The number of cyber-attacks around the world exploded in 2020, as cybercriminals exploited the Covid-19 pandemic to take advantage of the shift in focus towards smart working and the transfer of hospital staff to the frontline.
In February 2020, ENISA published its procurement guidelines for cybersecurity in hospitals, recognising procurement as a key process in shaping the IT environments of modern hospitals that want to meet their cybersecurity objectives. Holistic integration across the diverse processes, components and stages affecting the healthcare IT ecosystem is essential to prioritising cybersecurity in hospitals.
This report offers guidelines for hospitals procuring services, products and infrastructure, with a set of good practices organised by the type of procurement or the threat the organisation can mitigate. The report is designed so that the practices are easy to filter, letting hospitals focus on particular aspects.
Policy context: Legislation plays a major role in defining the cybersecurity requirements that should be described in the technical specifications when a hospital obtains products and services. The most prominent in Europe are the Network and Information Security Directive (NISD), the Medical Device Regulation (MDR) and the General Data Protection Regulation (GDPR); in the U.S., they are the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FDA Guidance for Cybersecurity.
Set of good practices: These include both general practices applicable throughout the procurement lifecycle and practices specific to individual procurement phases.
PANACEA Research perspectives: These ENISA guidelines are of interest to PANACEA as they highlight the multi-faceted aspects of cybersecurity across the procurement lifecycle, helping to map priorities across major decision makers, procurement officers and IT teams in healthcare organisations. This is a key aspect for exploiting the results of PANACEA's toolkit.
Lookout Watch entry date: 21/07/2020