Healthcare Cybersecurity

Cloud Security for Healthcare Services, ENISA


Executive Summary

The healthcare sector is going through the digitalisation process and continuously adopting new technology to improve patient care, offer new services focusing on patient-at-home care, and reach operational excellence. The integration of new technology in an already complex IT infrastructure opens up new challenges regarding data protection and cybersecurity.

Moreover, the ongoing COVID-19 pandemic has been a further catalyst for cyberattacks on healthcare organisations. Typical examples are phishing attacks that aim to collect user credentials of healthcare professionals and ransomware against hospitals and other Healthcare Organisations (HCO).

At the same time this pandemic stresses the need for remote healthcare services, since the system was overwhelmed in some countries and physical presence was a risk for the spread of the pandemic. In this context, Cloud solutions have provided elasticity and fast access for the deployment of new services including «virtual» health and telemedicine.

This study aims to provide Cloud security practices for the healthcare sector and identify security aspects, including relevant data protection aspects, to be taken into account when procuring Cloud services for the healthcare industry.

The set of general practices aims to help IT professionals in the healthcare security contexts to establish and maintain Cloud security while selecting and deploying appropriate technical and organisational measures. The identification of relevant threats and risks to Cloud services in the healthcare industry and security and data protection requirements are also covered by the scope of this report. Further objectives include the presentation of informative and practiceoriented use cases and their analysis of relevant threats and Cloud security measures.

The overall conclusion derived from the study, is that Cloud integration in the healthcare sector in the EU is still in its infancy. Some healthcare organisations hesitate to adopt Cloud services, because they are challenged by a dense and complex legal basis, and new technologies.

Furthermore, the loss of data governance and processing of personal data in the Cloud makes healthcare organisations hesitant to adopt Cloud services. Other healthcare organisations use PaaS for connecting medical devices with a web-application for remote monitoring of patients or SaaS for documentation and scheduling doctor-patient consultations. Some countries are in the beginning of forming a Government Cloud (G-Cloud) to satisfy such needs. There are also various government managed services such as electronic prescription and electronic health records, which run on government-owned resources, such as private Clouds and state owned datacentres and Clouds.

The study is structured around three use cases, which are the most prominent in using Cloud or to be using in the future, namely Electronic Health Record, Remote Care and Medical Devices. A set of 17 security and data protection measures has been identified to be relevant for ensuring Cloud security and have been assessed based on the use case.


1. INTRODUCTION.

1.1 CONTEXT OF THE REPORT.

The healthcare sector is one of the sectors most vulnerable to cyber attacks. Simultaneously, the digitalisation of the healthcare sector is moving forward, and digital solutions or electronic records continuously replace paper-based processes.

The transformation affects services along the complete healthcare delivery chain, i.e. medication, appointment scheduling, patient records, inpatient and outpatient care as well as inpatient and remote monitoring or selfmanagement. Digitalisation offers new solutions to improve patient care and gain operational excellence in healthcare organisations.

Cloud solutions for healthcare services offer an excellent opportunity to increase operational efficiency, cut costs on IT expenditure and improve cybersecurity and data protection. This is since Cloud service providers have resources such as personnel, knowledge of technology, and the financial means to improve cybersecurity and data protection continuously. These are the same factors that sometimes have proven to hinder advances in the maturity of data protection and cybersecurity at healthcare organisations.

The COVID-19 pandemic has pushed Cloud-based technology usage in the healthcare sector, especially in telemedicine, for patient-doctor consultations and artificial intelligence for triaging purposes. The further integration of Cloud computing services in the healthcare sector also raises security and data protection concerns. This report therefore aims to help ensure Cloud security for healthcare.


1.2 OBJECTIVE

This report's overall objective is to provide the target audience with a set of guidelines to ensure cybersecurity and security of personal data processing when procuring Cloud services for providing healthcare services and a clear understanding of the corresponding responsibilities.

The goals are to provide an overview of the landscape of the applicable EU legislative instruments relevant to Cloud services in the healthcare sector and the main cybersecurity and data protection challenges, relevant to security of personal data processing, of Cloud customers from the healthcare sector.


1.3 SCOPE

The study's scope is Cloud services that support the broader eHealth ecosystem, such as healthcare services and facilities, medical devices and equipment, medical services, or managed care. It is not limited to a specific Cloud architecture, neither deployment nor service model. The study focuses on showing relevant threats, measures, and responsibility by analysing three representative use cases, electronic health record, remote care, and medical devices.

The set of guidelines for Cloud security of healthcare services (output) is primarily for Cloud customers, such as healthcare organisations or medical device manufacturers. The study, investigation, and the output are centred on the European Union and European Free Trade Association (EFTA) member states.


1.4 TARGET AUDIENCE

The target audience of the study’s output acceptable practices for ensuring Cloud security for healthcare services is anyone interested in using Cloud technology in the healthcare sector. The main focus is on Cloud customers in healthcare, primarily:

- IT health professionals (CISO, CIO, IT procurement specialists, and IT-teams in charge of purchasing Cloud services).

- Healthcare professionals in managerial positions seeking advice on whether to procure Cloud services.

The report may be useful to IT professionals from medical device manufacturers and possibly, policymakers and Cloud service providers.


2. HEALTHCARE IN THE CLOUD

2.1 POLICY CONTEXT

Legislation plays an important role in defining cybersecurity requirements and adopting cybersecurity and data protection related measures. In the case of healthcare and the Cloud, the policy landscape at national or European level is still at early stages of development. Very few MS have Cloud-related guidelines specifically for the healthcare sector, simply because if Cloud security guidance is in place, it applies to all critical sectors; all Member States consider healthcare a critical sector.

The general conclusion derived from the desk research and expert interviews shows that MS have a dedicated legislation for healthcare activities (not necessarily covering cybersecurity) and in several cases they adopt cybersecurity guidelines for Cloud computing; there is no case of healthcare and Cloud specific legislation. This corresponds to the assessment of the healthcare sector as critical, thus required to abide by overall cybersecurity legislations and guidelines.

At the same time, identification of requirements deriving from national or European legislation, proves crucial when procuring Cloud services. Some healthcare services, electronic health records for instance, have a separate law entailing security and data protection requirements. And eventually, to some extent the general practices overlap.

The illustration below depicts the legislative situation regarding Cloud security and healthcare. From a legal requirements perspective, we examined four topic-related dimensions: privacy, cybersecurity, Cloud security, and healthcare.



The most relevant legal documents or guidelines at EU level are summarised below.


2.1.1 The Network and Information Security Directive (NISD)

The Network and Information Security Directive (NISD) 2016/1148/EU, which came into force in May 2018, has two main goals: the implementation of minimum security requirements and the establishment of cybersecurity notifications for both Operators of Essential Services and Digital Service Providers.

Healthcare providers, namely hospitals, are identified as Operators of Essential Services in most Member States. At the same time Cloud Service Providers are considered Digital Service Providers. Therefore, both these types of organisations will have to take the Directive and the relevant national law into account when contracting a Cloud service.

The Directive goes beyond implementation of security requirements, as it gives power to the regulatory bodies to audit the Operators of Essential Services to ensure the level of cybersecurity in the organisation is acceptable and as per the provisions of the Directive.

At the same time, the Directive puts in scope specific services which span among the designated essential sectors. In the healthcare ecosystem, this can be translated as cybersecurity requirements for all products so it should be included as a provision in the procurement process.

For the Digital Service Providers, the decision on the details of cybersecurity measures resides with the MS, since the Directive leaves a certain level of flexibility. In the case of Cloud services offered to an operator of essential healthcare service, both parties need to agree on how the legal requirements will be met before reaching a contractual agreement.


2.1.2 General Data Protection Regulation

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It sets the rules for the processing and free movement of personal data and applies to all domains of the public and private sector; however, some specific derogations are defined for data concerning health, aimed at protecting the rights of data subjects and confidentiality of their personal health data and at the same time preserving the benefits of data processing for research and public health purposes.

The GDPR considers health data as a "special category" of personal data which are considered to be sensitive by nature and imposes a higher standard of protection for their processing. Organisations (Data controllers) processing health data have the following obligations (among others):

- to implement appropriate technical and organisational measures to ensure security of the processing systems, services and personal data,

- to perform data protection impact assessment, and

- to report data breaches which are likely to result in a risk to the rights and freedoms of individuals within 72 hours after having become aware of them.

The GDPR expanded the scope of application of EU data protection law requirements to the data processors as well. This means that Cloud service providers, acting as data processors on behalf of the data controller, have obligations as data controllers but their obligations would not necessarily be the same.


2.1.3 Non regulatory guidelines.

Prior to the adoption of GDPR, in 2012, the European Data Protection Supervisor (EDPS) had issued an opinion on the use of Cloud Computing and provided guidance indicating security measures for data protection but also sharing considerations in respect to responsibilities between data processor and data controller. This can be used as a basis for Cloud security requirements solicitation from the healthcare sectors as well.

In 2015, the Joint Action to Support the eHealth Network (JASEHN) issued a report on the use of Cloud computing in health focusing primarily on the secondary use of health data where amongst other explains the responsibility shift between the HCO and the CSP based on the service model (IaaS, PaaS, SaaS etc).

In 2018, the European Data Protection Board (EDPB) and the EDPS issued an opinion specifically for healthcare namely on data protection for eHealth Digital Service Infrastructure compiled under the directive on patients’ rights to cross-border healthcare. Amongst other things, the opinion includes requirements for more secure information exchange (i.e. encryption), secure data storage and that the EC, as data processor, has to clarify the governing rules of the processing.


2.2 CLOUD COMPUTING BASICS.

2.2.1 Cloud Services.

As per previous ENISA publications, the basic types of Cloud services can be explained in the following diagram:



Interpreting the diagram from left to right:

- Infrastructure as a Service: In IaaS, the provider delivers computing resources (virtual hardware), accessible online. The software providing access to the resources is called the hypervisor. Generally speaking there are two types of resources: processing power (including network resources), and (block) storage (memory resources). Examples include Amazon’s Elastic Compute Cloud, Google’s Compute Engine, Amazon Simple Storage Service, Dropbox, Rackspace, etc. Note that object storage services (e.g. Dropbox) are often considered SaaS.

- Platform as a Service: In PaaS, the provider delivers a platform, or more precisely, application servers, for customers to run applications on. PaaS providers sometimes provide a software development tool for the platform. Examples of applications running on these platforms are scripts (PHP, Python, e.g.) or byte code (Java servlets, C#). Examples include Google App engine, Microsoft Azure, Amazon Elastic Beanstalk, etc.

- Software as a Service: In SaaS, the provider delivers full-fledged software or applications, via the internet. Applications range from email servers, document editors, customer relationship management systems, and so on. SaaS services can often be accessed with a browser or a web services client. Note that it is not uncommon for SaaS providers to run their applications on an IaaS or PaaS from another provider. An example is the video streaming site Netflix (SaaS) which runs on Amazon AWS computing services (PaaS/IaaS).

- Facilities denote the physical structures and supplies such as networks, cooling, power, etc.

- Organisation denotes the human resources, the policies and procedures for maintaining the facilities and supporting the delivery of the services.


2.2.2 Cloud Deployment models.

Private Cloud is a model in which one customer has exclusive access to the Cloud infrastructure and computational resources, that can be hosted by the customer itself or a provider, over a private network.

Public Cloud refers to a shared Cloud infrastructure and computational resources that are available and reachable over the public internet.

Hybrid Cloud is a model for a group of users that share the same Cloud infrastructure and the computational resource. The premises may be owned, managed, and operated by one or more of the organisations in the community, a third party, or both. It may exist on the community’s location (on-site) or the third-party’s location (off-site).

Governmental Cloud (g-Cloud) is a Cloud environment where the Cloud infrastructure is owned, governed and run by the government or a state-owned entity using own resources or a selected third-party provider. In addition, the governmental Cloud enables the public body to provide services to public sector stakeholders, to citizens and enterprises. For the purpose of this report, the definition of governmental Cloud is presented based on ENISA’s reports.


2.2.3 Division of responsibilities.

Similarly depending on the service model selected, the responsibilities might lie either on the side of the customer or of the provider; the higher you move in the service stack as a customer the fewer technical responsibilities one has to implement. Note that this diagram is for illustration only and does not provide an exhaustive list of security processes on the provider’s or the customer’s side. In specific settings there may be specific agreements about the outsourcing of security tasks. An IaaS provider, for example, might have a service for patching the Operating System (OS) of customers. Sometimes such services are offered by a third-party (and this is also known as Security-As-A-Service or SECaaS).

At this point, it needs to be stressed that cybersecurity is always a shared responsibility- so regardless of the service model acquired, the customer always has a role in the cybersecurity or privacy requirements adoption.



From the data protection perspective, the definitions and most likely assignment of roles are as follows:

- Data controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” GDPR Art. 4(7).

- Data processor: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” GDPR Art. 4 (7). Depending on the service model (IaaS/PaaS/SaaS), the data processor might be the CSP or the customer. The higher a healthcare organisation moves up the Cloud services stack, the more processing power the Cloud provider has.


2.3 TYPES OF CLOUD SERVICES IN HEALTHCARE.

In the healthcare sector, Cloud solutions exist for different healthcare services and their number is increasing. In this chapter, we provide a non-exhaustive overview of the currently identified Cloud solutions for healthcare systems. These solutions may come in different cloud service types (e.g. SaaS, PaaS etc.) or cloud deployment models. The following descriptions focus primarily on the types of functions and services supported by existing cloud services as opposed to the deployment models and relevant architectures.


3. CYBERSECURITY CONSIDERATIONS IN CLOUD FOR HEALTHCARE.

3.1 CLOUD SECURITY CHALLENGES FOR HEALTHCARE.

In this section, we present the main challenges regarding Cloud security, derived from the input of different experts collected through interviews. Even if the list is not exhaustive, the identified challenges comprise trends and obstacles regarding cybersecurity and data protection of the healthcare sector and the risks from Cloud-based healthcare services.

- Lack of trust of Cloud solutions: Overall, it has become evident that stakeholders in the healthcare sector (patients, physicians, medical staff, and healthcare organisation management) indicated a lack of trust of Cloud solutions. For example, patients' concern for their medical data being stored at the facilities Cloud service provider is often reduced due to the pre-existing relationship of trust between patient and doctor and due to the higher valuation of the patient’s health over data protection and cybersecurity. In the case of medical staff, they tend to be less aware of cybersecurity and data protection.

Therefore, it is a challenge to raise awareness for security-related topics and train in new authentication or identification technology. Also, human resources do nοt need to necessarily understand security and technologies- however they should be aware of the offerings of the Cloud providers in terms of that expertise. Without training and education, the occurrence of human errors and social engineering attacks is more likely.

- Lack of security and technology expertise: Moving the entire IT infrastructure or individual services from on site to the Cloud requires human resources that understand Cloud technologies and the associated security and data protection aspects. These knowledge requirements may not be covered by the same IT personnel responsible for the on-site infrastructure and eventually result in job termination. To migrate back from the Cloud to on-site infrastructure may be more challenging under such circumstances. Furthermore, the demand for Cloud security experts for the healthcare sector is higher than its supply, hindering Cloud computing advancement.

- Cybersecurity investment is not a priority: A lack of healthcare organisation management support or restricted public financing results in less financial support to further promote the digitalisation and to increase cybersecurity and data protection maturity in the healthcare sector.

- Proving regulatory compliance of the CSP: In several cases, Cloud customers have difficulty identifying which Cloud service provider is compliant with their set of legal requirements which sometimes limits their options for CSP collaboration. Assessment by the cloud customer of the Cloud provider’s compliance is rarely possible or only with considerable financial resources. However, many CSPs provide this publicly via their compliance websites, and is often backed up from independent 3rd parties or even, sometimes, through government certification/assurance programs. In the other hand, regulatory requirements are so complex when it comes to healthcare-related data that CSPs do not even include these types of customers in their business model.

- Integration of Cloud with legacy systems difficulties: The integration of Cloud solutions with already existing healthcare organisation infrastructure or connecting several devices in-house and cross border, involves a great challenge and even results in refraining from using Cloud services. Moreover, in most cases, legacy systems are a part of health IT infrastructure. These systems are not supported by updates from their suppliers, which complicates integration and interoperability with new technology. Consequently, this makes these systems vulnerable to cybersecurity attacks. Hybrid deployment models allow a mix of health IT systems to partner with CSP services/solutions to deliver the most customizable needs to health care organisations. At the same time, the cost of deploying extra security features or integrating security elements with the on premise security perimeter is very high.


3.2 DATA PROTECTION CHALLENGES IN THE CLOUD.

Similarly, in this section we present the main data protection-related challenges as derived from interviews with experts focusing mostly on the technical requirements for Cloud services in healthcare:

- Privacy by design techniques: The healthcare provider needs to understand whether the Cloud provider has followed a privacy-by-design approach (both policies and measures) when developing and deploying the service. The GDPR introduces a legal requirement on privacy by design and by default for both data controllers and data processors. Some of the techniques mentioned are minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing and enabling the controller to create and improve security features. Such approaches and strategies can be achieved through the use of particular technologies and policies, such as authentication, attribute-based credentials, secure private communications, anonymity and pseudonymity, statistical disclosure control, privacy preserving computations, and others.

- Data management: Healthcare organisations as authorised parties (after receiving consent) collect, structure and manage patient data. In some cases the information is automatically transferred to the Cloud (i.e. from a medical device) or it is input by a delegated party (i.e. medical practitioner). Depending on the type of service in the Cloud, the input information might be created by a different actor making accuracy of information a great issue. Controls for ensuring data accuracy should be in place, even if performed by third parties. Organisations need to establish their own data governance model/frameworks for understanding what kind of data is the most sensitive and then applying the required level of controls. Another issue to consider is interoperability, specifically for healthcare. This is a sector where Cloud computing brings many benefits due to its flexible range of services.

- Data deletion: It is extremely important to be able to erase data after retention time has expired, but also upon data subject’s request without undue delay. The data subjects can substantiate their requests with one of the grounds foreseen in GDPR, such as when the data is no longer necessary for the initial purpose or when the data subject withdraws consent. Cloud providers have partially addressed the issue of identifying storage areas of chunks of information (data tagging). However, effective deletion of data is still a technical challenge.

- Data portability: This challenge goes hand in hand with vendor lock-in, the most common risk regarding Cloud Computing. Data portability refers to the transfer of one’s data from one provider to another without loss upon their request. For healthcare certain standards are in place (like HL7) to ensure interoperability and thus portability.

- Encryption: One of the most important and at the same time difficult measures to implement is encryption. It is important to ensure secrecy and integrity but it has to be applied in all the different channels of data transfer and storage. Encryption measures need to be implemented at both client and server level but also in the channel that connects them. Responsibility then resides in both the Cloud customer and the Cloud provider and has huge implications from a technical and legal perspective. At the same time, few CSPs share the encryption keys with their customer leaving full control to the provider.


3.3 CYBERSECURITY THREATS.

Following the threat taxonomy of ENISA’s procurement guide (ENISA, 2020), this section shows how the specific cybersecurity in healthcare can have implications for Cloud services.












4. USE CASES.

In this section, three use cases of Cloud services for healthcare are shown, including a reference Cloud architecture, factors to be considered during risk assessment, and risk mitigation measures.


4.1 USE CASE 1 - ELECTRONIC HEALTH RECORD.

An electronic health record (EHR) provides services to a wide range of potential users: patients, doctors, nurses, public health officials, and more. These systems collect, store, manage and transmit sensitive health data such as patients’ contact details, social insurance numbers, medical examinations’ results, pathologies, allergies, diagnosis, and treatment plan.

Healthcare professionals are provided with an overview of the history and the status of the patients’ health and can access it if needed from pre-defined terminals within the healthcare provider’s premises. After each examination or consultation, patient records are updated with the latest data by the treating doctor or nurse either by scanning paper-based documents or manually diagnosing and treatment plans.

Paper-based documents containing patient data are increasingly replaced with EHR in many countries, allowing health information to be shared in an easy-to-use and standardised way between different stakeholders such as healthcare professionals and patients. Solutions in this area often involve the use of Cloud computing resources or partially Cloud-based components. Patients can access and manage their EHR through a patient portal, which is usually integrated into Cloud solutions.



ASSESSING CYBERSECURITY RISK IMPACT.

When conducting a risk assessment for similar use cases, healthcare organisations should take into account the possible impact of a cybersecurity incident on confidentiality (e.g. data breach leading to exposed patient data), integrity (e.g. alteration of important patient data) or availability (e.g. timely access to patient data during emergency treatment). This would allow the healthcare organisation to assign an appropriate quantitative or qualitative value to the risk impact depending on the specific risk assessment methodology used. A brief description of factors to be considered for risk impact assessment is listed below:



ASSESSING RISK LIKELIHOOD.

The table below describes how the main Cloud security threats may be relevant for the reference Cloud architecture and the specific use case. Healthcare organisations should use the information below when assessing the likelihood of a cybersecurity risk. It should however be noted that the descriptions below only refer to the described use case and additional factors related to the operational context of the healthcare organisation should be considered before determining the risk likelihood.




CONCLUSION.

For a number of years healthcare organisations have been contemplating moving part of their ICT infrastructure and services to the Cloud. Over this period, a number of healthcare-specific solutions have been developed using a variety of service models and deployment models fit for purpose. The on-going pandemic has further highlighted the importance of certain healthcare services that could benefit significantly from a move to the Cloud.

The potential improvements in availability, scalability and reliability of services such as telemedicine, wider deployment and use of EHR and medical devices for remote patient care come on top of the cybersecurity, economic and efficiency benefits Cloud services can bring to healthcare organisations.

Yet, the level of adoption of Cloud services in healthcare remains low and generally limited to administrative processes. A number of factors contribute to this, including lack of trust in Cloud services, lack of expertise, compliance requirements, particularly in relation to data protection, and more.

This report aims to help healthcare organisations in taking the next step towards further adoption of Cloud services. Built around three standard use cases of Cloud services in a healthcare context, this report highlights the main factors to be considered from a cybersecurity and data protection standpoint when assessing the relevant risks.

The factors can be used in any risk assessment methodology that the healthcare organisations are currently using. Moreover, the report proposes a set of security measures for healthcare organisations to implement when planning their move to Cloud services.

These measures cover both cybersecurity and data protection aspects and are linked to the procurement guidelines for healthcare organisations previously published by ENISA. While this report is a step towards supporting healthcare organisations in taking the next step towards Cloud services it is not enough on its own.

Healthcare organisations would require additional support, such as specific guidance from national and EU authorities, industry standards on Cloud security, especially in a healthcare context, clear guidelines from Data Protection Authorities on moving healthcare data to the Cloud and collaboration with Cloud service providers and medical device manufacturers to develop suitable Cloud solutions.