Hospitals are increasingly becoming the target of cyber-attacks, with very serious repercussions on business continuity affecting patient. The ransomware attack on the Irish national health service in May 2021 with on-going impacts in early 2022 is a wake-up call for organisations in Europe to improve their cyber resilience and put patient safety first.
The workshop on 9 February 2022 brought together three European funded projects, CUREX, PANACEA, and SPHINX, to show how their solutions could be used not only to avoid similar attacks but also mitigate their impacts.
Co-organised and moderated by Stephanie Parker, Senior Research Analyst at Trust-IT Services, the workshop opened with a welcome from Dr Med Sabina Magalini, Senior Surgeon at Gemelli University Hospital and Coordinator of PANACEA, giving an overview of the drivers behind this joint event, highlighting the need to take action now on cybersecurity with the involvement of top management.
Insights on the European Commission’s priorities for cybersecurity came from Dr. Reza Razavi, Sr. Research Programme Officer for EU Policies, Communications Networks, Content and Technology (DG CONNECT), including research and innovation to increase trust and security in the healthcare sector. According to Dr. Razavi “it is essential that people can trust the way in which health data is being accessed, can trust innovative digital solutions, and can embrace them without fear. Building trust involves security and data protection and has been of strategic importance for the European Commission already for many years”. He also outlined the new cyber security strategy, which is aimed at boosting cooperation, knowledge and capacity sharing at the European level.
A key feature of the event was a detailed account of the attack on the Health Executive Service, with insights coming from Peter Daly, COVID Project Manager and Helen Coughlan, Chief Technology Officer, highlighting its sheer scale across Ireland with 54 hospitals and over 4000 workstations and servers, which were brought down by the attack, affecting public health services, from primary care, ambulance services to lab tests, among others.
Resilience comes not only from cybersecurity capabilities but also from strong leadership at the very top in implementing effective strategies and allocating sufficient budget. The talk also stressed the importance of balancing services and regulations, measures for critical situations, as well as continuously raising awareness of the risks across the organisation.
Taking cue from the HSE ransomware attack, Pasquale Mari, Deputy Coordinator of PANACEA, presented a joint catalogue on how CUREX, PANACEA and SPHINX could have been used to prepare HSE staff and avoid the attack while mitigating its impacts. The catalogue is grouped around diverse functions, like data sharing and access controls, evaluation, validation, certification, knowledge collection and system monitoring, training and awareness, where the tools can be used in standalone or as combined solutions.
The three project coordinators then took the floor for a deep dive into their specific solutions: Christos Xenakis, Professor at University of Piraeus (CUREX), Christos Ntanos, Senior Researcher, National Technical University of Athens (SPHINX) and Sabina Magalini (PANACEA), explaining how the solutions can be used to avoid or minimise the impacts of similar attacks and ensure continued care within healthcare organisations as critical for patient wellbeing.
CUREX, PANACEA and SPHINX tools
The last speaker of the workshop was Maria Papaphilippou, Cybersecurity Officer at the European Union Agency for Cybersecurity (ENISA), giving expert knowledge on cybersecurity in healthcare and highlighting dedicated reports and best-practice guidelines produced by the agency. Her talk spotlighted the NIS directive, the network and information security directive, used to introduce the baseline cybersecurity requirements of essential services relying on information and communication technologies, as well as the Medical Devices Regulation (MDR), which defines the safety, security and IT security requirements, and introduces novelties relating to cybersecurity.
With an excellent mix of participants from healthcare, cybersecurity agencies, government, academia and research, the workshop preparations included polling at registration time to gain insights into critical factors for cybersecurity from the audience. The same poll was repeated at the end of the event to see how new insights affected priority ranking, showing that it had been effective in conveying a greater need for top management support than had previously been thought.
The graphs below show the main findings and takeaways from the short survey and the participants’ geographical distribution:
The workshop wrapped up with a panel discussion on the main takeaways and calls to actions. Chief among these, the common perception that cybersecurity is only an IT issue but that it should be organisation-wide involving all relevant processes, procedures and policies. Increasing the number of dedicated trainings, organisational structures and investments in cybersecurity are all equally important in the fight against cybercrime, deploying the right resources, skills, and competences and leveraging new solutions from research and innovation as exemplified by the three hosting projects: CUREX, PANACEA and SPHINX.