The EU Agency for Cybersecurity speaks to HEQ about cybersecurity and data protection in healthcare.
The European Union Agency for Cybersecurity (ENISA) is the EU’s official agency dedicated to shoring up cybersecurity throughout the bloc. ENISA works alongside the EU and its Member States to inform and contribute to the formation of EU policy on cybersecurity; provides cybersecurity certification schemes for ICT products, services and processes; and helps Europe prepare itself for ‘the cyber-challenges of tomorrow’ through campaigns such as the annual European Cybersecurity Month.
ENISA Network and Information Security Experts Athanasios Drougkas and Dimitra Liveri tell HEQ about cybersecurity and data protection in the healthcare sector.
What are the themes of this year’s European Cybersecurity Month?
The European Cybersecurity Month (ECSM) is the EU’s annual cybersecurity awareness campaign, co-ordinated by ENISA and the European Commission, and supported by the Member States and more than 300 partners from across industries. The ECSM provides up-to-date digital security information through education and sharing of good practices through an array of activities – from workshops and conferences to training sessions, webinars and presentations – across the full month of October each year.
The eighth annual European Cybersecurity Month (ECSM) this October featured two themes: Cyber-Scams and Digital Skills. The Cyber-Scams theme provided insights on current and potential cyber threats to help the general public and businesses minimise risks. COVID-19 has led to an increase in e-commerce, which has triggered concerns about the security of data and online payments. Activities in this theme focused on phishing, business email compromise and online shopping fraud. The key message encouraged users to have a heightened awareness of cyber-scams when conducting business and personal transactions online.
The Digital Skills theme presented educational activities that inform the general public on Internet security. The COVID-19 pandemic has increased the digitalisation of everyday life. This new hyperconnected world requires an awareness of current skills for citizens to stay on top of trends and be safe online. The theme covered e-privacy matters such as personal data protection, cyberbullying and cyberstalking. The key message conveyed the importance of cyber-hygiene and establishing good practices online.
With more people working from home, engaging in remote meetings, telehealth and shopping online, is cybersecurity more important now?
Indeed, cybersecurity is more important now than ever. The healthcare sector has become increasingly digital and significantly interconnected, a trend that has only increased with the new reality of the COVID-19 pandemic. Patient healthcare records are now available on demand for medical staff as electronic information. Medical devices can measure patient data in real time and upload them to the cloud, or even take automatic action if needed. Telemedicine applications allow for remote patient care and consultations without the need for an actual visit to the doctor’s office. Healthcare organisations use interconnected medical devices to monitor patient status, administer medicine automatically and even perform surgery. Even administration procedures in hospitals are becoming more automated than ever before. The rationale behind all of this is clear: digitalisation means improved efficiency, additional capabilities and ultimately better patient care.
However, this increased reliance on interconnected systems and devices also introduces a number of challenges and brings cybersecurity to the forefront. In order for digital healthcare to reach its full potential, healthcare providers, medical staff and patients need to trust that the services will be available no matter what; that sensitive patient data stored in electronic format will remain confidential; and that electronic information about patients used for their treatment will remain unaltered. This is equally true for the continuously increasing number of people who are working remotely and need to take care of their cyber-hygiene. ENISA recommends keeping work and leisure activities on separate devices; and highlights the importance of watching for scams and emails referencing the coronavirus, as phishing activities have been on the rise since the pandemic began.
What measures can healthcare facilities implement to ensure users’ data is secure and avert cyberattacks?
The COVID-19 pandemic has made cybersecurity in healthcare an even harder puzzle to solve. The need for medical resources to manage this crisis is testing the sector’s limits across the globe. Adding to this overwhelming situation, the healthcare sector has become a direct target or collateral victim of cybersecurity attacks. While healthcare has traditionally been a target of cybercrime due to the value of health data and the criticality of healthcare services, malicious actors have already taken advantage of the COVID-19 pandemic to launch a series of phishing campaigns and ransomware attacks. What was once an issue for healthcare providers has become a critical problem for a sector pushed to its limits by the pandemic.
The extraordinary issues that the healthcare sector is currently facing come on top of long-standing challenges that have hindered the cybersecurity maturity growth in healthcare in the past:
- Low maturity on cybersecurity in the healthcare sector is evident: many hospitals do not have a Chief Information Security Officer, and lack comprehensive security policies and access control mechanisms
- Hospitals are easy targets for malicious attackers due to the many different ways a malicious attacker can gain access to a system
- Lack of security awareness – for example, physicians, administrative personnel and patients can use their personal devices to connect to the hospital network without following any specific strategy
- The lifespan of medical devices in use, such as CAT scanners or MRI machines, can be longer than the manufacturer has anticipated, which commonly means security updates must be performed by a third party
- The vulnerable nature of medical devices. For example, manufacturers build them in order to support remote patching and updating of firmware, which creates identifiable loopholes
In order to help healthcare organisations in their efforts to achieve a higher level of cybersecurity, the European Union Agency for Cybersecurity has been working with healthcare stakeholders on a number of topics – developing good practices, sharing information and good practices, and improving their ability to respond to the next cyber incident. Some of the Agency’s publications of interest include:
- Cybersecurity and Resilience for Smart Hospitals (November 2016), which proposes key recommendations for hospital information security executives and industry to enhance the level of information security in smart hospitals
- Procurement Guidelines for Cybersecurity in Hospitals (February 2020), which offers cybersecurity guidelines for hospitals when procuring services, products and infrastructure.
In response to the cybersecurity challenges related to the COVID-19 pandemic, the EU Agency for Cybersecurity has reached out to provide advice in support of the healthcare sector. These recommendations take into account the situational evolution and the nature of the incidents over the course of the crisis:
- Share the information with healthcare staff in the organisation, build awareness of the ongoing situation and, in the case of infection, ask staff to disconnect from the network to contain the spread. Raise awareness internally in healthcare organisations and hospitals by launching campaigns even during the time of crisis (i.e. to inform hospital staff not to open suspicious emails)
- In case of a systems compromise, freeze any activity in the system. Disconnect the infected machines from other machines and from any external drive or medical device. Go offline from the network. Immediately contact the national computer security incident response team, known as a CSIRT
- Ensure business continuity through effective backup and restore procedures. Business continuity plans should be established whenever the failure of a system could disrupt the hospital’s core services; and the role of the supplier in such cases should be well defined
- In case of an incident impacting medical devices, the incident response should be coordinated with the device manufacturer. There should be collaboration with vendors for incident response in case the situation involves medical devices or clinical information systems
- One key preparedness measure is network segmentation. With network segmentation, network traffic can be isolated and/or filtered to limit and/or prevent access between network zones
In addition, the EU Agency for Cybersecurity launched its sixth annual eHealth Security Conference on 23 September 2020. This year, the conference includes three virtual sessions (23 September, 23 October and 23 November) focusing on important aspects of cybersecurity in healthcare as the sector is confronted with the COVID-19 crisis:
- Session 1: cybersecurity in healthcare in times of a pandemic
- Session 2: cybersecurity in COVID-19 tracing mobile apps
- Session 3: incident response while in crisis
Furthermore, the Agency has selected healthcare for the next Cyber-Europe exercise, an EU-wide exercise where participants are confronted with a series of simulated incidents that eventually escalate into a cross-border cyber-crisis.
Should more action be taken to implement education on cybersecurity and data privacy at a healthcare provider level?
Over the past few months, awareness and training have become key in protecting against cyber-threats. Many attacks against the healthcare sector during the COVID-19 crisis came in the form of phishing campaigns. The number one defence against such attacks is user awareness.
While IT staff generally tend to appreciate the importance of following appropriate cybersecurity practices, medical staff may often perceive security controls as obstacles to doing their job of patient care. It is important to step up awareness and education of digital security and the risks involved as attackers are deep at work, doing their job to exploit the situation.
Right now, in the current digital environment, people should be suspicious of emails asking to check or renew their credentials even if it seems to come from a trusted source. They should verify the authenticity of the request through other means, and never click on suspicious links or open suspicious attachments.
A growing number of countries have adopted contact tracing apps to help slow the spread of COVID-19. What actions should developers take to ensure that user data is both secure and anonymous?
Mobile apps have the potential to bolster contact tracing strategies to contain and reverse the spread of COVID-19. Therefore, EU Member States have created a common EU toolbox on mobile applications to support contact tracing in the EU’s fight against COVID-19. To exploit the full potential of contact tracing and warning apps to break the chain of coronavirus infections across borders and save lives, an EU-wide system has been set up to ensure interoperability – a so-called ‘gateway’.
While each country ultimately decides on the security requirements with which each contact tracing app should comply, the aforementioned toolbox offers a set of recommendations to app developers to ensure the security and anonymity of user data:
- Collaborate with other project teams and follow relevant industry initiatives
- Keep it simple, ensure data minimisation and minimum permissions
- Follow secure software development principles and secure the environment
- Ensure security is built-in for apps, protocols, and backend
- Secure communication and implement cryptography
- Develop apps that are secure by default and user-friendly
- Implement user authentication
- Secure the backend services and interfaces
- Ensure secure use of libraries and third party code
- Focus on secure software distribution and smartphone app stores
- Specifically handle insecure smartphones.
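As an added illustration of the "data minimisation" and "implement cryptography" points above (example code written for this article, not from the EU toolbox or any national app; the 16-byte key size, the 15-minute rotation interval and the label string are assumptions), the following shows a decentralised rolling-identifier scheme in which phones broadcast only short HMAC-derived tokens, keep the secret key on the device, and perform all exposure matching locally:

```python
import hmac
import hashlib
import os

# Hypothetical scheme (assumption, not the EU toolbox's specification): each device
# keeps a random daily key locally and broadcasts only short, unlinkable identifiers
# derived from it. No personal data or location is ever transmitted.
DAY_SECONDS = 24 * 60 * 60
INTERVAL_SECONDS = 15 * 60                            # identifier rotates every 15 min (assumed)
INTERVALS_PER_DAY = DAY_SECONDS // INTERVAL_SECONDS   # 96 identifiers per day


def new_daily_key() -> bytes:
    """Fresh 16-byte secret, generated on-device; it leaves the phone only if the
    user tests positive and consents to publishing it."""
    return os.urandom(16)


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval of the day.
    HMAC-SHA256 (truncated to 16 bytes) makes identifiers unlinkable to anyone
    who lacks the daily key, which is the data-minimisation property."""
    msg = b"EXAMPLE-RPI" + interval.to_bytes(4, "big")   # label string is an assumption
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def identifiers_for_day(daily_key: bytes) -> set:
    """Every identifier a device broadcasts during the day covered by this key."""
    return {rolling_identifier(daily_key, i) for i in range(INTERVALS_PER_DAY)}


def matches(observed: set, published_keys: list) -> int:
    """Exposure check run locally on the phone: count observed identifiers that
    were derived from any daily key published by confirmed cases. Only the
    keys of positive cases are uploaded; the list of observed contacts never is."""
    exposures = 0
    for key in published_keys:
        exposures += len(observed & identifiers_for_day(key))
    return exposures
```

Because the backend only ever stores the published keys of confirmed cases, a compromise of that backend reveals neither who met whom nor where, which is the minimum-data posture the toolbox asks developers to design for.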
Athanasios Drougkas, Network and Information Security Expert
Dimitra Liveri, Network and Information Security Expert
European Union Agency for Cybersecurity (ENISA)