The European Union Agency for Cybersecurity (ENISA) announced this week an online tool that helps healthcare organizations meet cybersecurity objectives when purchasing products or services.
The ENISA online tool aims to assist various stakeholders in the healthcare sector and will complement the existing procurement guidelines for cybersecurity in hospitals that the agency announced in February last year, according to ENISA. As healthcare has become increasingly digital and interconnected, the sector needs to consider cybersecurity as an enabler and as a key factor for ensuring the resilience and availability of key healthcare services.
Cybersecurity needs to be envisaged throughout the procurement lifecycle. IT departments should be involved in procurement activities as the cybersecurity implications in the procurement of any product or service should be well understood and consistently addressed by healthcare organizations, ENISA said.
With the ENISA online tool, healthcare organizations can quickly identify the guidelines that are most relevant to their procurement context, such as assets procured or related threats, and promote the importance of a good procurement process to ensure appropriate security measures. The agency also published a concise version of the procurement guidelines dedicated to the sector in each of the 24 EU official languages.
Users must navigate through the ENISA online tool and gain knowledge on cybersecurity requirements for procurement of services, products and infrastructure in hospitals. Information can be directly used in the request for proposal (RfP) of any related service or product. An RfP is a business document that provides details about a project, outlines the bidding process and contract terms, and guides how the bid should be formatted, in addition to soliciting bids from contractors who will help complete the project.
“Securing eHealth today means ensuring the resilience of the EU’s life support system, the healthcare sector,” said Juhan Lepassaar, executive director at the EU Agency for Cybersecurity. “ENISA is committed to shape the ICT environment needed to prevent cybersecurity incidents and attacks on our healthcare sector.”
The Internet of Medical Things market in Europe alone is expected to grow from 11 billion in 2017 to 40 billion in 2022, while the European medical technology market was estimated at roughly €115 billion in 2017, according to data released by Medtech Europe.
The proliferation of medical technology solutions has changed the information and communications technology (ICT) landscape in healthcare organizations worldwide. Most of the devices are made by different manufacturers, and must effectively communicate with each other to deliver patient care.
The use of smartphones by patients and doctors to access health information, along with the inability of the IT department to apply patches and the usual lack of budget for cybersecurity services and solutions, makes the healthcare sector especially vulnerable to cyberattacks.
ENISA has been focused on maintaining cybersecurity in the healthcare sector. In January, the agency released cybersecurity guidelines to help healthcare organizations further digitalize with cloud services. In its Cloud Security for Healthcare Services report, the agency analyzed the cybersecurity risks of cloud services and offered good practices for their secure integration into the European healthcare sector.
The report's goals are to provide an overview of the applicable EU legislative instruments relevant to cloud services in the healthcare sector, and of the main cybersecurity and data protection challenges arising from the need for secure personal data processing of cloud customers from the healthcare sector.
The European Union NIS Directive has identified ‘hospitals’ as Operators of Essential Services (OES), while cloud providers are Digital Service Providers (DSP), ENISA said. Thus, both hospitals and cloud vendors must comply with the NIS Directive security requirements when contracting for cloud services.
Increased adoption of cloud solutions by healthcare organizations has provided advancements in reliability, availability and scalability of services to remote patients, while also introducing several security and data protection challenges that need to be addressed to accelerate the digitalization of the healthcare sector.
The ENISA report comes as the European Commission is moving forward this year with the European Health Data Space initiative to promote the safe exchange of patients’ data and access to health data.
The changing landscape in the healthcare sector has pushed for greater adoption of regulations, standards and guidelines in various countries and at a regional level, due to the increasing cybersecurity threats to the supply chain, as well as improving cybersecurity and privacy awareness of societies and governments. This gives rise to the need to secure information systems and medical information, and to meet cybersecurity requirements for network-connected medical devices, critical infrastructure protection, and privacy protection.