Prevention is the cyberdefence for hospitals

Back to News

The EU Agency for Cybersecurity publishes a Cybersecurity Procurement Guide for Hospitals. Healthcare IT professionals have a new instrument in their toolbox.

The hospital is a vast ecosystem comprised of an entire network of devices, equipment and systems that often require connection to external systems, making monitoring and control a very hard task to do. This is due to the high sensitivity of medical data and the potential vulnerability the sector is faced with (see: Two thirds of healthcare organisations suffered cybersecurity incident in 2019), cybersecurity has to be applied every step of the way to ensure patient data privacy and the availability and resilience of healthcare services at the same time.

A cybersecurity procurement guide for Hospitals

The ‘Procurement Guidelines for Cybersecurity in Hospitals’ published by the Agency is designed to support the healthcare sector in taking informative decisions on cybersecurity when purchasing new hospital assets. It provides the information to be included in the procurement requests that hospitals publish in order to obtain IT equipment.  

This new report outlines good practices and recommendations for including cybersecurity as a provision in the procurement process in hospitals. Initially the report presents the set of hospital assets and the most prominent cybersecurity threats linked to them. After categorising the procurement process in three steps, namely ‘Plan, Source and Manage’, it identifies the cybersecurity requirements associated with each step. To make this even easier, the guide provides suggestions for evidence on how the requirements can be fulfilled by the provider.

The EU Agency for Cybersecurity, Executive Director, Juhan Lepassaar, stated:

Protecting patients and ensuring the resilience of our hospitals are a key part of the Agency’s work to make Europe’s health sector cyber secure”

Who can use the Guide?

This guide provides an accessible overview and allows reutilisation by CIOs and CISOs of healthcare providers, medical device manufacturers, insurers and other healthcare related organisations, with the objective of becoming a useful reference. The visualisation of this information into a handy tool will be released in the coming months.

The Agency is supporting the healthcare sector to raise cybersecurity capacity and awareness since 2015; issuing several good practice guides, organising dedicated cybersecurity conferences and supporting policy implementation i.e. NIS Directive, Medical Device Regulation, (see: New Medical Device Coordination Group Guidance on Cybersecurity for Medical Devices). Additionally, later this year the Agency will organise a pan-European exercise, Cyber Europe 2020 with a focus on the healthcare sector.

Further information

ENISA - Procurement Guidelines for Cybersecurity in Hospitals

Join us in our eHealth Security activities by participating in our dedicated experts group: Call for Expression of Interest - eHealth Security Experts Group

More information about our activities in healthcare on ENISA dediated page Critical information infrastructures and services - HEALTH

For queries about our eHealth security work, please contact [email protected]

For further queries or interviews, please contact [email protected].