An EU agency has grappled with thorny issues surrounding the adoption of IoT technology in hospitals to draft a series of best practice guidelines.
The European Union Agency for Network and Information Security (ENISA) study engaged information security officers from more than 10 hospitals across the EU, painting a picture of the smart hospital ICT ecosystem. Security experts at the agency analysed attack scenarios before coming up with a risk-based approach that focuses on relevant threats and vulnerabilities.
Increased risks ranging from ransomware attacks on hospitals' IT systems and DDoS assaults to hackers selling stolen medical data through cybercrime forums show that a change in mentality by hospital IT staff and their managers is required, according to ENISA. Modernisation and innovations such as remote patient care are pushing hospitals towards the adoption of smart solutions. Emerging security and safety issues are sometimes getting overlooked or ignored in this headlong rush.
The introduction of Internet of Things (IoT) components in the hospital ecosystem increases the variety and volume of potential ways hospitals might become vulnerable to cyber-attacks, ENISA warns.
ENISA's recommendations from its report (PDF) centre on a three-point plan.
- Healthcare organisations should provide specific IT security requirements for IoT components. Only state-of-the-art security measures should be applied.
- Smart hospitals should identify assets and how these will be interconnected before drawing up policies and practices.
- Device manufacturers should incorporate security into existing quality assurance systems. Healthcare organisations should be involved in designing systems and services from the very beginning.
ENISA executive director Udo Helmbrecht commented: "Interconnected, decision-making devices offer automation and efficiency in hospitals, making them at the same time vulnerable to malicious actions. ENISA seeks to co-operate with all stakeholders to enhance security and safety in hospitals adopting smart solutions, namely smart hospitals."
Healthcare is moving up on the policy agenda. The adoption of the EU Directive on Security of Network and Information Systems (NIS) covers healthcare organisations. ENISA plans to support EU member states with the introduction of baseline security measures to the critical sectors, focusing on healthcare organisations, from next year onwards. ®