European Union Agency For Network And Information Security
Security and resilience for eHealth Infrastructures and Service – ENISA study
Dimitra Liveri, Secure Infrastructures and Services Unit - ENISA

Jan 21, 2016

Transcript
Page 1: European Union Agency For Network And Information Security Security and resilience for eHealth Infrastructures and Service – ENISA study Dimitra Liveri.

European Union Agency For Network And Information Security

Security and resilience for eHealth Infrastructures and Service – ENISA study
Dimitra Liveri, Secure Infrastructures and Services Unit - ENISA

Page 2: ENISA study on security and resilience for eHealth infrastructures and services

The aim is to:

• Understand the policy context and legislation in each Member State related to eHealth

• Identify critical systems, infrastructures and assets in healthcare systems

• Collect information on the governance model followed on cyber security in eHealth services

• Analyse the most prominent security risks and challenges

• Present the specific security measures the Member States take to protect their systems from these risks and challenges, through good practices

Page 3: Methodology – how did we conduct the study

Desk research: overview of EU Member State legislation

Feedback from interviews with national experts (regulators etc.)

Input from a survey addressed to experts (telecom providers, standardisation bodies etc.)

Collaboration with contractors: GNOMON AE, Ote Plus, VIDAVO

Page 4: Who should read the report?

• CISOs and IT experts in public authorities

• Healthcare institutions (hospitals, GPs, etc.)

• Pharmaceutical sector specialists

• Medical systems vendors

Page 5: Overview of stakeholders

Profiles

- Public institutions responsible for eHealth strategy
- eHealth competence centres
- eHealth platform operators (CIOs, security officers, end-point staff, system administrators)
- Academia
- User associations – networking organisations
- Standardisation bodies
- ICT industry (suppliers)

Coverage

- 18 EU Member States
- 2 EFTA countries

Page 6: eHealth Security in the Member States

Page 7: Overview of national legislation related to eHealth

Focus on

- eHealth strategy
- eHealth national legislation
- CIIP legislation including eHealth

Page 8: Common deployment models

Structure-based models
• Centralised or national
• De-centralised or regional

Hospital-systems driven

Cross-border use cases

[Diagram: the deployment models drawn as hierarchies of Ministry of Health, regional authorities and hospitals]

Page 9: Cyber Security in eHealth Systems – Key findings

Page 10: National perspectives towards CIIP in eHealth

• Healthcare business continuity

• Data security and integrity

• Services availability

Page 11: National approaches towards CIIP

Centralised model, i.e. the National Security Agency is in charge of the CIIP policy and the eHealth regulator has to impose it.

De-centralised model, i.e. the regulatory authorities make the decisions and collaborate with the Ministry or the National Security Agency.

Voluntary-based schemes

[Diagram: the three approaches drawn as public agencies above sectors, with a council in the voluntary scheme]

Page 12: Assessing criticality of the assets

Survey question: prioritise (1-5) the parameters based on which you assess the criticality of your assets (on average)

[Bar chart, average priority per parameter, axis 0-4; parameters: impact to society in case of breach (disruption, loss, alteration etc.) – human factor; sensitivity of data; services affected (collateral damages); financial impact – reputation]

Page 13: Critical Assets and Systems

• Health Information Systems, i.e. the information networks in the hospitals
• Clinical data repositories, i.e. the databases in each hospital where information is stored locally
• Authentication server, i.e. to perform access control and authentication of users
• Laboratory Information System (LIS)
• Radiology Information System (RIS)
• Picture Archiving and Communication System (PACS), i.e. transferring radiology results
• Electronic Health Record components
• Patient Health Record service
• ePrescription service

Page 14: Identify critical components per infrastructure – Example 1: Electronic health records (EHR) system

ASSET | IMPACT IN CASE OF FAILURE
Components of network connecting the healthcare operators with the EHR system | Loss of availability (no access to the information)
Identity management system, for access control and authorization | Loss of availability (no access to classified information)
Web, application and database servers | Loss of availability (no access to application services)
Business process and application logic assuring data integrity | Data integrity violation
Interoperability Enterprise Service Bus – document exchange interface | Loss of availability (no information exchange between point-of-care sites)
Databases and storage components | Loss of availability (no storage and retrieval of information)
Monitoring and logging of information exchanges | Confidentiality violation (unmonitored access to sensitive information)
User management and patient consent application | Confidentiality & data integrity violation (misuse and illegal access to information)
Master Patient Indexes, healthcare providers registries | Data integrity violation

Page 15: Identify critical components per infrastructure – Example 2: ePrescription

ASSET | IMPACT IN CASE OF FAILURE
Components of network connecting the healthcare operators with the e-prescription system | Loss of availability (no access to the information)
Identity management system, for access control and authorization | Loss of availability (no access to classified information)
Web, application and database servers | Loss of availability (no access to application services)
Business process and application logic assuring data integrity | Data integrity violation
Interoperability Enterprise Service Bus | Loss of availability (no information exchange between point-of-care sites)
Databases and storage components | Loss of availability (no storage and retrieval of information)
Monitoring and logging of information exchanges | Confidentiality violation (unmonitored access to sensitive information)
User management and patient consent application | Confidentiality & data integrity violation (misuse and illegal access to information)

Page 16: Security challenges in eHealth systems and infrastructures

Survey question: which do you believe are the most important security challenges in eHealth infrastructures and systems?

[Bar chart, number of responses per challenge, axis 0-12; challenges: systems availability; lack of interoperability; access control and authentication; data integrity; network security; lack of security expertise; data loss; lack of compliance and trust; lack of standardization; cross-border incidents; other]

Page 17: Security requirements in eHealth infrastructures and services

Page 18: Use cases on eHealth security

1. Cloud services supporting eHealth
2. EHR/PHR operations
3. eHealth user services (ePrescription, Patient Summary etc.)

Page 19: Use Case 1: Cloud Services supporting Healthcare

• Service assets
• Domains
• Scale
• Security requirements
• Criticality: High (disruption of those services may create discomfort, but denial of service is usually not life threatening)
• Security risks:
  - Network security
  - Systems availability
  - Lack of standardization
  - Lack of interoperability
  - Lack of security expertise
  - Access control and authentication
  - Data loss

Page 20: Use Case 2: EHR/PHR operations

• Service assets
• Domains
• Scale
• Security requirements
• Criticality: EHR/PHR act as a supportive mechanism to point-of-care information systems; as such, criticality is Medium to High
• Security risks:
  - Network security
  - Systems availability
  - Lack of standardization
  - Lack of interoperability
  - Lack of security expertise
  - Access control and authentication
  - Data loss
  - Data integrity

Page 21: Use Case 3: eHealth user services (ePrescription, Patient Summary etc.)

• Service assets
• Domains
• Scale
• Security requirements
• Criticality: High (lack of eServices operation may create discomfort to end users)
• Security risks:
  - Network security (secure access to databases online)
  - Cross-border incidents
  - Systems availability
  - Lack of compliance and trust
  - Lack of standardization
  - Lack of interoperability
  - Lack of security expertise
  - Access control and authentication
  - Data loss
  - Data integrity

Page 22: Recommendations

Page 23: 1. Conduct asset identification and risk assessment

Who: Member States, the authority with a mandate on cyber security and CIIP, or the authority responsible for eHealth security

Analysis

Member States must conduct an asset identification and a risk assessment to classify their critical eHealth infrastructures and services, and develop a national catalogue.

Determining such infrastructures and assets at national level enables their systematic protection, based on national rules to be followed uniformly. Moreover, this approach may concentrate protection efforts on the most critical eHealth infrastructures, based on a prioritisation scheme.
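The assessment this recommendation asks for can be made concrete with a small scoring routine. The following is an added example written for this page, not code from the ENISA study or the presentation: it rates each asset against the four criticality parameters the survey asked respondents to prioritise (page 12), tags it with the security property its failure violates using the impact wording of the EHR/ePrescription tables (pages 14 and 15), and ranks the result into the kind of prioritised catalogue the recommendation describes. The weights, the per-asset ratings, the 0-4 rating scale, the High/Medium/Low thresholds and all function names are assumptions made for the illustration; the asset names and impact phrases are taken from the page.

```python
# Added illustration of an asset criticality assessment (not the ENISA method).
# Weights, ratings, scale and thresholds are constructed assumptions.
from dataclasses import dataclass

# The four survey parameters (page 12). Weights are assumed priorities on the
# survey's 1-5 scale, NOT the survey results; a national authority would
# substitute its own.
WEIGHTS = {
    "impact_to_society": 5,      # disruption, loss, alteration; human factor
    "data_sensitivity": 4,
    "services_affected": 3,      # collateral damage to dependent services
    "financial_reputation": 2,
}
SCORE_MIN, SCORE_MAX = 0, 4      # per-parameter rating scale (assumed)

# Impact wording from the EHR/ePrescription tables -> security property violated.
IMPACT_PROPERTY = {
    "loss of availability": "A",
    "data integrity violation": "I",
    "confidentiality violation": "C",
    "confidentiality & data integrity violation": "CI",
}


@dataclass
class Asset:
    name: str
    failure_impact: str   # wording as in the tables, e.g. "Loss of availability (...)"
    scores: dict          # parameter -> rating in [SCORE_MIN, SCORE_MAX]


def property_at_risk(failure_impact: str) -> str:
    """Map the table's impact phrase (parenthetical detail ignored) to C, I, A or CI."""
    key = failure_impact.lower().split(" (")[0].strip()
    if key not in IMPACT_PROPERTY:
        raise ValueError(f"unrecognised impact category: {failure_impact!r}")
    return IMPACT_PROPERTY[key]


def criticality_score(asset: Asset) -> float:
    """Weighted mean of the ratings, on the same 0-4 scale as the ratings themselves."""
    total = 0
    for param, weight in WEIGHTS.items():
        rating = asset.scores.get(param, SCORE_MIN)   # missing parameter counts as lowest
        if not SCORE_MIN <= rating <= SCORE_MAX:
            raise ValueError(f"{asset.name}: {param}={rating} outside {SCORE_MIN}-{SCORE_MAX}")
        total += weight * rating
    return total / sum(WEIGHTS.values())


def classify(score: float) -> str:
    """Assumed thresholds: >= 3.0 High, >= 2.0 Medium, otherwise Low."""
    if score >= 3.0:
        return "High"
    if score >= 2.0:
        return "Medium"
    return "Low"


def build_catalogue(assets):
    """Rank assets by score (highest first) into catalogue entries."""
    ranked = sorted(assets, key=criticality_score, reverse=True)
    return [
        {
            "rank": i,
            "asset": a.name,
            "score": round(criticality_score(a), 2),
            "criticality": classify(criticality_score(a)),
            "property_at_risk": property_at_risk(a.failure_impact),
        }
        for i, a in enumerate(ranked, start=1)
    ]


# Constructed sample: asset names and impact wording from the EHR table (page 14),
# ratings invented for the demonstration.
SAMPLE_ASSETS = [
    Asset("Identity management system",
          "Loss of availability (no access to classified information)",
          {"impact_to_society": 4, "data_sensitivity": 4, "services_affected": 4, "financial_reputation": 3}),
    Asset("Master Patient Index", "Data integrity violation",
          {"impact_to_society": 3, "data_sensitivity": 4, "services_affected": 3, "financial_reputation": 2}),
    Asset("Monitoring and logging of information exchanges",
          "Confidentiality violation (unmonitored access to sensitive information)",
          {"impact_to_society": 2, "data_sensitivity": 3, "services_affected": 1, "financial_reputation": 2}),
    Asset("User management and Patient consent application",
          "Confidentiality & data integrity violation (misuse and illegal access to information)",
          {"impact_to_society": 3, "data_sensitivity": 4, "services_affected": 2, "financial_reputation": 3}),
    Asset("Web, Application and database servers",
          "Loss of availability (no access to application services)",
          {"impact_to_society": 3, "data_sensitivity": 2, "services_affected": 4, "financial_reputation": 2}),
]

if __name__ == "__main__":
    for entry in build_catalogue(SAMPLE_ASSETS):
        print(entry)
```

The property tag matters as much as the rank: two assets with the same score need different protection measures when one fails by losing availability and the other by losing integrity, which is why the catalogue carries both. Out-of-range ratings and impact phrases not in the tables are rejected rather than silently scored, so a catalogue built from survey sheets cannot absorb a typo as a low-priority entry.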

Page 24: 2. Define clear cyber security guidelines

Who: Member States, the authority with a mandate on cyber security and CIIP, or the authority responsible for eHealth security

Analysis

Define the minimum requirements for the protection of eHealth infrastructures and assets which have been classified as critical, and include them in the guidelines. Such guidelines may refer to specific use cases and to technical infrastructures and assets commonly deployed, in terms of their protection measures. Combined with the previous recommendation, these guidelines could form the basis for a standard protection level for the critical eHealth infrastructures and the identified relevant assets.

Page 25: 3. Perform impact/cost benefit analysis to increase investment

Who: Member States and healthcare organisations

Analysis

Higher management needs to be motivated to increase the budget for investing in cyber security and asset protection. The best way to make the case is to present a cost-benefit analysis of the security incidents, classified by root cause, to indicate how big the loss is.

Healthcare organisations should provide statistical analysis based on actual facts, i.e. incidents that have also caused financial impact to the organisation, to convince higher management that security should be considered a priority regardless of the national legal framework.

Page 26: 4. Create incident response mechanisms

Who: Healthcare organisations, national security authorities

Analysis

An eHealth incident reporting mechanism, potentially part of a clinical incident reporting and alerting system, would aim at improving patient safety. Moreover, by effectively sharing such information at the various levels (national, organisational and clinical), collaborative efforts can follow to improve critical eHealth infrastructure protection and patient safety. In practice, an eHealth-focused Computer Emergency Response Team should be created, which could collaborate with the national CERT on incident handling. Feedback directly to the eHealth service users (e.g. clinicians) is extremely important for their continued engagement. A culture that encourages reporting and information sharing is needed.

Page 27: 5. Support information sharing

Who: Healthcare organisations, national security authorities

Analysis

Information sharing is a very important component when building frameworks at national level. Bringing together stakeholders from the private and public sector, the users, the general practitioners, associations of pharmacists etc. would give a better picture of the current situation in the country, the gaps and the needs, and thus yield concrete security requirements for the security and resilience of eHealth systems and services.

Page 28: 6. Develop baseline security measures

Who: European Commission, healthcare organisations, Member States and national security authorities

Analysis

To assist healthcare practitioners and bodies, baseline security measures could be set by the European competent authorities. Depending on the existing frameworks, these could be binding and obligatory through specific legislation (thus requiring monitoring and auditing mechanisms to be in place) or through non-mandatory guidelines. The security measures should also cover the different maturity and sophistication levels of the systems.

Page 29: 7. Adopt security standards

Who: Healthcare organisations, Member States and national security authorities

Analysis

Define a set of must-have integration profiles to establish secure connections over the network, namely in the domains of audit logs, data encryption, TSL assertions, access rights policy, eID, healthcare providers' registries, and many more related to data integrity and the resilience of systems.

Having a common guideline on how best to implement correct interoperability will gradually improve the end-user experience and the acceptance of new types of services that are meant to run over open networks rather than in closed and restricted networks.

Page 30: 8. Invest in raising awareness and in training

Who: European Commission, healthcare organisations, Member States

Analysis

One of the greatest gaps identified in this study is the lack of expertise and knowledge of cyber security, and of its emerging risks, among the people involved in healthcare. Officers working in the competent authorities and in the healthcare units (hospitals, clinics etc.) should understand the concepts of cyber security risk in order to protect the critical assets.

Page 31: NEW: Align eHealth with NCSS and CIIP activities

Who: Member States and national security authorities

Analysis

CIIP is among the objectives of the National Cyber Security Strategy (NCSS) for 90% of the Member States that have a strategy. eHealth is one of the critical sectors in scope of the national CIIP action plan. eHealth systems and services protection activities should therefore be aligned with the provisions of the national strategy.

Page 32: Other suggestions?