerned, we are more about prediction, caution and alert than about real cases.
Our company has been around for 30 years and is based in Bratislava. We have about 3,000 employees in 185 countries with 13 laboratories worldwide. In France, our customers include the national gendarmerie; a number of institutions; small and medium-sized companies; and individuals—who are the core of our turnover.
Can you say that medical teleconsultation has grown since Covid-19, as have the cyber risks connected to it?
Benoit Grunemwald: Yes, of course, teleconsultation was particularly successful during the “Covid years.” Now it has become a way of life, just like teleworking, because we realized that in a number of obvious cases it is not necessary to go into the medical office in the first place.
For example, in the context of medical follow-ups where the diagnosis has already been made and the patient simply wants to make sure that everything is fine or share additional information with his or her doctor, there is no need for a visit. Similarly, for the follow-up of medical prescriptions and prescription renewals, it is not necessary to go into the office if the symptoms have not changed.
What aspects need to be worked on to conduct a teleconsultation with the fewest cyber risks possible?
Benoit Grunemwald: From the moment you use a digital tool, you have to ask yourself, in terms of cyber security, if three elements are respected: availability, confidentiality and integrity. If these three elements are compromised, the service provided to the patient can be severely degraded and even risky, particularly in terms of data protection.
1/ What is a breach of availability? For example, if at the time of the teleconsultation, the service is not available. This can happen in the event of a risk related to a Denial of Service or DDoS (Distributed Denial of Service).
A DDoS is when a very large number of attackers or activists send a very large number of requests at the same time so that the server becomes so saturated that legitimate users cannot access it. The result is technical (the service becomes inoperative) but the motivations are ethical or activist (hacktivist).
For example, some activists could consider teleconsultation to be a poor quality consultation, and for this reason, they do not want a teleconsultation platform to be accessible.
2/ What is a breach of confidentiality? As soon as you have an application on your phone for a teleconsultation, this application can have a certain number of flaws, just like the infrastructure, which can allow unauthorized people to access confidential information, and potentially extract it.
This is what happened during the cyber attack on the Corbeil-Essonnes hospital last fall. The cyber criminals broke into the hospital’s information system, extracted the data and said: “You no longer have access to this information, we have it; if you don’t want us to disclose it, you must pay a ransom.”
3/ What is a breach of integrity? In this case the group of attackers penetrates the information system, steals the data, and instead of making the data saleable, they modify it by reversing patient records for example. We’re talking about sabotage techniques that have been seen before in industry, for example with the Colonial Pipeline cyber attack in May 2021.
During this ransomware cyberattack, the impact was on a server that counted the flow of gasoline sent through the different pipes supplying a part of the United States. Colonial Pipeline had to stop distribution because they were no longer able to count and account for what was going out.
In the healthcare sector, the integrity of medical data can be compromised in the same way. We saw that during the research on a vaccine against the coronavirus, there was enormous competition between laboratories. There was espionage, and therefore cyberespionage. Another area where we see cyberespionage is between health organizations that decide whether a drug can be put on the market or not.
What advice would you give today to practitioners and patients in order to conduct a teleconsultation with as little risk as possible?
Advice should be given at three levels: to the provider, to the practitioner and to the patient.
1/ The provider: Normally the platform must be governed by a series of regulations such as, in Europe, the GDPR for the protection of personal data (as well as Security by Design and Privacy by Design which are included in the GDPR). The platform must rely on these regulations. Beyond this, we must focus on everything that concerns IT in general and be particularly careful with these aspects as any company should be, especially in sensitive sectors.
2/ The practitioner: A bit like the user, they must be aware of the risks linked to digital technology and the risks not only for their patients but also for themselves if they do not take security seriously. So we advise them to:
- Be careful with the computer you are connecting from and make sure there isn’t a virus intercepting your data. Imagine you are a practitioner and you have spyware on your computer that transmits everything you write to a third party. It is conceivable that an attacker could then log in with your login and password in order to make false vaccine certificates, for example, allowing those who do not wish to be vaccinated to obtain a health pass. This is a double fraudulent use. So the practitioner’s computer must be well protected.
- Use strong authentication mechanisms so that no one can access your account, for example: complex and unique logins and passwords for the teleconsultation platform that are different from the other sites you connect to that could potentially be hacked (forums, etc.).
- Use a password manager
- Use multi-factor authentication (you are sent an SMS with numbers or you are asked for a code to connect to an application)
- Do not connect to any public wifi networks or wifi hotspots where you don’t know what the security level is
- Keep personal and professional spheres separate by using dedicated devices, not reusing the same passwords, etc.
Regarding this last point, a number of studies have found that teleworking has led to a reduction in the separation of personal and professional life. If you are at work and you need to use a computer for personal research, you will do it from your smartphone or wait until you get home because you don’t want your colleagues to catch you, etc.
On the other hand, at home, if you want to take a break and look at the plane tickets for your next vacation for example, you won’t necessarily take out your personal computer, you’ll tend to do this research on your professional computer. So, that encourages risk. But, in any case, attackers can find out, through various cross-checks, that the practitioner who uses this personal computer is the same one who uses this professional computer.
3/ The user: We make exactly the same recommendations as for the practitioner. We can add that if the user has downloaded a teleconsultation application on his or her smartphone, he or she should always use the latest version. This is very important because if the provider updates the infrastructure, it is both to provide new features but also, and especially, because there may be bugs to correct that can impact security.