The "Health" Area

  • Editorial

    While actors and decision makers are aware of the importance of Information Systems Security for the good quality of the infrastructures, not all of them have in mind that it is also a matter of safety for patients’ health.

    New uses (mobility, online health, online medicine, connected medical equipment, remote maintenance) combined with professional and personal uses increase both risk exposure and risk-taking time. This is also due to the constant “all connected”.

    Therefore a change is required at the higher executive level. Executive managers have to be aware of the risks and the rules, otherwise no State law or regulation can be efficient… with more disciplined doctors… with more patient-oriented industries.

    In this complex context, CISOs or CSOs have to juggle economic constraints and the multitude of industry offerings. Most experts think that the CISO should report directly to an (in)formed head office that is conscious that ISS is neither only a technical issue nor merely an issue of means.

    Meanwhile the State is expected to provide an operational organization which tends to be sometimes easier, often more coherent, always more effective.

    Paved with obstacles and long is the path leading to Virtue

    Salvation shall come from operational people standing behind the few courageous and volunteers because Nature fears emptiness.

    Jean-Pierre Blum, MD, President of the Strategic Committee of the Assises Health Sector

 

  • The health sector
     
    • Bringing together concerned players around the health sector
      • Targeted visitors: some 100 information security officers, information system managers and security officers from university hospitals and major hospitals
    • A strategic committee, chaired by Dr Jean-Pierre Blum, E-health References and Security Manager, National Assembly, establishes the strategic focuses. The committee’s members include:

      • Eric Grospeiller, IS security official - Ministry of Health and Sports
      • Philippe Loudenot, Assistant IS security official - Ministry of Health and Sports
      • Guillaume Deraedt, information security officer - Centre Hospitalier Régional Universitaire de Lille

    • Specific topics proposed

      • Governance and future

        Tomorrow is the time of online medicine, shared datacenters between public services and health centers, private Clouds, regionalization of resources, home hospitalization and mobility.
        The expected outcome is the establishment of a regional system in which all the hospitals’ CSOs refer to a senior CISO who is part of the Regional Health Agency. He would refer directly to the RHA head office, as the other CSOs would refer to their health center executives. It is the minimum the State should set up, as required by most CISOs, and would be the logical continuation of the reforms.
        ISS governance, under head office regulation, will be entrusted to a small team:

        - The Head Office Executive, guidelines and constant leading of the ISS policy
        - The Human Resources Director, managerial animation
        - The CSO, nominal functional architectures
        - The CISO, control tools, strategic watch, new risks and uses
        - The CME President, training doctors
        Some kind of a perfect world!

      • Digital hospital: new uses, new threats

        Very high speed Internet, all connected, mobility, online health and online medicine are steps forward for better social and medical practices, but also better reasons to reinforce security, especially regarding internal acts of negligence and external abuses. Hospital IS solution providers, here is your challenge: take your responsibilities and deliver adaptive and safe solutions.

      • The Regional Numeric Health Areas

        ENRS are dematerialized service areas, driven by the Regional Health Agency, constrained by the recommendations of the ASIP (Health shared IS agency), and responding to the regional needs of the medical centers. Those areas highlight the matter of security of medical information all along the chain of medical services. Not all of the questions have been resolved. The ENRS are, by definition, made to share! Uses are going to take advantage of the “all connected”, the rocketing of exchanged volumes and the mobile uses, expected to be 25 times more important in 2015 and 10 times faster. But a moment's thought shows that the threat to ISS (and so to the quality of the services) depends on the risk exposure duration, the data volume and the transmission speed. Two problems are implied: the security of the infrastructures and the safety of the services to patients. Let’s say it frankly: the rise of online medicine makes our technology-dependent systems as fragile and fallible as humankind. Yet the medical service requires guarantees and responsibilities, and requires degraded-mode alternatives for a business continuity plan. Continuity plans will be specifically watched, since the level of demand concerning the availability of medical equipment is very high. Information security has to be conceived “ex ante”. As any doctor knows, an ounce of prevention is worth a pound of cure, so let’s try to think about it first: “primum non nocere”.

         

  The 2010 programme for the Health Area at the European Security and Information Systems Congress was sponsored by the Ministry of Health and Sports