HEIR will design and deploy an Electronic Medical Devices Cybersecurity Framework that facilitates intelligent threat identification and hunting services, leading to the delivery of the envisioned Risk Assessment of Medical Applications (RAMA). The outcome of these analyses will be available to the IT personnel responsible for the medical devices. Moreover, the RAMA client software will submit anonymized statistical data to a central server hosting the envisioned Observatory for the Security of Electronic Medical Devices (OSEMD). The Observatory will provide statistics for each threat identified in the EMD Risk Index Score through advanced visualization tools. Medical IT personnel and hospital managers will therefore be able to measure how well their specific hospital or medical center performs compared to the average aggregated mean scores. The client will flag outlier values to medical IT personnel, highlight issues that require action and suggest possible solutions to improve the RAMA score and minimize risk. This information will be available via the RAMA client to medical IT personnel only. OSEMD will be a web-based platform accessible to stakeholders, scientists, researchers, hospital managers, medical IT personnel, public servants, law enforcement agents, legislators, CERTs and CSIRTs. It will comprise an intelligent knowledge base and interactive visualization tools, and its focus will be on depicting the landscape of cyberthreats for electronic medical devices, detailed cybersecurity assurance statuses, and their evolution over time. It will provide insights into the sectors that require further attention and raise awareness across the health services ecosystem. Finally, it will regularly publish best practices and recommendations based on the analysis of the collected data.
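To make the RAMA/OSEMD flow above concrete, the following is an added illustration and not HEIR project code: it scores a constructed inventory of devices against the vulnerability classes the page names (default or missing passwords, unencrypted traffic, obsolete cryptography, unsupported operating systems, outdated software), builds the anonymized aggregate a client would submit, and compares the facility's index against constructed peer indices from the observatory to flag it as an outlier. The weights, the field names, the action texts and all sample values are assumptions made for this example; the real EMD Risk Index Score is not defined on this page.

```python
"""Hypothetical RAMA-style risk index with an OSEMD-style peer comparison.

Added example: weights, device attributes, sample devices and peer scores are
all constructed assumptions, not HEIR's actual scoring scheme.
"""
from dataclasses import dataclass, fields
from statistics import mean, pstdev


@dataclass
class Device:
    name: str
    default_or_no_password: bool   # default, weak or absent remote-access password
    unencrypted_traffic: bool      # cleartext protocols on the network
    obsolete_crypto: bool          # obsolete or insecure cryptographic algorithms
    unsupported_os: bool           # operating system past vendor support
    outdated_software: bool        # unmanaged, unpatched application software


# Hypothetical weights per vulnerability class (higher = more serious).
WEIGHTS = {
    "default_or_no_password": 3,
    "unencrypted_traffic": 2,
    "obsolete_crypto": 2,
    "unsupported_os": 3,
    "outdated_software": 1,
}
MAX_SCORE = sum(WEIGHTS.values())

# Hypothetical remediation themes, one per finding class.
ACTIONS = {
    "default_or_no_password": "replace default credentials; enforce unique remote-access passwords",
    "unencrypted_traffic": "enable encrypted transport or segment the device onto an isolated VLAN",
    "obsolete_crypto": "retire obsolete cipher suites via firmware update or compensating controls",
    "unsupported_os": "upgrade the OS or compensate with segmentation and monitoring",
    "outdated_software": "apply vendor patches under the device management process",
}


def device_risk(dev: Device) -> float:
    """Weighted share of the maximum risk: 0.0 (no findings) to 1.0 (all findings)."""
    raw = sum(w for field, w in WEIGHTS.items() if getattr(dev, field))
    return raw / MAX_SCORE


def facility_risk_index(devices: list[Device]) -> float:
    """Facility-level index: mean device risk (the value RAMA would hold locally)."""
    return mean(device_risk(d) for d in devices)


def anonymized_report(devices: list[Device]) -> dict:
    """What the client submits upstream: counts and an index, never device names."""
    return {
        "device_count": len(devices),
        "risk_index": round(facility_risk_index(devices), 3),
        "finding_counts": {f: sum(getattr(d, f) for d in devices) for f in WEIGHTS},
    }


def compare_to_observatory(local_index: float, peer_indices: list[float],
                           z_threshold: float = 1.0) -> dict:
    """Flag the local facility as an outlier against the aggregated peer mean."""
    mu = mean(peer_indices)
    sigma = pstdev(peer_indices)
    z = 0.0 if sigma == 0 else (local_index - mu) / sigma
    return {"peer_mean": mu, "z_score": z, "outlier": z > z_threshold}


def suggest_actions(devices: list[Device]) -> list[str]:
    """Remediation themes for every finding class present in the inventory."""
    return [ACTIONS[f] for f in WEIGHTS if any(getattr(d, f) for d in devices)]


# Constructed inventory for one hospital (sample data, not real devices).
HOSPITAL_DEVICES = [
    Device("infusion_pump_07", True, True, False, True, True),
    Device("mri_console_01", False, False, True, True, False),
    Device("patient_monitor_12", False, False, False, False, True),
    Device("lab_analyzer_03", True, True, False, False, False),
]

# Constructed risk indices of peer facilities as aggregated by the observatory.
PEER_INDICES = [0.20, 0.25, 0.30, 0.35, 0.15]


if __name__ == "__main__":
    report = anonymized_report(HOSPITAL_DEVICES)
    verdict = compare_to_observatory(report["risk_index"], PEER_INDICES)
    print("submitted:", report)
    print("observatory comparison:", verdict)
    for action in suggest_actions(HOSPITAL_DEVICES):
        print(" -", action)
```

The comparison uses a simple z-score against the peer mean; a real observatory would also need enough peers per device category for the mean to be meaningful, and the client-side report deliberately contains only aggregate counts so that nothing device-identifying leaves the facility.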
The need for HEIR, a holistic cyber-intelligence platform for a secure healthcare environment
The health sector is steadily becoming the de facto target for cyberattacks. According to an ENISA report from the end of 2018, cybersecurity incidents have shown that the healthcare sector is one of the most vulnerable. Electronic Medical Devices (EMD) in particular suffer from numerous and multi-layered vulnerabilities. Default, weak or missing password authentication for remote connections, unencrypted traffic, obsolete and insecure cryptographic algorithms, unsupported operating systems, and outdated, unmanaged and vulnerable software are among the most serious problems that jeopardize both their smooth operation and the data they aggregate and store.
According to the Ponemon Institute, “healthcare organizations are in the cross hairs of cyber attackers” whose attacks grow increasingly frequent. Its report showed that, on average, US healthcare facilities had been victims of one cyber-attack per month over the preceding 12 months and that half of them “have experienced the loss or exposure of patient information during this same period (26% of the other half is unsure)”. This phenomenon can be explained by the combination of two factors: (i) the high value of healthcare facilities’ assets and (ii) the ease with which they can be compromised.
Kimar states that medical data is 10-20 times more valuable than financial data, since healthcare records can continue to be exploited (for ransom, tax or insurance fraud, drug prescriptions, etc.) even after the security breach that exposed them has been resolved. At the same time, according to KPMG (2015), “the healthcare industry is behind other industries in protecting its infrastructure” and its data.
The problem is further exacerbated by the ever-increasing value of the health sector: “In 2015 healthcare spending accounted for 8.7 % of GDP in the EU. It could reach up to 12.6 % of GDP in 2060”, which makes it an even more tempting target for miscreants.
The European Commission has identified three challenges related to healthcare systems:
- citizens' secure access to electronic health records and the possibility to share these across borders
- supporting data infrastructure to advance research, prevent disease and personalize health and care in key areas
- facilitating feedback and interaction between patients and healthcare providers, enhancing disease prevention and empowering people to take responsibility for the management of their health
The HEIR consortium believes that security cannot be addressed from an isolated viewpoint. In compliance with the above-mentioned regulations and directives, HEIR will therefore contribute to the recognition that a single electronic medical device, network or system will need to implement security features that originate from multiple regulatory frameworks (MDR, GDPR, ENISA, NIS, etc.). To boost the overall level of digital health security in Europe, HEIR will attempt to set up a broad European network for establishing good security practice across all regulatory frameworks, reducing market access limitations, conflicting requirements and unnecessary administrative burdens.