The webinar hosted by cyberwatching.eu on 10 December is just one example of how European funded projects are working towards more resilient healthcare systems. The webinar brought together the DEFeND, PANACEA, PAPAYA and SPHINX projects to delve into the very important topic of security and privacy by design as part of the cyberwatching.eu project clustering activities. Here, we report on the perspectives shared by PANACEA during the webinar.
PANACEA coordinator Dr Med. Sabina Magalini highlighted the major issues facing the healthcare sector in terms of cyber risks and vulnerabilities while pointing out important opportunities to innovate the industry.
- Healthcare systems are mission critical infrastructures with a vast array of connected devices, networks and information that need protecting from internal weak links and malicious outsiders. With cyber-attacks now escalating, much more needs to be done to ensure business continuity, patient safety and data privacy.
- A COVID-like context raises specific requirements in terms of Security & Privacy by Design to tackle emerging risks, such as:
- Low levels of security in telemedicine.
- Staff technology illiteracy when working from home.
- New staff unfamiliar with company cybersecurity and privacy policies.
- Fast-designed apps and solutions with potential security flaws.
- Sharing of data flows for infection monitoring with low levels of security.
- Insecure Wi-Fi systems in temporary healthcare structures, giving hackers the opportunity to monitor traffic over the air and steal access credentials.
- As hospitals receive an increasing number of offers for new IT platforms, they need methods and tools to assess if they are fit for purpose from a privacy and cybersecurity perspective.
While the COVID-19 pandemic has confirmed the crucial role that healthcare plays in all our lives, it has also highlighted a major opportunity to renew health IT systems: investments to replace or upgrade obsolete and vulnerable IT assets, guided by new approaches to security and privacy by design. In all European countries, Next Generation EU and national recovery plans and investments will include the upgrading of healthcare systems and medical devices.
These investments are an opportunity to reduce cyber risk if and only if Security & Privacy by Design approaches are adopted by all involved parties. In the meantime, hospitals should be setting up pre-requirements for contracts with medical device manufacturers and system/service providers. These should state that, when choosing between similar products, preference is given to those that comply with a Security and Privacy by Design approach.
European response: To be in line with this policy, all parties can count on the solutions proposed by three projects: DEFeND, PANACEA and PAPAYA. The European response to the need for Security and Privacy by Design includes not only the revamping and strengthening of ENISA (the EU Agency for Cybersecurity, through the Cybersecurity Act, Regulation (EU) 2019/881) and regulatory measures (GDPR, MDR, EU Directive 2016/1148, Cybersecurity Act 2019/881), but also the funding, through the Horizon 2020 programme, of research and innovation projects to develop solutions that are effective and usable in the healthcare context. DEFeND, PANACEA and PAPAYA are three of them.
- The DEFeND (Data Governance for Supporting GDPR) project provides an innovative data privacy governance platform which supports healthcare organizations towards GDPR compliance using advanced modelling languages and methodologies for privacy-by-design and data protection management.
- The PANACEA (Protection and Privacy of Hospital and Health Infrastructures with Smart Cyber Security and Cyber Threat Toolkit for Data and People) project provides all healthcare actors with an assessment and system-monitoring audit workflow to easily run conformity assessments and engineering assessments.
- The PAPAYA (Platform for Privacy Preserving Data Analytics) project is developing privacy-by-design solutions and a dedicated platform for data analytics tasks that are outsourced to untrusted data processors.
The PANACEA Security-by-Design Framework
Martina Bossini Baroggi from RINA walked webinar participants through the Security-by-Design Framework, aimed at ensuring that system developers and medical device manufacturers apply security and privacy by design approaches right across the engineering life cycle.
- Healthcare context: a lack of cyber awareness within the healthcare sector calls for immediate and industry-wide action through the development of a programmatic approach to the identification, mitigation and remediation of risk.
- The main innovations of PANACEA's SbDF are:
- The inclusion of a Compliance Support Tool (CST) helping users verify compliance with cyber security standards throughout the entire lifecycle of a medical device or digital health application.
- The inclusion of a Secure Design Support Platform (SDSP) providing a risk-based approach to improve security controls of a medical device/system during its development.
- Use of extracted taxonomies on vulnerabilities, threats and security controls in the most relevant standards that can inform risk assessment scenarios specific to healthcare.
- The support of security-by-design principles in the analysis of security levels and scenarios, which guides manufacturers in deciding which security controls to implement during the early phases of software and system engineering.
- Taking on board ENISA's approach and guidelines for the analysis of potential candidate certification schemes.
Presentations: Dr Med. Sabina Magalini - PANACEA; Martina Bossini Baroggi - PANACEA; Orhan Ermis, EURECOM - PAPAYA; Andrés Castillo, Pediatric Hospital Niño Jesús and Haris Mouratidis, University of Brighton - DEFeND