Security and resilience for Smart Hospitals

Key findings
Dimitra Liveri, Ilias Bakatsis, Athanasios Drougkas| ENISA
2nd eHealth Security Workshop| Vienna | 23rd November
European Union Agency For Network And Information Security
2016: ENISA work to secure Smart
Hospitals

Objectives
• Improve security and resilience of
hospitals information systems
• Identify common cyber security
threats and challenges and,
• Present mitigation measures to
address them
• Support pilots in hospitals across the
EU

Secure devices and systems to improve patients’ safety

 Study Overview
• Scope
- Smart hospitals value and offerings built on top of traditional hospitals
- Smart Hospitals assets identification
- Vulnerabilities and threats presentation
- Attack scenarios analysis
- Good practices and recommendations

• Target Audience
- Healthcare Providers / Hospitals – CIOs/CISOs etc.
- Industry stakeholders
- Policy Makers
Responders :

• Methodology 1. Hospital CISO/CIO (“user side”)

- Desktop research 2. Industry representatives
- Interviews with hospitals’ CISOs
3. Policy makers
- Online survey
3
Towards a definition

“ A smart hospital is a hospital that relies on

optimised and automated processes built on
an ICT environment of interconnected
assets, particularly based on Internet of
things (IoT), to improve existing patient care
procedures and introduce new capabilities

” 4
Why Hospitals are becoming “Smart”

5
Threats based approach

Vulner Initial Recom

Attack Good
Assets abilitie Threats finding menda
scenarios practices
s s tions

6
Identification of Smart Assets in
Hospitals

7
 Assessing the criticality of smart
assets
Interconnected Clinical information systems 67%

Networked medical devices 67%

Networking equipment 43%

Remote Care System 40%

Data 30%

Mobile client devices 30%

Identification systems 30%

Buildings 10%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Respondents rating the asset critical for smart hospitals

8
Vulnerabilities of Smart Hospitals
• Interconnection between devices/systems, some times even automatic
• Communication between devices and legacy systems creates gaps
• Physical security impossible for all components
• Impossible to virtually patch all devices
• Life span of medical devices
• Little malware detection or prevention capabilities
• No clear way to alert the user when a security problem arises
• Access control difficult to implement
• Usability issues cause circumventions of set policies
• Use of personal devices non compliant to security policies
• Lack of compliance with organisational or industry standards
• Users behaviour
• Lack of proper configuration management process 9
Threats mind map

10
Attack scenarios

1. Social engineering attack Malware 60%

2. Medical device tampering Tampering with devices 33%

3. Theft of Hospital equipment

4. Ransomware attack on Social engineering 23%

Hospital Information System

Denial of service 23%
5. DDoS on Hospital servers
Per scenario: Theft 13%

- Description
0% 10% 20% 30% 40% 50% 60% 70%
- Assets affected
Respondents rating the attack scenario common for smart hospitals
- Criticality
- Likelihood
- Cascading effects
- Estimated recovery time
- Good practices
- Challenges and gaps
11
Good practices

12
Open Issues

Gap 1 - Lack of bring your own device controls

Gap 2 - Need of automated asset inventory discovery tool
Gap 3 - Lack of application whitelisting technology
Gap 4 - Need to ensure secure configurations
Gap 5 - Need of client certificates to validate and authenticate systems
Gap 6 - Lack of training and awareness-raising programs
Gap 7- Remote administration of servers, workstations, network
devices, etc. over secure channels
Gap 8 - Pace of standardisation versus IT technology
Gap 9 – Cost benefit breakdown is critical
13
Recommendations for Hospitals

• Establish effective enterprise governance for cyber security

• Implement state-of-the-art security measures
• Provide specific IT security requirements for IoT components in the
hospital
• Invest on NIS products
• Establish an information security sharing mechanism
• Conduct risk assessment and vulnerability assessment
• Perform pen g and auditing
• Support multi-stakeholder communication platforms (ISACs)

14
Recommendations for Industry

• Incorporate security into existing quality assurance systems

• Involve third parties (healthcare organisations) in testing activities
• Consider applying medical device regulation to critical infrastructure
components
• Support the adaptation of information security standards to
healthcare

15
Thank you

eHealthSecurity@enisa.europa.eu
resilience@enisa.europa.eu

https://www.enisa.europa.eu/scada
www.enisa.europa.eu/internetcii