Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security and resilience for Smart Hospitals Key findings

Published byBeverly Cummings Modified over 7 years ago

Similar presentations

Presentation on theme: "Security and resilience for Smart Hospitals Key findings"— Presentation transcript:

1 Security and resilience for Smart Hospitals Key findings
Dimitra Liveri, Ilias Bakatsis, Athanasios Drougkas| ENISA 2nd eHealth Security Workshop| Vienna | 23rd November

2 2016: ENISA work to secure Smart Hospitals
Objectives Improve security and resilience of hospitals information systems Identify common cyber security threats and challenges and, Present mitigation measures to address them Support pilots in hospitals across the EU Secure devices and systems to improve patients’ safety

3 Study Overview Scope Target Audience Methodology
Smart hospitals value and offerings built on top of traditional hospitals Smart Hospitals assets identification Vulnerabilities and threats presentation Attack scenarios analysis Good practices and recommendations Target Audience Healthcare Providers / Hospitals – CIOs/CISOs etc. Industry stakeholders Policy Makers Methodology Desktop research Interviews with hospitals’ CISOs Online survey Responders : Hospital CISO/CIO (“user side”) Industry representatives Policy makers

4 Towards a definition A smart hospital is a hospital that relies on optimised and automated processes built on an ICT environment of interconnected assets, particularly based on Internet of things (IoT), to improve existing patient care procedures and introduce new capabilities

5 Why Hospitals are becoming “Smart”

6 Threats based approach
Assets Vulnerabilities Threats Attack scenarios Good practices Initial findings Recommendations

7 Identification of Smart Assets in Hospitals

8 Assessing the criticality of smart assets

9 Vulnerabilities of Smart Hospitals
Interconnection between devices/systems, some times even automatic Communication between devices and legacy systems creates gaps Physical security impossible for all components Impossible to virtually patch all devices Life span of medical devices Little malware detection or prevention capabilities No clear way to alert the user when a security problem arises Access control difficult to implement Usability issues cause circumventions of set policies Use of personal devices non compliant to security policies Lack of compliance with organisational or industry standards Users behaviour Lack of proper configuration management process

10 Threats mind map Report also includes threat modelling identifying attack actors and attack vectors, asset exposure mapping threats to assets and finally assessing criticality.

11 Attack scenarios 1. Social engineering attack
2. Medical device tampering 3. Theft of Hospital equipment 4. Ransomware attack on Hospital Information System 5. DDoS on Hospital servers Per scenario: Description Assets affected Criticality Likelihood Cascading effects Estimated recovery time Good practices Challenges and gaps

12 Good practices Mapping good practices to meeting threats (good practices are organised in categories)

13 Open Issues Gap 1 - Lack of bring your own device controls Gap 2 - Need of automated asset inventory discovery tool Gap 3 - Lack of application whitelisting technology Gap 4 - Need to ensure secure configurations Gap 5 - Need of client certificates to validate and authenticate systems Gap 6 - Lack of training and awareness-raising programs Gap 7- Remote administration of servers, workstations, network devices, etc. over secure channels Gap 8 - Pace of standardisation versus IT technology Gap 9 – Cost benefit breakdown is critical

14 Recommendations for Hospitals
Establish effective enterprise governance for cyber security Implement state-of-the-art security measures Provide specific IT security requirements for IoT components in the hospital Invest on NIS products Establish an information security sharing mechanism Conduct risk assessment and vulnerability assessment Perform pen g and auditing Support multi-stakeholder communication platforms (ISACs)

15 Recommendations for Industry
Incorporate security into existing quality assurance systems Involve third parties (healthcare organisations) in testing activities Consider applying medical device regulation to critical infrastructure components Support the adaptation of information security standards to healthcare

16 Thank you eHealthSecurity@enisa.europa.eu

Download ppt "Security and resilience for Smart Hospitals Key findings"

Similar presentations

© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk.

© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk.
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
SACM Terminology Nancy Cam-Winget, David Waltermire, March.

SACM Terminology Nancy Cam-Winget, David Waltermire, March.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.

VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss

K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss
Lessons Learned in Smart Grid Cyber Security

Lessons Learned in Smart Grid Cyber Security
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Sandra C Security Advisor Energy Dan B Security Advisor Water

Sandra C Security Advisor Energy Dan B Security Advisor Water
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.

Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.
Frankfurt (Germany), 6-9 June 2011 Iiro Rinta-Jouppi – Sweden – RT 3c – Paper 0210 COMMUNICATION & DATA SECURITY.

Frankfurt (Germany), 6-9 June 2011 Iiro Rinta-Jouppi – Sweden – RT 3c – Paper 0210 COMMUNICATION & DATA SECURITY.
ENISA efforts for securing European Internet Infrastructure

ENISA efforts for securing European Internet Infrastructure
European Union Agency For Network And Information Security Security and resilience for eHealth Infrastructures and Service – ENISA study Dimitra Liveri.

European Union Agency For Network And Information Security Security and resilience for eHealth Infrastructures and Service – ENISA study Dimitra Liveri.

Similar presentations

Ads by Google