Today, the line between physical and virtual worlds is becoming increasingly blurred. While cloud environments offer transformative opportunities for the healthcare sector, they also carry a large number of cyber risks. Benoit Grunemwald, cybersecurity expert at Eset, one of the leading providers of IT security software and services in Europe, shares his advice on how to conduct a secure teleconsultation. He also discusses healthcare cybersecurity in general and the way hackers work.
Here is Part II of this interview.
MedicalExpo e-magazine: Is it possible to achieve zero risk when conducting a teleconsultation?
Benoit Grunemwald: We will never get there, we can’t. It’s like the number of deaths on the road, it will never be zero. It’s an inevitability, but that’s the way life is, not cybersecurity. Our goal is to identify the most likely scenarios, the most likely flaws, and those that have the most consequences. From there, we do a risk analysis and the client will take the appropriate measures to go from a state they are not satisfied with to a state that is not 100% secure but that they are sufficiently satisfied with.
MedicalExpo e-magazine: Is it possible today to use connected medical devices, such as a smart watch, without any risk?
Benoit Grunemwald: We should not deny technology and innovation, they are fundamental. However, people should be aware that if malicious software attacks their smart watch, it may no longer be available and the data recorded on it may be shared with third parties without their authorization. Worse, an attacker can hack into a connected watch and change the person’s blood sugar index for example.
In this context, is it possible to have a 100% secure smartwatch or connected medical device? In cybersecurity, 100% does not exist, as I said earlier. The idea is to get to a level where you can sleep well and where the risk is “acceptable.” So the answer is yes, but it is also up to each person to set the risk acceptability cursor.
I’ll give you an example: you use a free service on the Internet for which you are obliged to accept the conditions of use, which ask you to share information that we Europeans, under the RGPD, consider to be confidential personal data of great value, in return for the free service. So it’s up to you to see if you really want to accept these conditions. Are you violating your own values or not? It is a state of consciousness I would say.
Unfortunately, sometimes the user has no choice. So the responsibility also lies with practitioners and the platform they choose to make available to their patients. These must at least guarantee a certain level of security. We are talking about a level of requirement here, not about responsibility in the criminal or legal sense of the term.
MedicalExpo e-magazine: Who are the hackers?
Benoit Grunemwald: There are essentially two categories of cybercriminals: white hats (ethical hackers) and black hats (malicious hackers).
White hat hackers discover a flaw and hack it, but before making this flaw public, they follow a procedure specific to the profession (a kind of convention called “Responsible Disclosure”) and warn the manufacturer, thus giving them time to correct the flaw before telling the rest of the world what they found. White hat hackers’ goal is to raise awareness without putting anyone in danger. They have certain ethics.
Black hat hackers are unscrupulous cybercriminals. They are mostly divided into two subcategories: small and medium cybercriminals motivated by money, and large cybercriminals motivated by destabilization, cyberwarfare, geopolitical issues, espionage and sabotage. We have been seeing examples of the latter with the war in Ukraine and everything related to the production and distribution of energy.
Unfortunately, these two categories tend to come together today in attacks: why not carry out sabotage and at the same time ask for money in return? If it works, you get a double win, jackpot!
MedicalExpo e-magazine: Are cybercriminals also undergoing a digital transformation?
Benoit Grunemwald: Absolutely. Before, small cybercriminals only had access to tools at their level, but today, on forums or via other techniques, they can have access to the tools of big cybercriminals and they can carry out operations that are actually beyond them.
Or they can even find themselves affiliated with large cybercriminal groups, especially via Ransomware-as-a-Service (RaaS). Let me explain: you can have a mafia company that publishes malware, but its job is not to operate it, just to publish it. The company puts it on the forums and says: the one who operates it will get 15% (or sometimes even 50%) of the ransom in exchange.
I remember the case of this pediatric hospital in Canada that was attacked by an affiliate. The company that published the malware and the Ransomware-as-a-Service decided to give the hospital the decryption key to access the file without paying the ransom and publicly apologized saying that it did not normally attack the health sector and even less pediatric hospitals. It then publicly announced that the affiliate partner for the attack was banned from its cybercriminal networks.
In industry, when machines were designed, they were designed without cyber safety in mind. With the digital transformation that followed, everything has become networked and this transformation has brought a huge number of risks and consequences. And any change in a plant costs millions, so it’s complicated…