ENISA’s key recommendations on protecting smart hospitals
November 2016 by ENISA
ENISA presents a study that sets the scene on information security for the adoption of IoT in hospitals. The study, which engaged information security officers from more than ten hospitals across the EU, depicts the smart hospital ICT ecosystem and, through a risk-based approach, focuses on relevant threats and vulnerabilities, analyses attack scenarios, and maps common good practices. A rough estimation of the cost of cyber security incidents in hospitals shows that a change in mentality is required. The need for improved, and even remote, patient care drives hospitals to transform by adopting smart solutions, sometimes ignoring the emerging security and safety issues.
Nothing comes without a price: hospitals are the next target for cyber-attacks. The increasing number of ransomware cases and DDoS attacks is just a glimpse of things to come. The introduction of Internet of Things (IoT) components into the hospital ecosystem widens the attack surface, rendering hospitals even more vulnerable to cyber-attacks. The report recommends, inter alia, that:
- Healthcare organisations should define specific IT security requirements for IoT components and implement only state-of-the-art security measures.
- Smart hospitals should identify their assets and how these will be interconnected (or connected to the Internet), and based on this identification adopt specific practices.
- Device manufacturers should incorporate security into existing quality assurance systems and involve healthcare organisations from the very beginning when designing systems and services.
ENISA Executive Director, Udo Helmbrecht, commented: “Interconnected, decision making devices offer automation and efficiency in hospitals, making them at the same time vulnerable to malicious actions. ENISA seeks to co-operate with all stakeholders to enhance security and safety in hospitals adopting smart solutions, namely smart hospitals”.
Healthcare is moving up the policy agenda: the adoption of the NIS Directive brings healthcare organisations within its scope. In 2017, ENISA will support the Member States in introducing baseline security measures for the critical sectors, focusing on healthcare organisations. Moreover, in continuation of this work, ENISA will look more closely at cyber security issues in medical devices.
The report findings were presented at the 2nd ENISA eHealth security workshop, organised on the 23rd of November together with the Vienna Hospitals Association. In a session dedicated to “IoT Security for eHealth”, experts from the private and public healthcare sector, organisations and policy makers exchanged views and experiences through live demos.