In November 2016, ENISA published its key recommendations for hospital information security executives and industry to enhance the level of information security in Smart Hospitals.

Smart hospitals refer to the adoption of Internet of Things (IoT) components to support the core functions of a hospital. Collaboration among various stakeholders, numerous interconnected assets and high flexibility requirements not only lead to a complex and dynamic environment but also to blurred organisational boundaries.

Due to the great number of significant assets at stake (patient life, sensitive personal information and financial resources), information security is a key issue for smart hospitals. The root causes of threats to smart hospitals are, however, not limited to malicious actions: human errors and system failures, as well as third-party failures, also play an important role. The risks that result from these threats and the corresponding vulnerabilities are typically mitigated by combining organisational and technical security measures taken by smart hospitals.

With respect to organisational measures, compliance with standards, staff training and awareness raising, a sound security organisation, and the use of guidelines and good practices are particularly relevant. Relevant technical measures include network segmentation, asset and configuration management, and network monitoring and intrusion detection. However, manufacturers of information systems and devices used in smart hospitals have to take certain measures too. Among them are, for instance, building security into products from the outset, adopting secure coding practices and extensive testing.

Based on the analysis of documents, empirical data, and a detailed examination of attack scenarios particularly relevant for smart hospitals, the study proposes key recommendations primarily for hospital executives: 

  • Establish effective enterprise-wide governance for cyber security.
  • Implement state-of-the-art security measures.
  • Provide specific IT security requirements for IoT components in the hospital.
  • Invest in NIS products.
  • Establish an information security sharing mechanism.
  • Conduct risk assessment and vulnerability assessment.
  • Perform penetration testing and auditing.
  • Support multi-stakeholder communication platforms (ISACs).

The study also makes recommendations for industry representatives in order to enhance the level of information security in smart hospitals. Namely, industry players should:

  • Incorporate security into existing quality assurance systems.
  • Involve third parties (healthcare organisations) in testing activities.
  • Consider applying medical device regulation to critical infrastructure components.
  • Support the adaptation of information security standards to healthcare.

PANACEA Research perspectives: PANACEA is developing a toolkit with technological, human and organisational elements fit for the digitisation of healthcare, providing measures to counteract cyber risks in the sector and build stronger defences. ENISA's ongoing work is also a major reference point for PANACEA, which continuously analyses the policy and regulatory environment and matches its toolkit assets with good practices in the area of cybersecurity.

Lookout Watch entry date: 07/08/2019
