In February 2020, ENISA published its procurement guidelines for cybersecurity in hospitals, treating procurement as a key process in shaping the IT environments of modern hospitals that want to meet their cybersecurity objectives. Integrating cybersecurity holistically into the diverse processes, components and stages that make up the healthcare IT ecosystem is essential to prioritising cybersecurity in hospitals.

This report offers guidelines for hospitals when procuring services, products and infrastructure, with a set of good practices organised by the type of procurement or by the threat the organisation can mitigate. The report is designed as an easy-to-filter set of practices so that hospitals can focus on the aspects relevant to them.

Policy context: Legislation plays a major role in defining the cybersecurity requirements that should be described in the technical specifications when obtaining products and services in a hospital. The most prominent of these in Europe are: The Network and Information Security Directive (NISD); Medical Device Regulation (MDR); General Data Protection Regulation (GDPR) and in the U.S.: Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FDA Guidance for Cybersecurity. 

Set of good practices: These comprise general practices applicable throughout the procurement lifecycle, as well as practices specific to individual procurement phases.

  • General practices
    • Involve the IT department in procurement. 
    • Vulnerability management. 
    • Develop a policy for hardware and software updates.
    • Secure wireless communication. 
    • Establish testing policies. 
    • Establish Business Continuity plans. 
    • Consider interoperability issues. 
    • Allow auditing and logging. 
    • Use encryption. 
  • Plan phase:
    • Conduct risk assessment. 
    • Plan requirements in advance.
    • Identify threats. 
    • Segregate network.
    • Establish eligibility criteria for suppliers. 
    • Create dedicated RfP for cloud. 
  • Source phase:
    • Require certification.
    • Conduct a DPIA (Data Protection Impact Assessment).
    • Address legacy systems.
    • Provide cybersecurity training.
    • Develop incident response plans.
    • Involve supplier in incident management.
    • Organise maintenance operations.
    • Secure remote access.
    • Require patching.
  • Manage phase:
    • Raise cybersecurity awareness.
    • Perform asset inventory and configuration management.
    • Dedicated access control mechanisms for medical device facilities.
    • Schedule penetration testing frequently or after a change in the architecture/system.

PANACEA Research perspectives: These ENISA guidelines are of interest to PANACEA as they highlight the multi-faceted aspects of cybersecurity across the procurement lifecycle, helping to map priorities across major decision makers, procurement officers and IT teams in healthcare organisations. This is a key aspect for exploiting the results of PANACEA's toolkit. 

Lookout Watch entry date: 21/07/2020