The application scenarios for SPHINX focus the adoption of innovative information and communication technologies by healthcare stakeholders, giving way to national eHealth strategies and a common EU eHealth policy, including healthcare data capture (secure collection of patient data from multiple sources), analysis (data processing and analytics to extract actionable information from captured healthcare data) and sharing (deployment of healthcare information networks that securely retrieve patient data from multiple sources and make it available to the patient and the responsible healthcare professional), in order to improve significantly the delivery of high-quality cost-efficient healthcare via informed decision-making.
Adapted to the specific context of the SPHINX RIA, the application scenarios embrace today’s growing digitisation of healthcare information and service delivery and its associated security challenges, all of which addressable through the innovation brought forth by the SPHINX System. Overall, SPHINX identifies five relevant application scenarios:
Digital Transformation in Healthcare
Healthcare is still new to digitisation, with the vast majority of related investments on software and services in frontline clinical and administrative healthcare occurring in the last decade. Throughout the years, rendering administrative processes, clinical pathways and patient data into digital realities has driven a focus on data standardisation, integration and security, that hold together disparate system workflows. Adding new computers, servers and devices and creating more dedicated networks has led to a panoply of different operating systems, applications and databases that resulted in unique IT architectures and specialist cybersecurity needs. In the mix, outdated and legacy firmware compound the difficulty to maintain up-to-date security policies, and systems, increasing the number of vulnerabilities or risks.
Hence, SPHINX solution aims to protect digitised healthcare databases and services; update outdated (legacy) operating systems, applications and databases; safeguard the integration of healthcare and patient data from multiple databases, secure the availability, integrity and confidentiality of healthcare and patient data; enhance users’ authentication and profile management; and integrate of BYOD devices in healthcare organisations’ networks.
EU Member States (MS) are working on an eHealth Digital Service Infrastructure under the aegis of the eHealth Network, the network of national authorities responsible for eHealth (2011/890/EU). In addition to Finland, Greece, Italy, Portugal, Spain, France, Denmark, Estonia and Czech Republic, 18 MS are expected to exchange Electronic patient summaries and ePrescription by the end of 2021. Healthcare organisations are gradually adopting new technologies to deliver nation-wide healthcare services online (eHealth), such as ePrescription/eDispensation, Electronic patient summary, eReferrals and eBilling, that significantly facilitate the interaction of citizens and patients with healthcare organisations, as well as the daily work of thousands of healthcare professionals and employees. The added-value eHealth services are adopting widely used Internet-based technologies (e.g., IP and web services) and open standards (e.g., HL7) allowing access from commodity devices (e.g., mobile phones and web-browsers) for users and services (intra and extra organisation). Herein, organisations expose resources to external entities where security controls cannot be enforced. As healthcare systems increasingly rely on web-enabled eHealth services and online transactions for care delivery, they also become more vulnerable to cyberattacks, requiring appropriate cybersecurity policies and solutions. An array of vulnerabilities is exposed and bring heightened concerns regarding privacy and security about third-parties’ risks, inappropriate releases of sensitive and private information from healthcare records and the systemic flows of information throughout healthcare organisations.
Drawing from such challenges, SPHINX’s scope is to test for untrusted environments and devices; monitor web-based online healthcare services; limit the exposure of web-services to external entities; secure availability, integrity and confidentiality of healthcare and patient data; and enhance users’ authentication and profile management.
mHealth and Remote Patient Monitoring Platforms
Mobile health (mHealth) supports the delivery of healthcare via remote access medical devices, IoT-based health devices (the Internet of Medical Things or IoMT) and mobile applications that connect to healthcare IT systems through computer networks, empowering the sharing of health and wellbeing information, enabling the shifting of healthcare to a more preventative care outside of the hospital environment, giving rise to services such as telehealth (video appointments and consultation) and remote patient monitoring platforms, and delivering high-quality healthcare. The use of personal health monitoring devices and smartphone applications (Apps) is also on the rise. Most of these devices are connected to patient remote monitoring Apps that focus on the collection of patient-generated health data from home, through devices and mobile health platforms that connect via the patient’s home network or cellular network, to the primary care provider or care team. With mHealth tools and platforms, telehealth and remote patient monitoring platforms the boundaries of cybersecurity are stretched, while creating new, often insecure, entry points for hackers and rising data security and liability risks. As healthcare systems become interconnected, especially as numerous wireless medical devices start connecting to web-enabled IT systems they become increasingly vulnerable. From a cybersecurity perspective, healthcare organisations need to rethink medical and health device management and consider all the variables this mobile technology introduces, compared to traditional workstations and laptops.
To address the above issues, SPHINX aims to test for untrusted environments and devices; armour remote healthcare services (in-home care) like telehealth consultations and remote patient monitoring platforms; integrate IoT-enabled medical and health devices in the healthcare organisations’ networks; and also patients’ BYOD devices in healthcare organisations’ networks; secure the availability, integrity and confidentiality of healthcare and patient data; and enhance users’ authentication and profile management.
Sharing and Exchange of Healthcare Information
Before the wide-scale adoption of EHRs/PHRs, access to healthcare information entailed paper records, in-person requests to health information management offices and the payment of fees. The increasing digitisation of health records has improved access to health information, with healthcare professionals being able to easily access and view diagnosis, medication history, clinical decision support notes, lab results, imaging, treatment plans and post-treatment monitoring. In this context, EHRs/PHRs act as pillars of point of care information systems, facilitating the sharing and exchange of health information among healthcare stakeholders, such as healthcare providers, pharmacies, insurance companies and researchers. Currently, the ability of European citizens to access their electronic medical records across the EU varies from one country to another. Thus, the European Commission is working to facilitate access across borders to healthcare data, namely to laboratory tests, medical discharge reports and images and imaging reports. Healthcare data interoperability and security are top priorities to ensure patient data protection and prevent data breaches.
As a result, SPHINX solutions focus on introducing standardisation and common data exchange formats compliant with EU and national regulations on interoperability; securing availability, integrity and confidentiality of patient records and healthcare information across the complete workflow and data lifetime; detailed auditing on every data operation; and enhancing users’ authentication and profile management.
Cross-border Healthcare Service Delivery
Enabling citizens to securely access and share their healthcare data across borders is one of the priorities of the Communication on enabling the digital transformation of health and care in the Digital Single Market. Moreover, the General Data Protection Regulation underlines that citizens have the right to access their personal data and provides the legal framework for its protection, setting out directly applicable rules for the processing of the individuals’ personal data, including their health data. And rules for facilitating the access to safe and high-quality cross-border healthcare are specifically provided for by the Directive on patients’ rights in cross-border healthcare. Technical specifications for healthcare information exchange were defined, focusing on two sets of health data: Electronic patient summaries and ePrescription. The first exchanges took place between Estonia and Finland in January 2019 and their example will be followed by another 22 EU MS by 2021. On February 6th 2019, the European Commission’s Recommendation on a European Electronic Health Record exchange format (C(2019)800) sets the framework to further develop a European EHR exchange format that will enable citizens to securely access and exchange their health data across borders in the EU. Further, it underlines the importance of ensuring data protection and security, in line with the GDPR, and full compliance with the cybersecurity framework.
Following the above developments, SPHINX is projected to elaborate on trusted chain of transactions that ensures data confidentiality; enhance the authentication of all involved individuals and IT components (residing in different states); secure availability, integrity and confidentiality of healthcare and patient data; standardise interoperability and common data exchange formats; bridge different national legislation frameworks on healthcare data.
The SPHINX application scenarios enable the construction of the environment or context for the common identification of challenges, problems, needs, gaps and opportunities and for the broaden debate of SPHINX’s added-value for the cybersecurity of healthcare organisations. From it, specific use cases are drafted to help stakeholders discuss cyber threats, attack vectors, vulnerabilities and impact on relevant assets and the usefulness and performance of the SPHINX tools.