Why a Data and Systems Security Guide for Healthcare Organisations?
The digital transformation of health and care holds significant potential for improved health outcomes, accelerated production of medical knowledge and increased health system intelligence. The COVID-19 pandemic has exemplified the challenges healthcare is facing and has placed in context the integrated response that is necessary, including the exploitation of high-performing data platforms, multivendor device connectivity, community-based care, remote monitoring, co-ordination of response and the pooling of data for research and the discovery of new drugs and vaccines. Connected medical devices, for example, can improve patient safety and efficiency, particularly when they are connected to clinical information systems. When this applies to the whole healthcare organisation ecosystem, it becomes a ‘Smart Hospital’. However, the increased flow of information within and between hospitals brings cybersecurity risks that C-level professionals in the hospital (CIO, CISO, etc.) need to address.
Cybersecurity in Context of Healthcare Organisations
The cybersecurity challenge in healthcare organisations is two-fold. Their environment is rapidly changing, becoming more connected internally, within the healthcare system and with other sectors; every new connection and device enlarges the attack surface and, with it, the organisation's security risk. Their capacity to respond is, however, hampered by outdated and complex legacy IT systems that are vulnerable to cyberattacks, and by a lack of cybersecurity culture, competencies and technical capabilities.
The Cost of Data and Systems Security
Organisations should analyse their needs, evaluate the costs and decide how much they can invest in downtime prevention. They should also plan for the cost of security measures, and understand and appreciate the cost of doing nothing, e.g. the financial impact of downtime, data loss, recovery and any resulting regulatory penalties.
Legal Obligations for Healthcare Providers
As a first step towards meeting GDPR requirements, the healthcare organisation should seek expert legal advice to ensure that it adopts and complies with the most appropriate legal basis for each data-sharing situation. Note that health data is a special category of personal data under GDPR Article 9, so a lawful basis under Article 6 alone is not sufficient: one of the conditions in Article 9(2) must also be met.
In addition, the healthcare organisation should appoint a Data Protection Officer (mandatory under GDPR Article 37 for public bodies and for organisations whose core activities involve large-scale processing of special-category data), who should be able to develop a suitable GDPR compliance strategy and see to its proper implementation and continuing compliance.
The NIS Directive further allocates responsibilities for:
• Operators of essential services and digital service providers, which must ensure the security of their network and information systems regardless of whether they maintain those systems internally or outsource their maintenance.
• Healthcare organisations identified as OES, which must comply with the security and notification requirements for operators of essential services; incidents having a significant impact on the continuity of the essential services they provide must be notified without undue delay to the competent authority or the Computer Security Incident Response Team (CSIRT).
Implementation of Information Security Management Systems
Management Responsibility
As a starting point, it is recommended that top management of healthcare organisations:
• Appoints a Chief Information Security Officer (CISO) and a cybersecurity team with an appropriate skill mix to cover all critical areas of operation; the CISO should be able to develop a suitable Cybersecurity Strategy and co-ordinate the development and implementation of an Information Security Management System (ISMS)
• Introduces, within the team, the roles of Information Security Architect and Information Security Manager
• Encourages cooperation between clinical, legal and security professionals; it is through their collective skills, co-creation and alignment that the most effective, efficient and broadly acceptable strategies and measures can be developed.
Implementation Guidance
It is recommended to treat information security and its implementation as a continuous effort and to adopt a maturity model that enables assessment of the current level of achievement in the various areas of information security, as well as the planning of future advancement, development priorities and goals. A number of guidance documents have been delivered by EU-level collaborative expert teams of Member State representatives and ENISA, primarily under the 2016 Directive on security of network and information systems (the NIS Directive; since repealed and replaced by NIS2, Directive (EU) 2022/2555, which applies from 18 October 2024).
Procurement for Cybersecurity
When procuring IT systems, medical devices and other products and services, cybersecurity must be given due consideration, in view of the risks associated with each type of new product or service that will be introduced into the healthcare organisation. In practice this means writing security requirements into tenders and contracts, e.g. secure default configuration, a documented vulnerability-handling process and a commitment by the supplier to provide security patches for the product's expected service life.