Cybersecurity needs 

  • There is no structured approach for ensuring the cybersecurity of newly procured systems and connected medical devices along the entire process: procurement and deployment in the clinical operational context.
  • Collaboration in the process between hospital ICT and Clinical Engineering Departments is poor.
  • The influence of users’ behaviours on cybersecurity is not taken into account.

Short Description 

The use case concerns the procurement of a new Point of Care Testing (POCT) device (for local blood analysis) and its deployment in 10 clinical wards. The POCT will be connected to the Laboratory Information System (LIS).
The procurement and deployment process is divided into 11 steps (1. Analyse proposal to assess compliance with Security stds, …, 10. Monitor impact on users’ behaviours, 11. Analyse and take action if needed). For each step, ten organizational actors are involved (CISO, DPO, Training, Procurement) and PANACEA tools specific to that step can be used (e.g. CST in step 1).
During a workshop, the most relevant actors simulated the execution of the entire process. The process “walk-through” was facilitated by the PANACEA team, which also showed how eight tools can be used.

Overview on how PANACEA can make a difference

The use case shows how the PANACEA tools (DRMP, CST, SBDF, IMP, SBNT, TECT, RGT) can be used to implement a robust “security by design” approach while performing the process, so that new cybersecurity vulnerabilities are not imported.
The integrated use of PANACEA tools offers a more structured method to:

  • In the Procurement phase, (i) insert ad hoc clauses in the contract, (ii) select among offers of different competitors.
  • In the Deployment phase, (i) build a low-risk behavioural use context, (ii) ensure higher compliance with regulatory frameworks.
  • In both phases, ensure that all relevant actors are involved from the start of the process with clear responsibilities and methods.

End User Testimonials

“An end-to-end structured approach to the procurement of technological assets is really useful” Information Security Officer.
“I really appreciate the clear definition of roles and of the “shared responsibility” of the parties involved, in particular ICT and Clinical Engineering Departments, along the phases of the procurement process” Clinical Engineering Officer.
“The fact that the method covers also the “human factors” aspects is really positive and an advance vs the current culture, which is techno-centric” Medical Doctor.