SPHINX Workshop CYBERSEC4HEALTH

SPHINX Workshop CYBERSEC4HEALTH

SPHINX (A Universal Cyber Security Toolkit for Health-Care Industry), an Horizon2020 Research and Innovation funded project (sphinx-project.eu), organized its first Workshop titled “CYBER SECURITY SITUATION AWARENESS FOR HEALTH ORGANIZATIONS – CYBERSEC4HEALTH” on July 10th 2019 at Brussels. Hosted by Vrije Universiteit Brussel (VUB), and co-organized in conjunction with Hellenic Mediterranean University (HMU), the workshop counted, among its speakers, with the participation of ENISA, the European Union Agency for Cybersecurity (www.enisa.europa.eu), SANTHEA, a professional employer association in the health sector in Wallonia Brussels and representatives of other EU-funded projects such as PANACEA (www.panacearesearch.eu), CUREX (curex-project.eu) and SafeCare (www.safecare-project.eu), as well as several SPHINX project partners, including three healthcare providers from three different European countries (Portugal, Greece, Romania).

The workshop, divided in four thematic sessions, started with presentations by representatives of the Health Care providers partners of SPHINX (5th Regional Authority of Greece, Hospital do Espírito do Santo, Hospital de Évora and Polaris Medical) focusing on the topic of the required improvements in security needed in health care services, data and infrastructures. The key questions addressed in this session were: What violations have occurred? How are risks evolving? Which Hospital processes /systems are more vulnerable to cyber attacks?

Fotios Gioulekas and Konstantinos Gounaris presented the Greek Cybersecurity healthcare landscape, a joint analysis with Evangelos Stamatiadis and Athanasios Tzikas , all from the 5th Health Regional Authority of Thessaly and Sterea, Greece. During the presentation, the main objectives and gains through the involvement and collaboration within SPHINX project were delineated. It was pointed out that digital transformation of healthcare processes and workflows, with respect to the GDPR compliance, was evolving to enable the smooth transition of current traditional hospitals to smart hospitals. Although cybersecurity awareness was found low among the hospital and primary healthcare employees, several steps have been made so far to raise it. Cybersecurity vulnerabilities that could affect Hospitals’ assets and daily operations were also presented along with the main problems toward the applicability of efficient security policies. These problems are due to the heterogeneity in Greek Hospital Information Systems (both H/W and S/W), the outdated software executed on medical devices (e.g. ultrasound device, CT scanner, etc.) and equipment, budget and resource constraints and mainly to the personnel’s resistance to follow a security policy, especially when it cumbers the established business process. The latter, consequently, results either to the “invention” and usage of work around procedures or security policy drop-outs. Interesting Cyber Security incidences (i.e. Ransomware attack, conficker worm, “police” virus, etc.) that encountered in the past were given, together with actions taken to mitigate these events. Considering all the incidents that were reported, a central database for recording the cyber security occurrences in Greek Healthcare sector is ongoing. In conclusion, the Greek partners presented the current status on the work conducted by the 5th Health Regional Authority of Thessaly and Sterea on the implementation of a Disaster Recovery Site (DRS) to protect Data and Information Systems of 3 major hospitals, all the supervised health centers and the central authority. Also, insights into the potential of SPHINX ecosystem to secure the DRS infrastructure were discussed.

Ricardo Cabecinha from Hospital do Espírito Santo de Évora, Portugal, presented the Portuguese Health Ministry Cybersecurity Strategy, providing a historical evolution of the topic through the years and the associated laws. A very frank assessment of recent cyber attacks experienced by different health care providers in Portugal was given and some of the root causes for such dire state was presented, of which Ricardo highlighted the most relevant statistics (from 95% of all cyber security violations being due to human errors, to 75% of healthcare sector was infected with malware at some moment in 2018). These global threats taken collectively show a growing trend of increased vulnerability of organizations and data privacy impact. A very interesting study on how much each stolen information is worth in the black market was shown, from the simple hacked email account to stolen medical records. Ricardo Cabecinha ended his presentation with a updated list of the cyber security incidents reported to the Ministry of Health (tracked by the IT services) and the future challenges protecting healthcare data, services and infrastructure.

Sergiu Marin from POLARIS MEDICAL started by presenting the medical network infrastructure of Romania and a brief description of the current status and stakeholders involved in the total healthcare ecosystem. This was followed by a presentation on the cyber security threats reported by the Romanian National Computer Security Incident Response Team. The detailed analysis led to interesting debate among the participants, where different experiences were shared. The conclusion from this first session was clear: The threats faced by healthcare organizations across Europe are similar and need a coordinated approach and require the deployment of a common Cyber Security Toolkit, validating the approach proposed by SPHINX.

The next thematic session focused on the technological solutions already available in the marketplace to reduce data privacy breaches as a result of cyberattacks, as well as work being proposed to address both at the standardization level as well as technical level, improvements in cybersecurity for the entire health care ecosystem. Key questions addressed in this thematic session covered many topics, such as, What is the current protection level? What suspicious log events are found? How Cybersecurity Standards can help?

George Doukas from the National Technical University of Athens (NTUA), Greece, highlighted the potential beneficial impact of Cybersecurity Standards in reducing Data breaches. Initially he pointed out the changing phase of Information Security and the rapid pace with which the cyber domain is currently evolving given the increasing level of interconnectedness between physical and virtual systems, people and processes. He referred to the current protection level and the factors that affect it adversely. He stressed the fact that rather than striving for prevention the most effective strategy to mitigate and minimise the effects of a data breach is to build a solid foundation upon which to deploy the cyber security technology stack. Finally, he underlined the benefits of the utility of standards and the necessity of a holistic approach in designing the cyber security defence mechanisms.

Evgenia Nikolouzou from ENISA, presented ENISA’s role and work on the eHealth Domain, starting with the Situational analysis of cybersecurity in eHealth, discussing current and evolving cybersecurity landscape in the sector, the evolving regulatory landscape for cybersecurity in eHealth, in particular the implementation status of the NIS Directive and the Cybersecurity Act / Cybersecurity Certification Framework. Of particular interest to the participants stood out the Cybersecurity Certification Framework, seen as one framework, many schemes, which will be valid across all Member States. The main goals of the new framework were presented: To Address market fragmentation, To Propose a risk-based approach for voluntary certification, To Define assurance levels, and To Define the role for Member States. ENISA mission in cybersecurity certification was precisely described and a very illustrative presentation of all Stakeholders’ interactions leading to Conformity assessment against a particular scheme.

Evgenia Nikolouzou concluded her presentation by discussing ENISA’s on-going activities in eHealth, such as the 2019 report on procurement guidelines for Healthcare organisations, Cyber Europe 2020 and the 5th eHealth Security Conference organised by ENISA in Barcelona.

The session was concluded by a presentation by Yannis Nikoloudakis from the Hellenic Mediterranean University of Crete (HMU), Greece, who presented the Vulnerability Assessment as a Service module (VAaaS), one of the core components that will be developed for the SPHINX project. During the presentation, Mr Nikoloudakis described the current situation, in terms of cybersecurity, in large modern ICT infrastructures and more specifically in Healthcare institutions. He outlined the rapid adoption of novel technologies and paradigms, such as cloud/Edge computing and the Internet of Things (IoT), by such infrastructures, faster than they can be harnessed and maintained, as well as the outstandingly growing numbers of network-enabled devices and services, the vast attack surface they introduce and the difficulties system administrators face wile trying to digitally fortify their infrastructures. He concluded by presenting the opportunists raised by the SPHINX project and the VAaaS service in particular, as well as the benefits it can bring to the Healthcare domain, in terms of cybersecurity.

The workshop’s third session, being essentially a knowledge-management seminar, carried the title “Increased Patient Trust and Safety through the Legal and Technological Toolset” and was focused on the legal cooperation between security and legal professionals. The panel was moderated by Ms. Dimitra Markopoulou (VUB-LSTS) and presentations were made by Vagelis Papakonstantinou and Lina Jasmontaite (VUB-LSTS) and also Philippe Costard (Santhea, Belgium). Professor Vagelis Papakonstantinou discussed the legal and technological toolset available today in the EU, raising the topics of patient trust and security and how best they can be accommodated through legaltech and the legislators’ mentality and methodology. Mr. Philippe Costard presented the practices and lessons learned through Santhea’s approach applied in Belgium and offered useful insight on legal and technological problems that may lie ahead with regard to cybersecurity policies and regulatory provisions. Finally, Ms. Lina Jasmontaite discussed the legal aspects posed by EU personal data protection and cybersecurity law. Her presentation focused on the GDPR and the NIS Directive, offering case studies and practical examples viewed through the lens of applicable legal framework. Ms. Dimitra Markopoulou concluded that better cooperation tools and common understanding between technologists, engineers and lawyers is needed in order to enhance the applicability and relevance of legal provisions and therefore to provide adequate and efficient protection of patients’ rights.

The workshop concluded with a very lively exchange of experiences between several research projects funded by the European Union Horizon 2020 program under the call H2020-SC1-FA-DTS-2018-2020 (Trusted digital solutions and Cybersecurity in Health and Care), namely PANACEA (www.panacearesearch.eu), CUREX (curex-project.eu) and SafeCare (www.safecare-project.eu).

From the SPHINX project, Marco Manso from EDGENEERING, Portugal, presented the initial results of the SPHINX project with respect to the identification of cybersecurity challenges for the healthcare service and health solution providers in today’s digital transformation in healthcare context.
The presentation, named “Application Scenarios and Use Cases for SPHINX”, presented the five main application scenarios considered in the project: digital transformation in healthcare, eHealth and mHealth services and healthcare information sharing, both inter-organizations and cross-border environments.
These application scenarios were then brought to life through by description of two specific use cases, selected from a set of more than twenty that the SPHINX partners already created.
One of the use cases – “Attacking Obsolete Operating Systems” – described a cyber incident that exploited vulnerabilities in outdated IT systems used in hospitals with the sole purpose of disrupting the Institution’s operations. The second use case – “Exploiting Medical Equipment to Steal Exams Results” – addressed a cyber incident exploiting a vulnerability in a medical device with the intention to steal patient data, while also affecting the reputation of the clinic and of the device manufacturer involved.
These use cases are representatives of the pilot cases to be developed in SPHINX in Portugal, Romania and Greece. Marco Manso’s presentation ended with an overview into the three pilot experiments planned for 2020.

All four projects agreed to continue and further extend the current collaboration among them, led by the Coordination Support Action project Secure Hospitals (Securehospitals.eu), into the future, especially since many common problems faced by all projects were discussed among all participants (example: Security by Design and Certification; Secure Information Sharing) although the solutions proposed by each project differ through the application of different approaches and architectures. Since there was a very interesting overlap in the Use Cases analyzed by all four projects, the individual elicitation of requirements will, in the near future, be discussed by all projects in a common technical work session in order to find commonalities and establish a repository to exchange knowledge among all projects.