Security and resilience for Smart Hospitals Key findings


Security and resilience for Smart Hospitals: Key findings
Dimitra Liveri, Ilias Bakatsis, Athanasios Drougkas | ENISA 2nd eHealth Security Workshop | Vienna | 23rd November

2016: ENISA work to secure Smart Hospitals
Objectives:
- Improve the security and resilience of hospital information systems
- Identify common cyber security threats and challenges, and present mitigation measures to address them
- Support pilots in hospitals across the EU
- Secure devices and systems to improve patient safety

Study overview
Scope:
- Smart hospital value and offerings built on top of traditional hospitals
- Identification of smart hospital assets
- Presentation of vulnerabilities and threats
- Attack scenario analysis
- Good practices and recommendations
Target audience:
- Healthcare providers / hospitals (CIOs, CISOs, etc.)
- Industry stakeholders
- Policy makers
Methodology:
- Desktop research
- Interviews with hospitals' CISOs
- Online survey; respondents: hospital CISOs/CIOs ("user side"), industry representatives, policy makers

Towards a definition
A smart hospital is a hospital that relies on optimised and automated processes built on an ICT environment of interconnected assets, particularly based on the Internet of Things (IoT), to improve existing patient care procedures and introduce new capabilities.

Why Hospitals are becoming “Smart”

Threat-based approach
Assets → Vulnerabilities → Threats → Attack scenarios → Good practices → Initial findings → Recommendations

Identification of Smart Assets in Hospitals

Assessing the criticality of smart assets

Vulnerabilities of Smart Hospitals
- Interconnection between devices/systems, sometimes even automatic
- Communication between devices and legacy systems creates gaps
- Physical security is impossible for all components
- Practically impossible to patch all devices
- Long life span of medical devices
- Little malware detection or prevention capability on devices
- No clear way to alert the user when a security problem arises
- Access control is difficult to implement
- Usability issues cause circumvention of set policies
- Use of personal devices that do not comply with security policies
- Lack of compliance with organisational or industry standards
- User behaviour
- Lack of a proper configuration management process

Threats mind map
The report also includes threat modelling that identifies attack actors and attack vectors, asset exposure (mapping threats to assets) and, finally, a criticality assessment.

Attack scenarios
1. Social engineering attack
2. Medical device tampering
3. Theft of hospital equipment
4. Ransomware attack on the Hospital Information System
5. DDoS on hospital servers
Per scenario: description, assets affected, criticality, likelihood, cascading effects, estimated recovery time, good practices, challenges and gaps

Good practices
Good practices are mapped to the threats they address (good practices are organised in categories).

Open issues
- Gap 1: Lack of bring-your-own-device controls
- Gap 2: Need for an automated asset inventory discovery tool
- Gap 3: Lack of application whitelisting technology
- Gap 4: Need to ensure secure configurations
- Gap 5: Need for client certificates to validate and authenticate systems
- Gap 6: Lack of training and awareness-raising programmes
- Gap 7: Remote administration of servers, workstations, network devices, etc. over secure channels
- Gap 8: Pace of standardisation versus IT technology
- Gap 9: Cost-benefit breakdown is critical
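Gap 2 (automated asset inventory discovery) is the one most hospitals can start closing with data they already have. The example below is added here and is not ENISA's tooling or part of the study: it reconciles constructed DHCP-lease style records against a constructed approved-inventory table and reports hosts on the network that are not inventoried (a rogue or personal device, Gap 1), inventoried assets that did not appear (a candidate for the "theft of hospital equipment" scenario, or a device that is simply offline), and inventoried MACs whose hostname no longer matches (a reimaged or spoofed device). The MAC-prefix-to-vendor hints are assumed for illustration; a real tool would use the IEEE OUI registry.

```python
"""Reconcile hosts observed on the hospital network against the approved asset inventory.

Added example, not ENISA's tooling. Sample lease records, the inventory table and the
OUI vendor hints are all constructed for this illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample: one observed host per line as "<ip> <mac> <client-hostname>".
DHCP_LEASES = """\
10.20.1.15 00:1b:63:aa:01:02 infusion-pump-04
10.20.1.16 3c:5a:b4:10:20:30 nurse-ws-12
10.20.1.17 d8:3a:dd:00:11:22 raspberrypi
10.20.1.18 00:1B:63:AA:01:09 infusion-pump-09
10.20.1.19 f0:27:65:44:55:66 android-phone
10.20.1.20 3c:5a:b4:10:20:31 DESKTOP-REIMAGED
this line is malformed and must be skipped
"""

# Constructed approved inventory: what the hospital believes it owns.
INVENTORY_CSV = """\
asset_id,mac,hostname,category,criticality
MED-0004,00:1b:63:aa:01:02,infusion-pump-04,medical-device,high
MED-0009,00:1b:63:aa:01:09,infusion-pump-09,medical-device,high
MED-0011,00:1b:63:aa:01:11,infusion-pump-11,medical-device,high
WS-0012,3c:5a:b4:10:20:30,nurse-ws-12,workstation,medium
WS-0013,3c:5a:b4:10:20:31,nurse-ws-13,workstation,medium
"""

# Assumed OUI (first three octets) to vendor-class hints; illustrative only.
OUI_HINTS = {
    "00:1b:63": "medical-vendor",
    "3c:5a:b4": "pc-vendor",
    "d8:3a:dd": "raspberry-pi",
    "f0:27:65": "mobile-vendor",
}


@dataclass(frozen=True)
class Observed:
    ip: str
    mac: str
    hostname: str


def parse_leases(text: str) -> list[Observed]:
    """Parse observed hosts; malformed lines are skipped so one bad record does not abort a scan."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].count(":") != 5:
            continue
        ip, mac, hostname = parts
        hosts.append(Observed(ip, mac.lower(), hostname))
    return hosts


def parse_inventory(text: str) -> dict[str, dict]:
    """Index the approved inventory by lower-cased MAC so case differences do not cause false alarms."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(leases: list[Observed], inventory: dict[str, dict]) -> dict[str, list]:
    """Return unknown hosts, inventoried assets not seen, and hostname mismatches."""
    seen = {h.mac: h for h in leases}
    unknown = [
        {"ip": h.ip, "mac": h.mac, "hostname": h.hostname,
         "vendor_hint": OUI_HINTS.get(h.mac[:8], "unknown-vendor")}
        for h in leases if h.mac not in inventory
    ]
    # Not seen on the network: offline, or stolen (attack scenario 3). Sort by criticality first.
    missing = sorted(
        (row for mac, row in inventory.items() if mac not in seen),
        key=lambda r: ({"high": 0, "medium": 1, "low": 2}.get(r["criticality"], 3), r["asset_id"]),
    )
    # Known MAC but a different hostname: reimaged, repurposed or MAC-spoofed device.
    mismatch = [
        {"asset_id": row["asset_id"], "expected": row["hostname"], "observed": seen[mac].hostname}
        for mac, row in inventory.items() if mac in seen and seen[mac].hostname != row["hostname"]
    ]
    return {"unknown": unknown, "missing": missing, "mismatch": mismatch}


if __name__ == "__main__":
    report = reconcile(parse_leases(DHCP_LEASES), parse_inventory(INVENTORY_CSV))
    for section, items in report.items():
        print(f"== {section} ({len(items)}) ==")
        for item in items:
            print("  ", item)
```

Run on real data, the lease file would be replaced by the DHCP server's lease database or a periodic ARP/nmap sweep, and the inventory by the CMDB export; the value is in running it on a schedule and treating every "unknown" and every high-criticality "missing" entry as a ticket, not in the parsing itself.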

Recommendations for hospitals
- Establish effective enterprise governance for cyber security
- Implement state-of-the-art security measures
- Provide specific IT security requirements for IoT components in the hospital
- Invest in NIS products
- Establish an information security sharing mechanism
- Conduct risk assessments and vulnerability assessments
- Perform penetration testing and auditing
- Support multi-stakeholder communication platforms (ISACs)

Recommendations for industry
- Incorporate security into existing quality assurance systems
- Involve third parties (healthcare organisations) in testing activities
- Consider applying medical device regulation to critical infrastructure components
- Support the adaptation of information security standards to healthcare

Thank you
eHealthSecurity@enisa.europa.eu
https://www.enisa.europa.eu/scada