Although there is growing awareness that cybersecurity is extremely important, the budgets healthcare allocates to it are limited. A structural policy and more cooperation are needed within the sector in Kurt Gielen’s view.
Kurt Gielen is IT manager at Ziekenhuis Oost-Limburg (East-Limburg Hospital), a position he combines with the role of CISO. This is actually not ideal. A CISO ideally stands outside the whole IT operation and looks at it from a distance so he can challenge IT. That tension makes for great progress. The two roles should ideally be separated therefore.
'Within the role of CISO, I try to raise awareness about cybersecurity. Increased computerisation and digitisation, as well as recent incidents, have increased the focus on cybersecurity. There is growing awareness in many large companies that a CISO clearly has an important role. But there is unfortunately still work to be done in the health sector to convince managements and boards of directors of the importance of cybersecurity,' says Gielen. 'Chief information security officer is a role that is rare in healthcare at present.'
Do you face specific challenges as a CISO in a hospital?
'A hospital is a complex environment. A large hospital like ours is a town in miniature. We do all sorts of things: logistics, transport, IT, food, healthcare.... We deal with very confidential information and data while being publicly accessible at the same time. Everyone walks in and out of here just like that. Moreover, we have an atypical employee field. As self-employed people, doctors are often not on the payroll and they feel less bound by corporate policies. But at the same time, they play a crucial role in the operation and funding of our hospital. In addition, we have quite a few employees who work here for only a short time such as interns and students.'
Your team was given a difficult task then?
We have to be very meticulous with our budgets for the task at hand and proceed selectively in what we do and don't do. At the ZOL, we work with an IT team of just under 50 staff who operate effectively at a pretty high operational and technical level. That sounds good, but given a workforce of 5,000 employees, it is still a fairly small number. Our team is responsible for the physical installations of a network of 4,000 PCs on four campuses. We maintain hundreds of servers in five different data centres and make sure hundreds of applications keep running.'
'As I said, we work with very critical data, often the most intimate data a person can have. And you have to protect that on a budget that is quite spartan, in a sector that is pretty immature in terms of cybersecurity.'
Is healthcare not yet far enough on the cybersecurity front?
'Security unfortunately does not always come first due to limited resources. In the Netherlands, the IT department of a comparable hospital would consist of 300 people. In smaller regional hospitals in our country, the IT department consists of five people at most. It is therefore clearly difficult to work out a consistent policy. Furthermore, the fact that the role of CISO does not yet exist in many hospitals does not help either.'
'I also notice that every hospital has its own policy. We all do the same exercises, we keep reinventing the wheel and that generates a lot of overhead. We need to get things going outside the boundaries of our own hospital so as to create support in the sector. We are trying to do that, for instance, under the umbrella of the Cyber Security Coalition in which we have a healthcare-specific focus group with a number of working groups around specific themes. There we try to pursue alignment across the sector as well as seek a forum where we can learn from each other.''.
To what extent does a hospital a possible cyberattack into account?
'We address this eventuality very actively and invest a relatively large amount of time and resources to prevent it. Since the onset of COVID, hospitals are often victims of ransomware. They seem to be an easy victim and the impact of a cyber-attack is high because human lives are at stake. Moreover, hospitals work with very critical data and are highly digitalised. In our case, every process has a digital component and that gives cybercriminals many potential access points.'
'A cyberattack is still too often seen as something one-off. It does not yet lead to a structural policy. We make a conscientious effort to have the right protection techniques in place and we make sure we are ready for it. But as a sector we are still too reactive. We also very often work with what are known as legacy systems, i.e. devices that still work with software from 20 years ago. These tend to be medically certified equipment to which we are not allowed to change anything.'
'Fortunately, there is growing awareness that we need to take steps quickly. We are more active with it than the average SME. But if we look at concrete measures or implementation, we are not yet at the level of the banks, for instance, even though we handle equally sensitive data.’
Which trend worries you most in terms of cybersecurity?
'For one, the complexity of everything. You have to defend against all possible attacks, make sure everything is tightly sealed, whereas an attacker only needs one opening to do his thing. The solutions are becoming increasingly sophisticated, but unfortunately increasingly more expensive as well. And it remains something very intangible. When have you taken sufficient measures? And are they the right measures? That is very difficult to quantify and requires a lot of expertise that is still insufficiently present in our sector. If there is ever a successful attack, all we can say is that we tried to do the utmost according to current practices, but nevertheless we have to conclude that it was not enough.'
'What troubles me even more is the ease with which attacks can be purchased as a service. Anyone can buy attack packages on the internet at very low prices. Cybercrime is a huge business and, all in all, people get away with it pretty much with impunity.'