On 14 November 2018, ENISA organised the fourth eHealth Security Conference ‘Towards a medical cybersecurity landscape’ in cooperation with the Dutch Ministry of Health.
The conference, which was hosted by the Erasmus Medical Centre in Rotterdam, the Netherlands, had around 100 participants and over 20 speakers and panellists. It tackled various topics related to cybersecurity in the healthcare sector.
From regulatory aspects, such as the implementation of the NIS Directive by the EU member states, to the regulations regarding GDPR and medical devices, and the intricacies of cybersecurity incidents in healthcare technologies, the conference offered interesting information to everyone within the area of eHealth – be it policy, operations, manufacturing or information security topics.
The Executive Director of ENISA, Udo Helmbrecht, said: “Based on our studies, currently, there is a low level of cybersecurity in the healthcare sector. Some hospitals do not have a Chief Information Security Officer, and there is a general lack of security policies and access control mechanisms. We need to do our utmost to protect critical healthcare systems, in particular hospitals, and work towards improving the safety of the patients. ENISA has allocated increased resources in the last years to help EU member states identify and overcome threats. The agency has produced several studies, reports and guidelines on how to improve the cybersecurity level of the eHealth ecosystem. In addition, it has become a tradition to bring together operators of essential services for the ‘eHealth Security Conference’. I want to thank the Dutch authorities for their invaluable support in organising the event this year.”
The first session focused on the regulatory framework with healthcare organisations in scope, and mainly covered the following topics:
- the implications of the NIS Directive for hospitals and the added value it brought to the whole ecosystem;
- good practices on how to enable the implementation of GDPR across a state-wide healthcare system;
- facilitating healthcare providers from the regulators’ perspective;
- the challenges faced by the industry due to the new requirements of their customers.
The discussions revealed that the primary goal across the sector should be harmonisation.
During the second session, discussions moved to the topic of medical devices’ cybersecurity, and speakers and panellists covered the different perspectives of the whole ecosystem and shared their views on the following topics:
- the cybersecurity challenges regarding medical devices are growing, as the devices become increasingly interconnected, difficult to patch and directly tied to cyber-physical security;
- the Medical Devices Regulation, and how it changes the landscape of cybersecurity of medical devices;
- good practices on how national competent authorities can introduce cybersecurity guidelines for manufacturers of medical devices;
- how the development of standards is guiding the industry towards more cybersecurity practices.
A third session of the conference focused on cybersecurity incidents regarding healthcare technologies, and on how vendors integrate such incidents in their product lifecycle management processes. The Dutch HealthCERT shared their experiences with incident handling for hospitals in their country. In addition, DutchSec presented a live demo of an incident in hospital systems as an illustrative example.
The conference ended with the mutual conclusion that the healthcare sector is particularly vulnerable to cybersecurity incidents and that cybersecurity is a shared responsibility: all stakeholders have to work together to increase safety for the patients.
ENISA will continue its work on supporting efforts to increase cybersecurity in eHealth in the coming years. The agency will focus on the priorities of the sector, such as supporting the implementation of the NIS Directive and the overall development of the regulatory framework, and publishing good practices for healthcare organisations as a guideline.