Next up in our series of 2-minute interviews comes our sit down with Alain de Maght, CISO & DPO at Hôpitaux Iris Sud – Iris Ziekenhuizen Zuid! With more than 25 years of experience in information technology, management, strategy, and governance, he joins our line-up of expert speakers at the Benelux Virtual Cyber Security Summit. Read on for Alain’s cyber security priorities, how cyber challenges in the healthcare industry have been shaped by the pandemic, and his lessons learned coming out of the pandemic.


In a nutshell, tell us a bit more about your current role at Hôpitaux Iris Sud.

Hôpitaux Iris Sud (HIS) is a group of public hospitals in Brussels. It is spread over 4 sites and has 550 beds. With about 2,000 employees it handles 40,000+ hospitalizations, 85,000+ ER visits and 350,000+ consultations a year and covers all specialities. Our approach focuses on respect for the person, taking the family into account. I am currently working as CISO and DPO, reporting directly to the CEO.

I am promoting:

  • A security and GDPR strategy based on (business) value management and integration into the organization’s strategy
  • The concept of security and GDPR by design for the processes of the organization’s operating model. These topics are not side efforts but have to be built into activities & projects
  • Security and GDPR are a matter of risk (management) and need to be integrated into enterprise risk management
  • The value of enterprise architecture and data governance
  • The alignment of the enterprise digital security architecture with enterprise IT architecture
  • The documentation of business processes as a starting point to identify improvements (also for the business), a possible point of entry to digital transformation
  • The adaption of a hybrid-multi-cloud architecture
  • The importance of the right sourcing model for security and GDPR (but not only GDPR)
  • Physical security as the first line of defence to digital security

A couple of verbs that I think reflect our cyber activities: listen, look, ask, read, exchange, think, understand, advise/propose and help. In essence, I promote lots of communication/awareness at different levels of the organization, link the conceptual with the down-to-earth aspects relying on a dual bottom-up/top-down approach, and execute the tasks of the DPO as defined in the GDPR (Art. 39).

What are your main security concerns and what are you prioritising at the moment?

  • IAM and PAM: mainly the non-technical part, organizational measures (policies, processes and procedures), in parallel to the deployment of technical solutions.
  • Malware and social engineering
  • PS: Limited homeworking so far, but the trend is going up

Have you seen any recent shifts in the cyber threat landscape? And, how is this affecting the healthcare sector?

Not a real shift, but an increase, especially in social engineering attacks. Ransomware is also around, affecting more hospitals than in the past. Cybersecurity is still perceived as a regulatory compliance effort.

The digital maturity level of your organization is a factor. After all, hackers never attack a paper folder…

What are the 3 main cyber challenges to tackle in the healthcare industry today?

  • End-users & the non-structured business processes
  • Increase of the surface of attack due to the digitalisation of the sector
  • IoT (Medical) and AI evolution

How are public/private entities overcoming these challenges? Are there differences in their concerns/objectives and priorities?

Overcoming: awareness initiatives, redesigning the security architecture, leveraging cloud-based migration, and rethinking the security sourcing model.

Differences: culture, agility, speed of adoption, regulatory constraints, investment, and the acquisition process.

What have been the main challenges associated with the spread of COVID-19? How did you respond to them?

  • Multiplication of temporary processes involving internal and external stakeholders
  • Homeworking (to a limited extent so far, but growing)

Looking at data protection, how do you think GDPR has affected cybersecurity?

With the introduction of Article 32, GDPR has a clear link with (cyber)security for all personal data. It has forced every business process owner to also include security in his/her considerations and to be a security driver in the organization. The business processes identified help to discover unknown issues and contribute to the documentation of new ones.

As many organisations adjust their business operations as a result of the COVID-19 pandemic, what data protection and cybersecurity risks should healthcare organisations prepare for?

In all honesty, a lot of organizations are still working on their GDPR compliance program; it’s a continuous effort. COVID-19 is driving changes. Each organization is different, but the implementation of new automated data flows and the addition of new technologies have to be carefully analysed.

What are the biggest lessons learned for you? And what lessons should the healthcare sector retain from the COVID crisis to strengthen its security posture?

COVID-19 is a crisis, an accelerated set of changes in business processes. Being able to change rapidly while staying efficient is very necessary.

The silos between entities are single points of weakness, and moving to more 360-degree, end-to-end, holistic views allows a strengthening of the security posture.

(Cyber)security and privacy have to work hand in hand. Reliance on frameworks for security and privacy management should guide the organization in justifying and implementing adequate and consistent controls and in bringing the organization to an agreed level of risk.

Security (and privacy) needs to be an area of attention at the governance, management and operational levels.


Join Alain at the Benelux Virtual Cyber Security Summit on 22nd – 23rd September for the sessions:

  • Day 1, 11:00 – Live Panel Discussion: ‘How Will the Pandemic Affect the Needs of Our Remote Workforce with the SASE Model?’ alongside Fred Streefland (Hikvision), Olivier Antoine (Post Luxembourg), Elian Habra (Bankinter), and John Graham-Cumming (Cloudflare)
  • Day 2, 14:00 – Fireside Chat: ‘Data Privacy as the New Strategic Priority, a DPO & CISO in Conversation’ with Eric Bedell (Franklin Templeton Investments)

Learn more about both of the sessions he’s involved in, the speaker line-up, and register for FREE with code: BENELUXVIP online at benelux.cyberseries.io/register!