Académique Documents
Professionnel Documents
Culture Documents
Key findings
Dimitra Liveri, Ilias Bakatsis, Athanasios Drougkas| ENISA
2nd eHealth Security Workshop| Vienna | 23rd November
European Union Agency For Network And Information Security
2016: ENISA work to secure Smart
Hospitals
Objectives
• Improve security and resilience of
hospitals information systems
• Identify common cyber security
threats and challenges and,
• Present mitigation measures to
address them
• Support pilots in hospitals across the
EU
• Target Audience
- Healthcare Providers / Hospitals – CIOs/CISOs etc.
- Industry stakeholders
- Policy Makers
Responders :
• Methodology
1. Hospital CISO/CIO (“user side”)
- Desktop research
- Interviews with hospitals’ CISOs 2. Industry representatives
- Online survey 3. Policy makers
3
Towards a definition
”
introduce new capabilities
4
Why Hospitals are becoming “Smart”
5
Threats based approach
Recom
Vulnera Attack Good Initial
Assets Threats mendat
bilities scenarios practices findings
ions
6
Identification of Smart Assets in
Hospitals
7
Assessing the criticality of smart
assets
INTERCONNECTED CLINICAL INFORMATION SYSTEMS 67%
DATA 30%
BUILDINGS 10%
8
Vulnerabilities of Smart Hospitals
• Interconnection between devices/systems, some times even automatic
• Communication between devices and legacy systems creates gaps
• Physical security impossible for all components
• Impossible to virtually patch all devices
• Life span of medical devices
• Little malware detection or prevention capabilities
• No clear way to alert the user when a security problem arises
• Access control difficult to implement
• Usability issues cause circumventions of set policies
• Use of personal devices non compliant to security policies
• Lack of compliance with organisational or industry standards
• Users behaviour
• Lack of proper configuration management process
9
Threats mind map
10
Attack scenarios
12
Open Issues
14
Recommendations for Industry
15
Thank you
resilience@enisa.europa.eu
eHealthSecurity@enisa.europa.eu
https://www.enisa.europa.eu/scada
www.enisa.europa.eu/internetcii