04 January 2020

PANACEA Research adopts a multi-stakeholder approach to define end-user requirements in terms of cyber risks and healthcare organisation priorities, with the aim of pinpointing critical impacts resulting from a cyber-attack or incident. To this end, PANACEA has investigated cyber risk scenarios from multiple perspectives in the context of healthcare organisations: cyber-attack-driven, regulatory-driven and behaviour-driven risk analyses. Here we report on the main findings for cyber-attacks, with some considerations of regulatory aspects.

Risk scenarios are the starting point for understanding the potential consequences in terms of privacy, data breaches, patient safety, patient trust and business continuity. From here, we can analyse the criticality of roles, processes, technology services, applications and devices, thereby gaining an understanding of which preventive measures need to be applied to increase cyber security in such contexts. Most of this investigation is based on workshops, surveys and interviews with PANACEA healthcare end-users are the basis for defining reliable and representative risk scenarios for user needs and requirements, both technical and non, alongside validation scenarios on which to test the PANACEA Toolkit as the main outcome of our research and innovation activities.

A key finding of this PANACEA investigation is the general lack of cyber security and knowledge about the diverse risks of a cyber-attack due to vulnerabilities and ‘shadow’ work process by staff members by opting for quick workarounds in a fast-paced environment, which though inadvertently increase cyber risks.

There are several measures IT teams hospitals can implement as good practices to mitigate risks right across the organisation.

First and foremost, IT departments need to make dynamic risk assessment a top priority to understand which IT assets, staff members and patients are most exposed to vulnerabilities and estimate the level of risk in relation to business impacts.

IT departments also need to set up a dedicated team responsible for defining mitigation measures. Indicators used to detect countermeasures should be based on the minimum acceptable level of risk and potential impacts on the hospital, while also ensuring compliance with applicable regulations. As healthcare organisations count as critical infrastructures, for example, under the EU NIS Directive, it is extremely important to monitor IT security management activities, with timely reports on any incidents incurred.

Our findings show that technology has a role to play in mitigating other risks, such as screening of USB devices on machines that are isolated from the main hospital network. Technology also underpins security-by-design, as well as the design and development of identification and authentication systems.

Security-by-design should drive manufacturers along every stage of the production process, spanning requirement definition, design, implementation, testing, validation and maintenance. Thus, hardening of products needs to become a top priority. The PANACEA risk scenarios show that medical devices, systems and software for healthcare organisations need to be robust from a confidentiality perspective to avoid the unwanted and non-compliant disclosure of sensitive data.

Identification and authentication are important for limiting intrusion in healthcare systems, whereby only authenticated systems and people are given access. Authentication is used to implement the ‘need to know’ principle so access to information is restricted to standard operations and protocols based on pre-defined roles and responsibilities. For example, PANACEA findings reveal a discrepancy between job descriptions and tasks actually performed on a daily basis. A good case in point is the sharing of log-in credentials, creating weak links in the cyber system of the hospital.

A good practice to minimise such unsecure behaviour would be implement an effective authentication mechanism and appropriate training. In this respect, it is very important that staff why any such measures are important as key to their adoption and continued use. This is key to driving good cyber security practices by minimising perceptions of security as a barrier to productivity and another “hoop to jump through” for no perceived reward.

With support from senior management, IT teams need to help bridge gaps with medical staff with a view to enabling positive behavioural change and investigating factors determining such practices. This is where cyber security governance comes into play, starting with a gap analysis in terms of roles, policies and procedures. Supporting hospital staff in defining what these are is thus a critical first step.

PANACEA findings point to the added value of creating an “Ad-hoc Task Force” charged with mapping cyber security and incident management with respect to general crisis management. The task force would report back to the CEO and manage processes in response to critical situations. Such an approach can guide the implementation of cyber security governance within a healthcare organisation to underpin the continuous improvement of the information security management system.

Lastly but definitely not least, healthcare organisations need to implement a value assessment for investments in cyber security as appropriate investments are key not just to build a more resilient IT infrastructure but also an organisation-wide cyber security culture. Value assessments need to consider aspects like the depreciation of the overall investment, the annual budget for cyber security, expected size and impacts of a cyber-attack or incident, including any regulatory-imposed fines, and the time and effort to recover.

Taking into consideration the PANACEA findings, healthcare organisations need to define a minimum configuration on which to operate so cyber security measures can be built around it with end-users testing and validating it. This is why PANACEA is developing an Implementation Guidelines Tool, enabling managers and IT teams to assess the status and customise the solution before rollout.