ShareThe European Union Agency for Cybersecurity (ENISA) has released cybersecurity guidelines for hospitals when procuring services, products and infrastructure, identifying relevant threats and risks and mapping good practices.
You might also like: ENISA director, Juhan Lepassaar, explains how the COVID-19 pandemic has made the need for effective cyber hygiene even more urgent. Read more
Digitalisation of healthcare has seen an explosive growth during the COVID-19 pandemic, especially in terms of virtual health and telemedicine. At the same time, cyber threats and data protection-related issues have come to the forefront. ENISA’s new report, Cloud Security for Healthcare Services, aims to help “IT professionals in the healthcare security contexts to establish and maintain Cloud security while selecting and deploying appropriate technical and organisational measures”.
The legislative background of cloud services procurement includes, at the EU
level, the Network
and Information Security Directive (NISD) 2016/1148/EU
and the EU Cybersecurity Act; the Medical Device Regulation (MDR) and the Medical
Device Directive; and the GDPR, as well as various national legislations in
relevant fields. The NISD defines hospitals as
Operators of Essential Services and cloud services providers as Digital Service
Providers which means that when procuring respective services they both must
comply with the Directive security requirements. They also share responsibility
for how the health data are stored and processed (assuming roles equivalent to
the GDPR’s data controller and data processor).
There is a variety of cloud-based services in healthcare,
from health information systems (HIS) to office management to telemedicine.
When deploying any of them, many challenges arise, from a lack of trust of cloud
solutions and a lack of expertise to integration of cloud with legacy systems
and data protection issues (e.g. data deletion or encryption). In addition,
cybersecurity threats may be posed by natural disasters, supply chain and
system failures, human errors and malicious actions, etc.
The report provides three use cases of an EHR, remote care
and medical devices, and reviews a reference cloud architecture, factors for risk
assessment, and risk mitigation
measures. Further on, a number of security measures and good practices are
proposed including:
- Identification of security and data protection requirements
- Conducting a risk assessment and data protection impact assessment
- Establishment of processes for security and data protection incident management
- Ensuring business continuity and disaster recovery
- Termination and secure data deletion
- Auditing, logging and monitoring, and others.
Each of these practices are explained and applied to the three use cases.
In
conclusion, the report highlights how the COVID-19 pandemic has boosted
migration to cloud in healthcare but notes that the majority of cloud services
in this sector are still used for administrative and not clinical purposes due
to “lack
of trust in Cloud services, lack of expertise, compliance
requirements, particularly in relation
to data protection, and more”. By outlining the
foundations and good practices of cloud service provision in terms of
cybersecurity and data protection, ENISA aims to further accelerate healthcare’s
transition to cloud-based operations.
Source and image credit: ENISA
