
Health data security: Business is booming! [By Cedric Cartau, CISO CHU Nantes]

June 13, 2016

Not too long ago, information technologies were limited to salaries, invoicing and accounting, full stop. And by “not too long ago” I mean the late nineties, even if some of us equate this period with the Precambrian era and “old school computing” … It’s worth noting that IT has been around for 50 years whereas hospitals have been around for at least 500 years. Even in my lectures I sometimes ask those who are interested “what IT revolutions took place after 1991?” Nada! None! All the more impressive!

In any case, as far as payroll or accountancy is concerned, security is no longer a major issue for the IT department. Payroll crashes (the mere thought has all the HRM trembling)? No worries! We’ll just use last month’s payroll. Accountancy crash? Little effect if any at all, at the most a careless mistake – just switch around the figures. Invoicing? Pfff… We pay our suppliers after 52 days and our “clients” – sorry, I mean our patients – will pay us even later.

But when you start computerising the heart of the profession or logistical support, then you have to alter your tone. There are basically two reasons for this. The first one is easy to understand: any dysfunction in IT at the heart of the medical profession has a direct impact on those who are “on the battlefront” so to speak: doctors, nursing staff and thus indirectly patients. No need to spell it out. A breakdown in medical prescription systems means there is no access to a patient’s history and medical dispensations: this could prove to be very risky and in some cases even lead to the death of a patient.

But the most pernicious situation is no doubt an IT crash in support services – logistics or direct support for treatment like imaging or biology. Here the devil is in the detail. Of course everyone understands the consequences of a breakdown in biology: no blood tests, which is disastrous in the case of a life-threatening emergency. However, there are a multitude of tiny bits of IT all over the place, unknown to the IT department (don’t even mention the CISO), the breakdown of which can have very, very worrying effects. One day, for example, the labelling machine for patient meal trays broke down. This machine prints the hot-melt adhesive bar codes for meal trays before they are delivered by the logistics department. It might seem insignificant, but definitely not when you need to deliver 3,000 meal trays (for the same number of patients) 3 times a day across 20 different geographical locations in a single French département. I can tell you the head chef’s stress levels surged. One little detail: nobody, not a single person, had anticipated this SPOF[1] in the production chain, or even imagined such a breakdown in the system.

The future for CISOs will be hectic, especially in the health sector with 4 upcoming IT revolutions: the transition to paperless, Big Data, connected objects and genomics. A whole book would be needed to describe the consequences of these revolutions. As far as IT and security are concerned, it would be fair to say that making these changes will require at least the same effort as when we transitioned from administrative computing to computerising the heart of the profession.


Business is indeed booming!


Cédric Cartau


Cédric Cartau is the Information Systems Security Manager at Centre Hospitalier Universitaire de Nantes and a lecturer at EHESP School of Public Health. He also performs information systems audits on behalf of public and private institutions in different industries. He is a regular contributor to DSIH and has published the following works under Presses de l’EHESP and Eyrolles:

  • La sécurité du système d’information des établissements de santé (The Security of the Information Systems of Healthcare Institutions), Presses de l’EHESP, 2012
  • Guide pratique du système d’information (A Practical Guide to Information Systems), Presses de l’EHESP, 2013
  • Stratégies du système d’information, vers l’hôpital numérique (Information Systems Strategy: Towards the Digital Hospital), Presses de l’EHESP, 2014
  • L’informatique d’entreprise au quotidien (Day-to-Day Business Computing), Presses de l’EHESP, 2014
  • L’informatique de santé (Healthcare Computing), Eyrolles, 2015


[1] Single Point of Failure
