Information security is a complex topic and, in structured environments such as healthcare organisations, it may take considerable time to develop and implement. Challenges related to implementing information security are not only technical; they also involve changes in processes and the behaviour of all participating parties, including staff, vendors and even patients.
General ICT methods such as Capability Maturity Model Integration (CMMI) (1) can be introduced, as well as specific models developed for electronic healthcare, such as the Quintegra Maturity Model for Electronic Healthcare or Healthcare IT (HIT) Maturity Model developed by IDC Health Industry Insights (2).
Within the EU, the NIS Co-operation group and ENISA have been tasked with the elaboration of guidance and support of OES. ISO and its national counterparts have also dedicated a substantial amount of effort in producing information security standards. Most methods share a common basic approach based on a small number of key principles:
• Know your assets: what data, devices, systems and processes related to your information and its processing are in place, what their value or importance is for the organisation and key stakeholders for the provisioning of healthcare, such as patients, staff, management, owners, authorities, etc.;
• Identify and manage risks: what harm can be done (or just happen) to your assets, what are the root causes, how probable it is, what you can do in terms of either preventing it from happening or minimising its impact;
• Implement, appropriately and proportionately to the risks posed, technical and organisational measures to manage the risks posed to the security of network and information systems and having regard to the state of the art;
• Document and be consistent: implement a formal system to constantly monitor your assets and risks, increase awareness among all involved, improve your procedures and learn from mistakes.
The risks that result from cybersecurity threats and corresponding vulnerabilities are typically mitigated by a combination of organisational and technical security measures taken by smart hospitals. Experience gained from analysis of attack scenarios has shown that vulnerabilities may be contained through a rigorous assessment and vulnerability assessment, adoption of effective enterprise governance for cybersecurity, and state-of-the-art security measures, monitoring and auditing, and careful consideration of security requirements when introducing digital innovation and IoT components in the hospital, as well as investment in network and information system components. Awareness and understanding of the causes as well as the impact and origin of the incident through reporting, assessments, research, investigation, and analysis, is vital to enable well-informed decisions.
Useful Resources
In their effort to design and implement appropriate network and information security measures, healthcare providers may find valuable guidance in the CG Reference document on security measures for Operators of Essential Services (3), published in 2018, which provides a synthesis of common approaches to the security measures today in Member States and provides guidance on elaborating such measures, organised under four main cybersecurity domains, summarised in Table 1.
The CG recommendations support implementation of NIS and its aim to ‘significantly raise the level of security of OES in view of allowing them to face the serious risks posed to the security of their critical information systems’ with the aim of supporting their essential operations and ensuring the continuity of those operations.
Healthcare organisations may profit from the implementation of these recommendations, not only in terms of leveraging consolidated good and proven practices for ensuring a high level of security but also in terms of improving their compliance to the NIS related legal obligations.
In addition to this proposed framework used for the identification of suitable measures, the ENISA ‘Procurement Guidelines for Cybersecurity in Hospitals (4)’ provide a comprehensive taxonomy of healthcare threats and also lists the most common risks per type of asset subject to procurement in a hospital.
Healthcare threats taxonomy and risk identification provided in the ENISA procurement guide may be used as a starting point, for inspiration and as a check list when performing critical asset and risk identification.
A critical success factor in securing information in any organisation is the introduction of auditing procedures at all levels of the organisation of processes that relate to data and information processing and therefore to information security. It is also important to understand that auditing does not only mean conducting a formal audit of the overall information security management system once every year. It means that internal and external controls need to be established at many levels within the organisation and its various processes, structures and systems. What is even more important is that findings from these auditing procedures must be used for further improvement of the system. Only a fully functional Plan-Do-Check-Act (PDCA) cycle can provide a reasonable level of security over longer periods of time. As both the organisation and its external environment with its threats and risks are constantly evolving, being secure means being ready for all the threats that may come not only today or tomorrow, but also next week or next year.
Incident reporting in healthcare organisations, internally but also as part of their legal obligations, needs to be in a standardised form, enabling a comprehensive description and classification of the incident. The CG Cybersecurity Incident Taxonomy published in April 2018, although primarily elaborated to support the coordinated response to large-scale cybersecurity incidents, has a broader scope and covers cybersecurity incidents affecting the security of network and information systems in any sector of society. This incident classification does not exclude the use of additional taxonomies, such as healthcare specific taxonomies, should they be needed.
By maximising the incorporation of this taxonomy in the classification system you use to register incidents, your records will be shareable in the context of information sharing across borders, annual summary reporting under the NIS Directive, and international collaboration and information sharing.
While the CG guidance so far is intended to be sector agnostic, it can be easily profiled to healthcare environments. Nevertheless, health-specific guidance is expected to be delivered by the Health workstream of the CG and published in the NIS CG web page (5) which should therefore be regularly consulted.
Complimentary to the CG guidance documents, ENISA has published a number of studies addressing in particular the health sector. Its 2015 study, entitled ‘Security and Resilience in eHealth: Security Challenges and Risks’ (6), investigates the approaches and measures Member States took to protect critical healthcare systems, having, as main goal, the improvement of healthcare and patient safety. It equally includes: the policy context in Europe and the legislation of the Member States; perceptions across Member States on critical assets in eHealth infrastructures; the most important security challenges and common security requirements; as well as relevant good practices that have been deployed in the Member States for eHealth security. Furthermore, it makes a set of recommendations targeting the Member States, operators of critical eHealth infrastructures, and the European Commission.
The following are some of them, highlighted as having particular relevance to healthcare organisations:
Member States and healthcare organisations:
• should perform an impact/cost-benefit analysis of healthcare cybersecurity incidents and to use this as leverage for increasing investment in eHealth systems and infrastructure security;
• should set up information-sharing mechanisms to start exchanging knowledge and lessons learnt on cybersecurity issues, i.e. how to mitigate incidents, which are the security measures they take, etc.
A second study, published in November 2016, ‘Smart Hospitals: Security and Resilience for Smart Health Service and Infrastructures’ (7), looks in particular into challenges faced by smart hospitals and proposes key recommendations primarily for hospital executives:
Hospitals should:
• Establish effective enterprise governance for cybersecurity
• Implement state-of-the-art security measures
• Provide specific IT security requirements for Internet of Things (IoT) components in the hospital
• Invest in NIS security products
• Establish an information security sharing mechanism
• Conduct risk assessment and vulnerability assessment
• Perform penetration testing and auditing
• Support multi-stakeholder communication platforms (ISACs)
Further guidance on implementing Network and Information Management systems may be found in the ENISA ‘Procurement Guidelines for Cybersecurity in Healthcare Organisations’.
Additional Resources
DG CONNECT is has a mission to enable a resilient and privacy-protecting digital single market in Europe through leadership and being the centre of excellence in network and information security and digital privacy policy, providing enabling legislation, co-/self-regulation, cooperation and other soft policy measures including the application and periodic review of the NIS and e-Privacy legislation. Its mission further includes ensuring a future of strong digital resilience and privacy protection by leading the research, innovation and deployment agenda for network and information security and digital privacy in the societal challenges and LEIT/ICT of Horizon 2020 and in the CEF, and focusing on innovative and next-generation systems and generic cybersecurity and privacy solutions. Within this context, it has been funding cybersecurity projects for the health and care sector, some of which are already delivering very relevant and valuable results. H2020 projects on cybersecurity and data protection are progressively making available online a wealth of useful deliverables (8).
The Commission’s Directorate-General for Health and Food Safety (DG SANTÉ) has been supporting cybersecurity policies, especially through the eHDSI deployment projects which pursue a minimum level of security standards for eHealth competence centres. Cross-border eHealth deployment, currently pursued through CEF-supported national projects, is today realised within a common Audit Framework which includes an agreed minimum set of security measures for National Contact Points for eHealth (NCPeHs) and a formal process for external audit and approval to join the network of Member States exchanging cross-border health data. NCPeHs commonly store and manage sensitive health data: patient summaries and ePrescriptions; they are therefore also OESs and as such this framework may be seen as yet another relevant source of information. All in all, 31 information security readiness criteria (9) have been formulated, which NCPeHs need to address when deploying their services.
1. CMMI Institute website
2. Electronic Healthcare Maturity Model (eHMM), A White Paper by Balaji Sharma – Head, Healthcare Practice, June 2008 and Procurement Guidelines for Cybersecurity in Hospitals, by European Union Agency for Cybersecurity, February 2020
3. CG Publication 01/2018 – Reference document on security measures for Operators of Essential Services
4. Procurement Guidelines for Cybersecurity in Hospitals
5. European Commission | NIS Cooperation Group
6. Security and Resilience in eHealth Infrastructures and Services, by European Union Agency for Cybersecurity, December 2015
7. Smart Hospitals – Security and Resilience for Smart Health Service and Infrastructures, by European Union Agency for Cybersecurity, November 2016
8. For example, see Sphinx Project Website, Panacea Research Deliverables and Curex Project Deliverables
9. eHDSI Readiness Criteria check list