On the supply side, manufacturers of the information systems and devices used in hospitals are expected to comply with security requirements, build security into products from the outset, adopt secure coding practices and test their products extensively. Security requirements should be clearly defined in the procurement phase and should be verifiable by means of certifications or proof of compliance with relevant standards. Many large organisations, for example, are adopting ISO 27001 and have had their information security management system certified.
It should also be kept in mind that attacks on healthcare organisations are not always direct. They often come through the supply chain, especially where suppliers are seen as more vulnerable than the hospital itself yet have access to critical information and data. It is important to identify the points in the supply chain where an attack could occur and to understand the severity of the threats, their likelihood, and the ability of current defence mechanisms to detect and address them. Auditing the cybersecurity capability of a supplier to determine the degree of risk it poses to the organisation is also a proven good practice; such audits should apply both to the supplier selection process and to ongoing performance monitoring. Note that the incident notification obligation that the NIS Directive places on healthcare organisations may also need to be extended along the supply chain, so that suppliers are bound to report relevant incidents to the hospital. Provisions of this kind should also be foreseen during the procurement phase.
Procurement is therefore a critical function for cybersecurity. In turn, the importance of cybersecurity in the hospital changes the way procurement professionals work: they need to acquire the relevant skills and collaborate with their IT departments at every stage of acquiring IT systems, medical devices or third-party services, in order to identify the best ways of addressing the associated challenges.
In February 2020, ENISA published the ‘Procurement Guidelines for Cybersecurity in Hospitals – Good practices for the security of Healthcare services’. The report offers cybersecurity guidelines for hospitals when procuring services, products and infrastructure. It addresses primarily hospital procurement officers and CISOs/CIOs, providing the context for addressing cybersecurity in procurement. A threat taxonomy and a list of key risks associated with procurement are also presented. All this information is accompanied by quick guides providing insights as to how hospitals can use it in their procurement process.