European Union Agency For Network And Information Security Security and resilience for eHealth Infrastructures and Service – ENISA study Dimitra Liveri.


European Union Agency For Network And Information Security Security and resilience for eHealth Infrastructures and Service – ENISA study Dimitra Liveri Secure Infrastructures and Services Unit - ENISA

ENISA study on security and resilience for eHealth infrastructures and services
The aim is to:
- Understand the policy context and legislation in each Member State related to eHealth
- Identify critical systems, infrastructures and assets in healthcare systems
- Collect information on the governance model followed on cyber security in eHealth services
- Analyse the most prominent security risks and challenges
- Present the specific security measures the MS take to protect their systems from these risks and challenges, through good practices

Methodology – how did we conduct the study
- Desk research: overview of EU MS legislation
- Feedback from interviews with national experts (regulators etc)
- Input from survey addressed to experts (telecom providers, standardisation bodies etc)
- Collaboration with contractors: GNOMON AE, Ote Plus, VIDAVO

Who should read the report?
- CISOs and IT experts in public authorities
- Healthcare institutions (hospitals, GPs, etc)
- Pharmaceutical sector specialists
- Medical systems vendors

Overview of stakeholders
Profiles:
- Public institutions responsible for eHealth strategy
- eHealth Competence centres
- eHealth platform operators (CIOs, security officers, end-point staff, system administrators)
- Academia
- User associations – networking organisations
- Standardisation bodies
- ICT industry (suppliers)
Coverage: 18 EU Member States, 2 EFTA countries

eHealth Security in the Member States

Overview of national legislation related to eHealth
Focus on:
- eHealth strategy
- eHealth national legislation
- CIIP legislation including eHealth

Common deployment models
Structure-based models:
- Centralised or national
- De-centralised or regional
- Hospital-systems driven
- Cross-border use cases
(Diagram labels: Ministry of Health, Regional authority, Hospital)

Cyber Security in eHealth Systems: Key findings

National perspectives towards CIIP in eHealth
- Healthcare business continuity
- Data security and integrity
- Services availability

National approaches towards CIIP
- Centralised model, i.e. the National Security Agency is in charge of the CIIP policy and the eHealth regulator needs to impose it
- De-centralised model, i.e. the regulatory authorities make the decisions and collaborate with the Ministry or the National Security Agency
- Voluntary-based schemes

Assessing criticality of the assets

Critical Assets and Systems
- Health Information Systems, i.e. the information networks in the hospitals
- Clinical data repositories, i.e. the databases in each hospital where information is stored locally
- Authentication server, i.e. to perform access control and authentication of users
- Laboratory Information System (LIS)
- Radiology Information Systems (RIS)
- Picture Archiving and Communication Systems (PACS), i.e. transferring radiology results
- Electronic Health Record components
- Patient Health Record service
- ePrescription service

Identify critical components per infrastructure – Example 1: Electronic health records (EHR) system

Identify critical components per infrastructure – Example 2: ePrescription

Security challenges in eHealth systems and infrastructures

Security requirements in eHealth infrastructures and services

Use cases on eHealth security
1. Cloud services supporting eHealth
2. EHR/PHR operations
3. eHealth user services (ePrescription, Patient Summary etc)

Use Case 1: Cloud Services supporting Healthcare
(Table columns: Service, Assets, Domains, Scale, Security requirements; cell contents are not in the transcript)
Criticality: High (disruption of those services may create discomfort, but denial of service is usually not life threatening)
Security risks:
- Network security
- Systems availability
- Lack of standardization
- Lack of interoperability
- Lack of security expertise
- Access control and authentication
- Data loss

Use Case 2: EHR/PHR operations
(Table columns: Service, Assets, Domains, Scale, Security requirements; cell contents are not in the transcript)
Criticality: EHR/PHR act as a supportive mechanism to point-of-care information systems; as such, criticality is Medium to High
Security risks:
- Network security
- Systems availability
- Lack of standardization
- Lack of interoperability
- Lack of security expertise
- Access control and authentication
- Data loss
- Data integrity

Use Case 3: eHealth user services (ePrescription, Patient Summary etc)
(Table columns: Service, Assets, Domains, Scale, Security requirements; cell contents are not in the transcript)
Criticality: High (lack of eServices operation may create discomfort to end users)
Security risks:
- Network security (secure access to databases online)
- Cross-border incidents
- Systems availability
- Lack of compliance and trust
- Lack of standardization
- Lack of interoperability
- Lack of security expertise
- Access control and authentication
- Data loss
- Data integrity

Recommendations

Conduct asset identification and risk assessment
Who: Member States, Authority with mandate on cyber security and CIIP, or Authority responsible for eHealth security
Analysis: Member States must conduct an asset identification and a risk assessment to classify their critical eHealth infrastructures and services and develop a national catalogue. Determining such infrastructures and assets at a national level shall enable their systematic protection, based on national rules to be followed uniformly. Moreover, this approach may lead to the concentration of protection efforts on the most critical eHealth infrastructures, based on a prioritization scheme.
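As an added illustration of the asset identification and prioritisation step (example code written for this page, not part of the ENISA study), the following Python model takes a constructed catalogue whose asset names follow the study's critical-asset list, while the intrinsic criticality levels and the dependency edges between assets are assumptions. Each asset receives an effective criticality at least as high as any service that depends on it, so supporting components such as the authentication server or the hospital network surface as critical even though, judged in isolation, they look minor.

```python
"""Propagated-criticality prioritisation of eHealth assets (constructed example)."""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

@dataclass
class Asset:
    name: str
    intrinsic: str                  # criticality when judged in isolation
    depends_on: list = field(default_factory=list)

# Constructed catalogue: asset names follow the study's critical-asset list;
# the intrinsic levels and dependency edges are assumptions for illustration.
CATALOGUE = [
    Asset("ePrescription service", "high", ["Authentication server", "Hospital network"]),
    Asset("Patient Health Record service", "medium", ["EHR components"]),
    Asset("EHR components", "high", ["Clinical data repository", "Authentication server"]),
    Asset("PACS", "high", ["RIS", "Hospital network"]),
    Asset("RIS", "medium", ["Hospital network"]),
    Asset("LIS", "medium", ["Hospital network"]),
    Asset("Clinical data repository", "high", ["Hospital network"]),
    Asset("Authentication server", "low", ["Hospital network"]),
    Asset("Hospital network", "low"),
]

def propagate(catalogue):
    """Effective level per asset: at least as high as any service depending on it.
    Fixed-point iteration: terminates because levels only rise and are bounded,
    and tolerates cycles. An unknown dependency is an inventory gap, so it is
    reported rather than silently ignored."""
    known = {a.name for a in catalogue}
    effective = {a.name: LEVELS[a.intrinsic] for a in catalogue}
    changed = True
    while changed:
        changed = False
        for a in catalogue:
            for dep in a.depends_on:
                if dep not in known:
                    raise KeyError(f"{a.name!r} depends on uncatalogued asset {dep!r}")
                if effective[dep] < effective[a.name]:
                    effective[dep] = effective[a.name]
                    changed = True
    return effective

def prioritised(catalogue):
    """Catalogue ordered from most to least critical (ties broken by name)."""
    eff = propagate(catalogue)
    return [(n, NAMES[v]) for n, v in sorted(eff.items(), key=lambda kv: (-kv[1], kv[0]))]

def uplifted(catalogue):
    """Assets that look minor alone but become critical through their dependants."""
    eff = propagate(catalogue)
    return sorted(a.name for a in catalogue if eff[a.name] > LEVELS[a.intrinsic])
```

Running `uplifted(CATALOGUE)` on this catalogue names the authentication server, the hospital network and the RIS, which is the kind of blind spot a catalogue built from intrinsic ratings alone would miss.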

Define clear cyber security guidelines
Who: Member States, Authority with mandate on cyber security and CIIP, or Authority responsible for eHealth security
Analysis: Define the minimum requirements for the protection of eHealth infrastructures and assets which have been classified as critical, and include them in the guidelines. Such guidelines may refer to specific use cases and to technical infrastructures and assets commonly deployed, in terms of their protection measures. Combined with the previous recommendation, these guidelines could form the basis for the development of a standard protection level for the critical eHealth infrastructures and the identified relevant assets.

Perform impact/cost-benefit analysis to increase investment
Who: Member States and healthcare organisations
Analysis: Higher management needs to be motivated to increase the budget for investing in cyber security and asset protection. The best way to explain this is to present the cost-benefit analysis of the security incidents, classified by root cause, to indicate how big the loss is. The healthcare organisations should provide statistical analysis based on actual facts, i.e. incidents that have also caused financial impact to the organisation, to convince higher management that security should be considered a priority regardless of the national legal framework.

Create incident response mechanisms
Who: Healthcare organisations, national security authorities
Analysis: An eHealth incident reporting mechanism, potentially part of a clinical incident reporting and alerting system, would aim at improving patient safety. Moreover, by effectively sharing such information at various levels (nationally, organisationally and clinically), collaborative efforts can be followed to improve critical eHealth infrastructure protection and patient safety. In practice, an eHealth-focused Computer Emergency Response Team should be created, which could potentially collaborate with the national CERT on incident handling. Feedback directly to the eHealth service users (e.g. clinicians) is extremely important for their continued engagement. A culture that encourages reporting and information sharing is needed.

Support information sharing
Who: Healthcare organisations, national security authorities
Analysis: Information sharing is a very important component when building frameworks at a national level. Bringing together stakeholders from the private and public sector, the users, the general practitioners, associations of pharmacists etc. would result in a better depiction of the current situation in the country, the gaps and the needs, and thus in concrete security requirements for the security and resilience of eHealth systems and services.

Develop baseline security measures
Who: European Commission, healthcare organisations, Member States and national security authorities
Analysis: To offer assistance to healthcare practitioners and bodies, baseline security measures could be set by the European competent authorities. Depending on the existing frameworks, these could be binding and obligatory through specific legislation (thus requiring monitoring and auditing mechanisms to be in place) or through non-mandatory guidelines. Depending also on the maturity levels, the security measures should be able to cover all the different levels of sophistication in the systems.

Adopt security standards
Who: Healthcare organisations, Member States and national security authorities
Analysis: Define a set of must-have integration profiles to establish secure connections over the network, namely in the domains of audit logs, data encryption, TSL assertions, access rights policy, eID, healthcare providers' registries, and many more related to data integrity and resilience of systems. Having a common guideline on how to best implement correct interoperability will gradually increase end-user experience and acceptance of new types of services that are meant to run over open networks rather than in closed and restricted networks.

Invest in raising awareness and in training
Who: European Commission, healthcare organisations, Member States
Analysis: One of the greatest gaps identified in this study is the lack of expertise and knowledge on cyber security, and on its emerging risks, among the people involved in healthcare. Officers working in the competent authorities and the healthcare units (hospitals, clinics etc) should understand the concepts of cyber security risks in order to be able to protect the critical assets.

NEW: Align eHealth with NCSS and CIIP activities
Who: Member States and national security authorities
Analysis: CIIP is part of the objectives of a National Cyber Security Strategy (NCSS) for 90% of the MS that have a strategy. eHealth is one of the critical sectors in scope of the national CIIP action plan. eHealth systems and services protection activities should be aligned with the provisions of the national strategy.

Other suggestions?

Thank you for your help!!