Management of cyber risks for hospitals

Alex Astolfi, Partner, PwC Switzerland, 30 Jan 2017

The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise. It assists the member states of the European Union, in both the private and public sectors, in increasing the security and resilience of their infrastructure and their compliance with EU legislation.

ENISA has just released a study about the shift of hospitals from the “traditional hospital” model towards a “smart hospital” one. A hospital becomes “smart” when more and more Internet of Things (IoT) devices are used and connected to the hospital network.

While this new way of working offers undeniable benefits, it also brings new security challenges. As the dependency on IT increases, the resulting risks need to be managed appropriately, as do cybersecurity and resilience considerations.

Goal and methodology

The study reviews the threats and vulnerabilities associated with smart hospitals and their ongoing digitalisation. It also looks, separately, at the technical and organisational measures that must be put in place to reduce these risks to an acceptable level.

To obtain a comprehensive picture, the process involved more than 30 security professionals in senior positions from hospitals, the health industry and policy-making agencies. The study summarises nine main gaps that hospitals need to address in order to be ready to adopt IoT devices and move forward with the digital transformation.

Highlights

The following conclusions were reached by ENISA:

  • The top two threats perceived by respondents are human errors (first) and malicious actions (second). Respondents also rated these as the threats capable of causing the greatest damage to hospitals (77% for malicious actions and 70% for human errors).
  • Respondents clearly identified infrastructure as the most critical asset of smart hospitals (please refer to chart 1).
  • Respondents considered that, of the measures already deployed, only a few are actually effective, and most of those are technical (please refer to chart 2).

Conclusion of the ENISA study

Hospitals are not ready for the digital future and for smart devices because:

  • IT assets are not managed in a central inventory – the study offers a categorisation schema for doing so
  • Threats and risks are not assessed and consequently not managed – the study offers a taxonomy of threats applicable to smart hospitals
  • Good practices are not identified, and the gaps between them and a hospital's actual practice are not closed in a timely manner – the study identifies nine major gaps that are seen in most hospitals

How PwC can help

The question is no longer whether a hospital can be the target of a cyberattack but when.

Based on our experience, both as auditors and as cybersecurity consultants, we have developed an approach that helps to enhance the security posture of hospitals. Our approach comprises the assessment of three aspects: people, processes and technology.

An appropriate level of cybersecurity, compliance and privacy requires a structured approach balancing governance, processes and technology. It includes:

  1. A strategy for how to address cyberthreats, manage risks and establish governance
  2. Identifying the IT assets, the risks and responsible roles in and for the organisation
  3. Protecting IT assets and data appropriately
  4. Detecting cyberattacks, data exfiltration and human errors early and efficiently
  5. Responding effectively to IT security incidents and
  6. Recovering according to defined time objectives to minimize business impact

By the end of the assessment, you will be aware of any gaps with respect to regulatory requirements and of how your security programme compares with industry good practice.


Contact us

Alex Astolfi

Partner, PwC Switzerland

Tel: +41 58 792 81 95