This cyberwatching.eu webinar in December 2020 brought together three Horizon 2020 projects working on new security- and privacy-by-design solutions for healthcare: PANACEA,  DEFeND and PAPAYA. The webinar is the outcome of a clustering activity on cybersecurity and healthcare coordinated by cyberwatching.eu, with DEFeND (Data Governance for Supporting GDPR) providing an innovative data privacy governance platform; PAPAYA (Platform for Privacy Preserving Data Analytics) project is developing privacy-by-design solutions and a dedicated platform for data analytics tasks outsourced to untrusted data processors; PANACEA (Protection and Privacy of Hospital and Health Infrastructures with Smart Cyber Security and Cyber Threat Toolkit for Data and People) enabling all healthcare actors to easily run conformity and engineering assessments. 

Dr Med. Sabina Magalini, senior surgeon at the Gemelli University Polyclinic highlighted the urgent need for security and privacy-by-design solutions in healthcare given that IT systems are mission critical yet hospitals are still vulnerable and poorly protected.

• In recent years, ICT and connected Medical Devices have become mission-critical for healthcare operations with cyber-attacks and staff mis-behaviour increasing risks for business continuity, patient safety and data privacy.
• Improving the current levels of privacy protection and security is imperative because most of the existing assets were designed when data privacy and cybersecurity were not a priority.

COVID-19 has brought attention to the real need for security- and privacy-by-design approaches to respond to the shift towards telemonitoring and remote working, the recruitment of new staff, fast deployment of ad-hoc IT solutions and the use of temporary healthcare sites, all of which raise cybersecurity and compliance concerns. 

The post-COVID-19 pandemic era must be an opportunity to renew these systems with radically new ways to replace or upgrade obsolete IT assets that are no longer fit for purpose, prioritising investments in security- and privacy-by-design approaches. The European Recovery Plan and new priorities on cybersecurity could be important levers for boosting investments in digital health and telemedicine, including methods and tools for assessing the security and privacy of IT platforms to deal with the pandemic and systems to tele-transmit data. However, these investments are an opportunity to reduce cyber risk if and only if security- and privacy-by-design approaches are prioritised for adoption by all parties involved.

PANACEA led the mapping of DEFeND, PANACEA and PAPAYA in terms of targeted regulatory compliance.  spanning the GDPR (EU) 2016/679; DIRECTIVE (EU) 2016/1148 (NIS) concerning measures for a high common level of security of network and information systems across the Union; the Medical Device Regulation (EU) 2017/745 taking effect from May 2021 and the Cyber Act Regulation (EU) 2019/881.

Martina Bossini Baroggi from RINA presented PANACEA’s security-by-design framework in the context of healthcare, where cyber awareness is extremely low, calling for a programmatic approach to detecting, mitigating and remediating cyber risks. 

• Cybersecurity measures should be part of the design process for systems and medical devices. Thus, the PANACEA security-by-design approach to software and hardware development is aimed at making systems and devices as impervious to cyber-attacks and vulnerabilities as possible through continuous testing, authentication safeguards and adherence to best programming practices. 
• The presentation also highlighted how PANACEA has drawn on ENISA’s mapping of security requirements for operators of essential services (OES) in diverse sectors and ENISA guidelines for the analysis of potential candidates of certification schemes.
• Other innovations include the extraction of taxonomies for vulnerabilities, threats and security controls from relevant healthcare standards as references during risk assessment scenarios. The security-by-design principles support manufacturers in taking informed decisions on security controls during the early phases of software development and system engineering.

The Framework comprises two solutions: 

• Secure design support platform - SDSP (RHEA): Prioritising security in the development of medical devices and information systems with a software platform for risk assessment. Such assessments can produce security controls pointing to new requirements that need embedding in the system to improve security. SDSP enables users to perform risk assessments in each phase of the medical device life cycle. A key innovation is enabling a risk-based approach to enhancing the security controls during the development of a medical device or system. 
• Compliance support tool - CST (RINA): Supporting the quality assurance process throughout the entire lifecycle of medical devices and systems and putting in place as assessment audit and compliance with existing standards in healthcare. CST covers compliance through the entire process. A key innovation is supporting users in verifying compliance with applicable standards for cybersecurity during the entire life cycle of devices and applications.

cyberwatching.eu webinar recording. Dr Med. Sabina Magalini, FPG: 09:11-21:33. Martina Bossini Baroggi, RINA: 1:19-1:31

Presentations

• Dr Med. Sabina Magalini: Security and Privacy by Design for healthcare - Problems and overview of the proposed Solutions
• Martina Bossini Baroggi: PANACEA Security by Design Framework

Watch also the RINA video on the security-by-design framework with the SDPS from 00:04-45 and the CST from 04:45-08:38. 

Watch the entire cyberwatching.eu webinar and download all presentations here. 

Download the full report about the Cyberwatching.eu Webinar on Security and Privacy by Design for Healthcare here.