How to move from security management to cyber-resilience?

By POST & EBRC 24/02/2022
Health & Life Sciences

Fake websites, phishing, malware, scams: the increase in cyber-attacks since the beginning of the health crisis has reminded us of an obvious fact that many seemed to have forgotten. There is no such thing as perfect cybersecurity, and cyber-resilience has become more than ever an imperative. But how does one become a cyber-resilient organisation? To answer this question, EBRC held an online client testimonial session during Cybersecurity Week Luxembourg, which took place from 18 to 28 October, with Aline Moyret, Governance, Risk, Compliance (GRC) - Practice Lead at EBRC, and Jacques Federspiel, Chief Information Security Officer at Hôpitaux Robert Schuman.  

It was no coincidence that a hospital group was chosen to talk about cyber-resilience. Hospitals are a prime target for cybercriminals, particularly since the start of the pandemic. They are also complex environments. Created in 2014 from the merger between the Clinique Bohler, the Kirchberg Hospital, the ZithaKlinik and the Clinique Sainte-Marie, the Hôpitaux Robert Schuman have more than 306 self-employed doctors and some 2,500 employees spread over seven areas of activity. "A hospital is a bit like a town", explains Jacques Federspiel. "Several professions work together on a regular basis with the same aim: to provide patients with high-quality care and a personalised service with a strong human component. The technological resources are impressive. The biomedical part alone includes nearly 10,000 pieces of equipment. Logistics also play an important role. To give a simple example: without water, it is not possible to perform dialysis on a patient suffering from kidney failure.”     

Concrete and essential objectives

In order to manage the cybersecurity of this particular world, Jacques Federspiel had to start almost from scratch. "When I took up my post five years ago, the maturity of the hospital in terms of IT security governance was very low. Before I arrived, the position of Chief Information Security Officer did not even exist. So, we had to raise this level of maturity as quickly as possible. That's why I started looking for a reliable partner with experience in the healthcare sector, offering a pragmatic approach and with expertise in both the technical and auditing fields. My choice was quickly made to work with EBRC.”

"Since our first contacts were from the IT department, we focused our audit on a more technical angle," continues Aline Moyret. "In other words, we applied the 20 critical security controls of the CIS (Center for Internet Security). These controls, which aim to prevent the most widespread and dangerous attacks, allowed us to identify concrete and essential objectives to work on with the IT department."

Subsequently, the collaboration between EBRC and Hôpitaux Robert Schuman evolved: "From cybersecurity, we have gradually moved towards cyber-resilience", explains Jacques Federspiel. "Two important factors have led to this development. The first concerns the transposition into Luxembourg law of the European NIS Directive which imposes new regulatory requirements on operators of essential services (OES) with the obligation to implement measures designed to ensure a common high level of security of networks and information systems in the European Union (Act of 28 May 2019). The requirements imposed on OES are the implementation of security measures (incident prevention and service continuity), incident reporting/management and risk management. The second relates to the fact that the Hôpitaux Robert Schuman are designated as a critical infrastructure by the Grand-Ducal Regulation of 21 February 2018 determining the modalities for the identification and designation of critical infrastructures; and the Grand-Ducal Regulation of 21 February 2018 laying down the structure of the security and business continuity plans of critical infrastructures. The High Commission for National Protection (HCNP), designated as the national authority in charge of coordinating issues related to critical infrastructure protection, is responsible for initiating, coordinating and ensuring the implementation of activities and measures related to the identification, designation and protection of critical infrastructure, whether public or private. In addition, the HCNP makes recommendations to the owner or operator of a critical infrastructure on security measures to protect it, improve its resilience and facilitate crisis management efforts. We realised that information security was not just a matter for the IT people, but for everyone in the hospital group, and that information systems security governance had to be implemented by management, not just the IT department.”  

Using the right language to get things done

“To support our client's cyber-resilience initiative, we changed our audit approach to use the ISO 27001 (information security management) and ISO 22301 (business continuity management) standards, with a focus on specific issues either through targeted penetration testing or through an assessment of all aspects of the disaster recovery plan. Our goal was to have a more complete view and to use, depending on what we discovered, the right resources in an efficient way on more targeted areas and thus have tangible results on the most sensitive issues.”  

“What we particularly appreciated about EBRC was their ability to use the right language to get things done,” concludes Jacques Federspiel. “In the same vein, we should in the near future create a multidisciplinary compliance committee on data security and protection. It should be made up of representatives from the legal profession, the data protection officer, the risk manager and the Chief Information Security Officer. The aim is to speak with one voice to all stakeholders.”
