21 July 2022

Healthcare has recently seen the introduction of new technologies, including Big Data analytics, IoT, AI and cloud/mobile services. Collectively, these advances have contributed to the development of electronic health records and the capacity for telemedicine. Healthcare environments are particularly challenging because of their multi-user connected endpoints, which make the use of information systems prone to human error. Combined with the lack of information security measures, this human behaviour increases the risk of cyberattacks with potential data breaches.

Technical solutions to safeguard hospital IT services

The mission of the EU-funded PANACEA project was to develop technical solutions to detect and manage risks in complex IT environments such as hospitals. The project brought together multidisciplinary expertise for the design of a toolkit that addresses IT weaknesses and offers an essential service in healthcare. “PANACEA introduced nine tools to help healthcare organisations to assess, reinforce and manage their capability to avoid cyberattacks that disrupt business continuity and put sensitive data at risk,” explains project coordinator Sabina Magalini. One of the tools helps in assessing the security by design of newly procured medical devices or software applications. The idea is to avoid introducing any new vulnerabilities into the hospital’s IT system. Researchers developed a software-based tool that rapidly analyses possible new types of attack and provides dynamic risk evaluation of IT systems, medical devices, and people. It also offers prioritised mitigation actions for the vulnerabilities detected. Regarding data protection, PANACEA introduced a secure software-based solution for sharing clinical documents and images between different organisations regardless of where they are located. To increase the security of hospital workstations that are usually accessed by numerous employees, the project proposes a biometric identification system for face recognition through an employee’s smartphone.

Improving staff awareness and organisational preparedness

A considerable part of the project was devoted to raising awareness about cyberthreats and preparing healthcare organisations to deal with real IT breaches. Researchers devised a checklist that identifies security gaps in hospitals with respect to cybersecurity standards and offers guidelines to build an IT-secure organisation. To assist hospitals in adopting the right cybersecurity solutions, the consortium developed a method that helps hospital management decide the priority of investments in cybersecurity, maximising return in terms of increased compliance with cybersecurity standards. This comes together with a set of guidelines that support hospitals in selecting and deploying the PANACEA tools according to their specific needs. With respect to alerting hospital staff, PANACEA introduced a method that identifies non-secure IT behaviours and then deploys context-specific nudges in the form of memes or screensaver messages. Short voiceless video clips with cartoons describing real risky situations were also developed for raising staff awareness. The tools have been validated in three European countries, and each tool can be used alone. “The main achievement is that the PANACEA tools make up a holistic, people-centric and organisation-oriented approach,” emphasises Magalini. The toolkit is directly accessible via the PANACEA Healthcare Cybersecurity Advisory Services (PHCAS), a collaboration mechanism signed by project partners under a memorandum of understanding. PHCAS offers multidisciplinary advisory services to help clients adopt a holistic approach to cybersecurity assessment and preparedness.