Guillaume Poupard: “Being a regulated operator is a chance, not a burden”

In 2020, ransomware attacks spared no one, especially hospitals. A trend that “continued in 2021, with an average of one attack per week” explained Matthieu Feuillet, head of the risk management office at the agency on the occasion of the presentation of the agency’s 2020 activity report. . The multiple attacks targeting French health establishments prompted the government to announce in February a support plan for the cybersecurity sector, and Anssi also put itself in battle order to support the sector.

This has resulted in particular in the designation of around 100 additional hospitals to be supervised under the Operators of Essential Services regime, a category of regulated actors defined under the NIS directive. This European directive makes it possible to define sectors considered essential and to impose certain constraints and obligations in terms of security on the organizations concerned, a broader and less cumbersome version of the regulations governing operators of vital importance concerned by the French military planning law. from 2013.

“We already had the large CHUs and the main hospitals which were supervised as operators of vital importance, and we had designated around twenty health establishments to be considered as essential service operators” explains Guillaume Poupard, director of Anssi. “The novelty is that we have added a hundred smaller establishments to this list of operators of essential services, aiming to cover the greatest number of establishments. “This extension was announced in February, and the designations were therefore made:” We focus above all on establishments at the head of hospital groups in the territory, as well as on establishments based in overseas territories: unlike those based in France. metropolitan area, we cannot easily reroute patients to other establishments in the event of an incident paralyzing the system, ”explains Guillaume Poupard.

Prevention is better than cure

The director of the agency insists on the fact that it is not only a question of imposing new obligations on these establishments, but of reinforcing the level of security of organizations which have not always been able to keeping up with the state of the art in digital security. “Until then, we tended to think that hospitals were not targets, but we realized that there were attacks on health establishments, even in times of health crisis” explains the director of the agency, who insists that this is “an opportunity and not a burden” for institutions.

“When certain hospitals are attacked, we will help them. But we also have to intervene upstream. Designating these new establishments as operators of essential services is above all a way for us to reach out to them and to be able to help them, ”adds Guillaume Poupard. Anssi received a budget of 136 million euros as part of the France Relance plan, aimed at financing both diagnostics and the deployment of new equipment. Of these 136 million euros, 25 are for health establishments and hospitals.

The agency had also invited during its press conference the CISO of the Leon Berard center, specializing in treatment and research on cancer, who benefited from one of its “cybersecurity courses” offered by Anssi: on the program, a complete inventory of the establishment’s security posture in order to identify gaps and possible weaknesses. “The procedure then gives rise to a summary, which is symbolized by a“ cyberscore ”which shows both the level of security of the establishment and the attainable level, and then allows the implementation of a security plan. ”

In addition to Anssi’s efforts, the Ministry of Health has also pledged to finance part of the effort by releasing 350 million euros for cybersecurity projects in the health sector. The delay to be made up in this matter was considerable: in February, Anssi had issued a report pointing out the many factors of vulnerabilities in the IT systems of healthcare establishments: large attack surface, equipment and software often obsolete or not having sufficient security, lack of resources allocated to IT security issues. The subject therefore risks occupying Anssi for some time to come.

Back to top button