European Union Agency For Network And Information Security
Security and resilience for eHealth Infrastructures and Service – ENISA study
Dimitra Liveri, Secure Infrastructures and Services Unit - ENISA
The aim is to
• Understand the policy context and legislation in each Member State related to eHealth
• Identify critical systems, infrastructures and assets in healthcare systems
• Collect information on the governance model followed on cyber security in eHealth services
• Analyse the most prominent security risks and challenges
• Present the specific security measures the MS take to protect their systems from these risks and challenges through good practices
ENISA study on security and resilience for eHealth infrastructures and services
Collaboration with Contractors: GNOMON AE, Ote Plus, VIDAVO
Methodology – how did we conduct the study
Desk research: overview of EU MS legislation
Feedback from interviews with national experts (regulators etc)
Input from survey addressed to experts (telecom providers, standardisation bodies etc)
• CISOs and IT experts in public authorities
• Healthcare institutions (hospitals, GPs, etc)
• Pharmaceutical sector specialists
• Medical systems vendors
Who should read the report?
Profiles
Public institutions responsible for eHealth strategy
eHealth Competence centres
eHealth platform Operators (CIOs, security officers, end points staff, system administrators)
Academia
User Associations – Networking organisations
Standardisation Bodies
ICT Industry (suppliers)
Coverage
18 EU Member States
2 EFTA countries
Overview of stakeholders
eHealth Security in the Member States
Overview of national legislation related to eHealth
Focus on
- eHealth Strategy
- eHealth national legislation
- CIIP legislation including eHealth
Structure based models
• Centralised or national
• De-centralised or regional
Hospital-systems driven
Cross border use cases
Common deployment models
[Figure: deployment model diagrams with Ministry of Health, Regional authority and Hospital nodes]
Cyber Security in eHealth Systems
Key findings
• Healthcare business continuity
• Data security and integrity
• Services availability
National perspectives towards CIIP in eHealth
Centralised model, i.e. the National Security Agency is in charge of the CIIP policy and the eHealth regulator needs to impose it.
De-centralised model, i.e. the regulatory authorities make the decisions and collaborate with the Ministry or the National Security Agency
Voluntary based schemes
National approaches towards CIIP
[Figure: diagrams of national approaches with Public Agency, Sector and Council nodes]
Assessing criticality of the assets
[Figure: bar chart, "Prioritise (1-5) the parameters based on which you assess criticality of your assets (in average)". Parameters: Impact to society in case of breach (disruption, loss, alteration etc) – human factor; Sensitivity of data; Services affected (collateral damages); Financial impact - reputation. Scale: 0 to 4.]
• Health Information systems, i.e. the information networks in the hospitals
• Clinical data repositories i.e. the databases in each hospital where information is stored locally
• Authentication server i.e. to perform access control and authentication of users
• Laboratory Information System (LIS)
• Radiology Information Systems (RIS)
• Picture Archiving and Communication Systems (PACS), i.e. transferring radiology results
• Electronic Health Record components
• Patient Health Record service
• ePrescription service
Critical Assets and Systems
Example 1: Electronic health records (EHR) system
Identify critical components per infrastructure
ASSET | IMPACT IN CASE OF FAILURE
Components of network connecting the healthcare operators with the EHR system | Loss of availability (no access to the information)
Identity management system, for access control and authorization | Loss of availability (no access to classified information)
Web, Application and database servers | Loss of availability (no access to application services)
Business process and Application logic assuring data integrity | Data integrity violation
Interoperability Enterprise Service Bus – document exchange interface | Loss of availability (no information exchange between point of care sites)
Databases and storage components | Loss of availability (no storage and retrieval of information)
Monitoring and logging of information exchanges | Confidentiality violation (unmonitored access to sensitive information)
User management and Patient consent application | Confidentiality & data integrity violation (misuse and illegal access to information)
Master Patient Indexes, Healthcare Providers registries | Data integrity violation
Example 2: ePrescription
Identify critical components per infrastructure
ASSET | IMPACT IN CASE OF FAILURE
Components of network connecting the healthcare operators with the e-prescription system | Loss of availability (no access to the information)
Identity management system, for access control and authorization | Loss of availability (no access to classified information)
Web, Application and database servers | Loss of availability (no access to application services)
Business process and Application logic assuring data integrity | Data integrity violation
Interoperability Enterprise Service Bus | Loss of availability (no information exchange between point of care sites)
Databases and Storage components | Loss of availability (no storage and retrieval of information)
Monitoring and logging of information exchanges | Confidentiality violation (unmonitored access to sensitive information)
User management and Patient consent application | Confidentiality & data integrity violation (misuse and illegal access to information)
Security challenges in eHealth systems and infrastructures
[Figure: bar chart, "Which do you believe are the most important security challenges in eHealth infrastructures and systems?". Categories: Systems availability; Lack of interoperability; Access control and authentication; Data integrity; Network security; Lack of security expertise; Data loss; Lack of compliance and trust; Lack of standardization; Cross border incidents; Other. Scale: 0 to 12.]
Security requirements in eHealth infrastructures and services
1. Cloud Services supporting eHealth
2. EHR/PHR operations
3. eHealth user services (ePrescription, Patient Summary etc)
Use cases on eHealth security
• Service Assets
• Domains
• Scale
• Security requirements
• Criticality: High (Disruption of those services may create discomfort but denial of service is usually not life threatening)
• Security Risks
- Network security
- Systems availability
- Lack of standardization
- Lack of interoperability
- Lack of security expertise
- Access control and authentication
- Data loss
Use Case 1: Cloud Services supporting Healthcare
• Service Assets
• Domains
• Scale
• Security requirements
• Criticality: EHR/PHR act as a supportive mechanism to point of care information systems. As such criticality is Medium to High
• Security Risks
- Network security
- Systems availability
- Lack of standardization
- Lack of interoperability
- Lack of security expertise
- Access control and authentication
- Data loss
- Data integrity
Use Case 2: EHR/PHR operations
• Service Assets
• Domains
• Scale
• Security requirements
• Criticality: High (lack of eServices operation may create discomfort to end users.)
• Security Risks
- Network security (secure access to databases online)
- Cross border incidents
- Systems availability
- Lack of compliance and trust
- Lack of standardization
- Lack of interoperability
- Lack of security expertise
- Access control and authentication
- Data loss
- Data Integrity
Use Case 3: eHealth user services (ePrescription, Patient Summary etc)
Recommendations
Who: Member States, Authority with mandate on cyber security and CIIP or Authority responsible for eHealth security
Analysis
Member States must conduct an asset identification and a risk assessment to classify their critical eHealth infrastructures and services and develop a national catalogue.
Determining such infrastructures and assets at a national level shall enable their systematic protection, based on national rules to be followed uniformly. Moreover, this approach may lead to the concentration of protection efforts on the most critical eHealth infrastructures, based on a prioritization scheme.
1. Conduct asset identification and risk assessment
Who: Member States, Authority with mandate on cyber security and CIIP or Authority responsible for eHealth security
Analysis
Define the minimum requirements for the protection of eHealth infrastructures and assets which have been classified as critical and include them in the guidelines. Such guidelines may refer to specific use cases and technical infrastructures and assets commonly deployed, in terms of their protection measures. Combined with the previous recommendation, these guidelines could form the basis for the development of a standard protection level for the critical eHealth Infrastructures and identified relevant assets.
2. Define clear cyber security guidelines
Who: Member States and Healthcare organisations
Analysis
Higher management needs to be motivated to increase the budget for investing in cyber security and asset protection. The best way to explain this is to present the cost benefit analysis of the security incidents classified by root causes, to indicate how big the loss is.
The healthcare organizations should provide statistical analysis based on actual facts, incidents that have also caused financial impact to the organization, to convince higher management that security should be considered a priority regardless of the national legal framework.
3. Perform impact/cost benefit analysis to increase investment
Who: Healthcare organisations, National security authorities
Analysis
An eHealth incident reporting mechanism, potentially part of a clinical incident reporting and alerting system, would aim at improving patient safety. Moreover, by effectively sharing such information at various levels (nationally, organisationally and clinically), collaborative efforts can be followed to improve critical eHealth infrastructure protection and patient safety. In practice, an eHealth focused Computer Emergency Response Team should be created, which could potentially collaborate with the national CERT on incident handling. Feedback directly to the eHealth service users (e.g. clinicians) is extremely important for their continued engagement. A culture that encourages reporting and information sharing is needed.
4. Create incident response mechanisms
Who: Healthcare organisations, National security authorities
Analysis
Information sharing is a very important component when building frameworks at a national level. Bringing together stakeholders from the private and public sector, the users, the general practitioners, associations of pharmacists etc. would result in better depicting the current situation in the country, the gaps and the needs, and thus in making concrete security requirements for eHealth systems and services security and resilience.
5. Support Information Sharing
Who: European Commission, Healthcare organisations, Member States and National security authorities
Analysis
To offer assistance to the healthcare practitioners and bodies, baseline security measures could be set by the European competent authorities. Depending on the existing frameworks, these could be binding and obligatory through specific legislation (thus requiring monitoring and auditing mechanisms to be in place) or set through non-mandatory guidelines. Depending also on the maturity levels, the security measures should be able to cover all different levels of sophistication in the systems.
6. Develop baseline security measures
Who: Healthcare organisations, Member States and National security authorities
Analysis
Define a set of must-have integration profiles to establish secure connections over the network, namely in the domains of audit logs, data encryption, TSL assertions, access rights policy, eID, healthcare providers’ registries, and many more related to data integrity and resilience of systems.
Having a common guideline on how to best implement correct interoperability will gradually increase end-user experience and acceptance of new types of services that are meant to run over open networks and not in closed and restricted networks.
7. Adopt security standards
Who: European Commission, Healthcare organisations, Member States
Analysis
One of the greatest gaps identified in this study is the lack of expertise and knowledge on cyber security and the emerging risks among the people involved in healthcare. Officers working in the competent authorities and the healthcare units (hospitals, clinics etc.) should understand the concepts of cyber security risks to be able to protect the critical assets.
8. Invest in raising awareness and in training
Who: Member States and National security authorities
Analysis
CIIP is part of the objectives of a National Cyber Security Strategy (NCSS) for 90% of the MS that have a strategy. eHealth is one of the critical sectors in scope of the national CIIP action plan. eHealth systems and services protection activities should be aligned with the provisions of the national strategy.
NEW: Align eHealth with NCSS and CIIP activities
Other suggestions?
www.enisa.europa.eu/internetcii
Thank you for your help!!
https://www.enisa.europa.eu/scada