Procurement Guidelines for Cybersecurity in Hospitals, ENISA

Executive Summary.

As cybersecurity becomes more of a priority for hospitals, it is essential that it is integrated holistically in the different processes, components and stages influencing the healthcare ICT ecosystem. Procurement is a key process shaping the ICT environment of modern hospitals and, as such, should be at the forefront when it comes to meeting cybersecurity objectives.

This report aims to provide hospital procurement officers and CISOs/CIOs with a comprehensive set of tools and good practices that can be adapted to the hospitals’ procurement process in order to ensure that cybersecurity objectives are met. In this context, the report maps good practices in three distinct phases comprising the procurement lifecycle, namely plan, source and manage. Indeed, cybersecurity considerations are relevant for all three phases and this report offers an easy-to-use guide for hospitals to improve their procurement process from a cybersecurity perspective.

This report provides the context for addressing cybersecurity in procurement by defining the three procurement phases, identifying 10 types of procurement (assets, products, services etc.) for which cybersecurity considerations are relevant, lists industry standards with cybersecurity aspects relevant to these types of procurement and highlights the main respective cybersecurity challenges. A threat taxonomy and a list of key risks associated with procurement are also presented. All this information is accompanied by quick guides providing insights as to how hospitals can use it in their procurement process.

The report concludes with a comprehensive set of good practices (GP) for cybersecurity in procurement. These good practices can be general practices applicable throughout the procurement lifecycle or may be relevant to individual procurement phases. All good practices are linked to types of procurement for which they are relevant and to threats which they can mitigate, providing an easy to filter set of practices for hospitals who want to focus on particular aspects. Overall, hospitals are encouraged to adopt these good practices for cybersecurity in procurement:

1.General practices:

1.1. Involve the IT department in procurement,

1.2. Vulnerability management,

1.3. Develop a policy for hardware and software updates,

1.4. Secure wireless communication,

1.5. Establish testing policies,

1.6. Establish Business Continuity plans,

1.7. Consider interoperability issues,

1.8. Allow auditing and logging,

1.9. Use encryption.

2. Plan phase:

2.1. Conduct risk assessment,

2.2. Plan requirements in advance,

2.3. Identify threats,

2.4. Segregate network,

2.5. Establish eligibility criteria for suppliers,

2.6. Create dedicated RfP for cloud.

3. Source phase:

3.1. Require certification,

3.2. Conduct DPIA,

3.3. Address legacy systems,

3.4. Provide cybersecurity training,

3.5. Develop incident response plans,

3.6. Involve supplier in incident management,

3.7. Organise maintenance operations,

3.8. Secure remote access,

3.9. Require patching.

4. Manage phase:

4.1. Raise cybersecurity awareness,

4.2. Perform asset inventory and configuration management,

4.3. Dedicated access control mechanisms for medical device facilities,

4.4. Schedule penetration testing frequently or after a change in the architecture/ system.

1. INTRODUCTION.

Healthcare is becoming increasingly connected, as medical technology companies currently manufacture more than 500,000 different types of medical devices, such as wearables, implantable and stationary medical devices. The Internet of Medical Things market in Europe alone is expected to grow from 11 billion in 2017 to 40 billion in 2022, while the European medical technology market was estimated at roughly 115 billion in 2017.

At the same time, a study showed that U.S. hospitals had, on average, between 10 and 15 connected devices per bed, exemplifying how the proliferation of medical technology solutions has completely changed the ICT landscape in healthcare organisations worldwide. All these devices are made by different manufacturers, and all must effectively communicate with each other to deliver patient care.

The increasing interconnection of medical devices and the use of remote connections for their maintenance; the need to continuously monitor the patients -even the ones out of the hospital; the use of smartphones to access health information by patients and doctors; along with the inability of the information technology (IT) department to apply patches and the usual lack of budget for cybersecurity services and solutions, make the healthcare sector especially vulnerable. Cybersecurity should be considered in the early days of purchasing assets (infrastructure, software, systems, devices etc.) for healthcare organisations.

1.1 OBJECTIVES.

This study focuses on one part of the vast healthcare ecosystem: the hospital. The hospital is considered as a collection of assets (infrastructure, software, systems, devices etc.), and cybersecurity should be explicitly addressed in all its different components. Overall, the objective of this study, is to provide healthcare professionals in hospitals with guidelines on how to improve their procurement process to meet cybersecurity objectives.

These guidelines cover multiple topics and range from good organisational practices for the healthcare organisations themselves, up to what information to request from suppliers as cybersecurity “evidences” when procuring systems and services.

1.2 SCOPE.

The scope of this study is on hospitals: the most complex and critical healthcare organisations and the main stakeholder for procurement. Also hospitals often face lack of resources, so this report aims at being a “guidebook” for healthcare professionals. Many of the practices and recommendations will be useful to other healthcare organisations as well, as procurement processes can be very similar. The procurement guidelines proposed in this report cover the entire procurement scope of healthcare organisations that can potentially impact cybersecurity.

1.3 TARGET AUDIENCE.

This report is addressed to healthcare professionals occupying technical positions in hospitals, i.e. Chief-level executives: CIO, CISO, CTO, IT teams as well as procurement officers in healthcare organisations.

This report may be of interest to manufacturers of medical devices that provide products to hospitals; in this case products can be (but are not limited to) medical devices, clinical information systems, networking equipment, cloud services, etc. When these manufacturers offer services or products, they will know the security requirements that the hospital expects them to fulfil and they can provide evidence to prove it.

1.4 METHODOLOGY.

Information presented in this report is the result of analysis of data received through a series of interviews. The interviews were conducted with subject matter experts from hospitals, policy makers or regulators (ministries of health), medical device manufacturers and cybersecurity experts with a focus in healthcare. The report was validated by the experts participating in the survey/interviews, as well as with the ENISA eHealth Security Experts Group.

This methodology enabled ENISA to engage actively with the interested stakeholders and:

- identify the types of procurement and corresponding assets with relevance to the hospitals’ cybersecurity objectives,

- identify possible threats, risks and challenges related to procurement in hospital organisations,

- list good practices related to healthcare procurement in order to meet cybersecurity objectives, and

- map the proposed good practices to types of procurement for which they may be used and to threats for which they are relevant.

1.5 POLICY CONTEXT.

1.5.1 European Policy.

Legislation plays a major role in defining the cybersecurity requirements that should be described in the technical specifications when obtaining products and services in a hospital. Some of the most prominent are presented below:

1.5.1.1 The Network and Information Security Directive (NISD).

The Network and Information Security Directive (NISD) 2016/1148/EU, which came into force in May 2018, has two main goals: the implementation of minimum security requirements and the establishment of cybersecurity notifications for both Operators of Essential Services and Digital Service Providers. Healthcare providers, namely hospitals, are identified as Operators of Essential Services in most Member States. Therefore, these organizations will have to take into account the Directive and the respective national law when contracting a product or service.

The Directive goes beyond implementation of security requirements, as it gives power to the regulatory bodies to audit the Operators of Essential Services to ensure the level of cybersecurity in the organization is acceptable and as per the provisions of the Directive. In the hospital ecosystems, this can be translated as cybersecurity requirements for all the products so it should be included as a provision in the procurement process. One vulnerable device/system/service can result into great cybersecurity impact for the hospital as an operator of essential service.

1.5.1.2 Medical Device Regulation (MDR).

The Medical Device Regulation (MDR) is a new regulation that includes specific provisions related to the IT security (hardware, software etc.) for all medical devices. The General Safety and Performance Requirements defined within the MDR (Medical Devices/SW) include:

- repeatability, reliability and performance according to the intended use,

- the principles of development life cycle, risk management, verification and validation,

- the use of software in combination with mobile computing platforms,

- IT security measures, including protection against unauthorised access.

The Medical Device Coordination Group (MDCG) published the Guidance on Cybersecurity for medical devices in December 2019 in order to provide manufacturers with guidance on how to fulfil all the relevant essential requirements of the MDR. These cybersecurity requirements, listed in Annex I of the Medical Devices Regulations, deal with both pre-market and post-market aspects. The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission. The MDCG provides advice to the Commission and assists the Commission and the Member States in ensuring a harmonised implementation of medical devices Regulations.

1.5.1.3 General Data Protection Regulation (GDPR).

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It sets the rules for the processing and free movement of personal data and applies to all domains of the public and private sector; however, some specific derogations are defined for data concerning health, aiming at protecting the rights of data subjects and confidentiality of their personal health data and at the same time preserving the benefits of data processing for research and public health purposes.

GDPR treats health data as a "special category" of personal data which are considered to be sensitive by nature and imposes a higher standard of protection for their process. Organizations processing health data have the following obligations (among others):

- to implement appropriate technical and organisational measures to ensure security of the processing systems, services and personal data,

- to perform data protection impact assessment, and

- to report data breaches which are likely to result in a risk to the rights and freedoms of individuals within 72 hours after having become aware of.

Article 4 (12) of the GDPR defines a “personal data breach” as a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; It has to be noted that if a data breach incident impacts the continuity of the health services as well, then it has to be reported according to the NIS Directive.

1.5.2 International Policy.

1.5.2.1 Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This Act required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

1.5.2.2 FDA Guidance for cybersecurity.

This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should address in the design and development of their medical devices as well as in preparing premarket submissions for those devices. If a manufacturer would aim for internal markets, then the device should comply with both European and international law.

2. PROCUREMENT IN HOSPITALS.

2.1 PROCUREMENT PROCESS.

Understand where cybersecurity fits in the different phases of the procurement lifecycle. This section indicates what cybersecurity considerations should be addressed when planning procurement, in the source process and in the post-sales/manage phases.

Since the hospital ecosystem is comprised by several IT components, cybersecurity should be examined separately in all these different components. Cybersecurity should be part of all different stages of the procurement process. In this section, we present the common stages of the procurement process for obtaining products and services (including medical devices, information systems and infrastructures), together with some considerations as per each stage of the process.

- Plan phase: Initially, the hospital analyses its needs and collects requirements from several divisions internally. For example, in the case of obtaining a new cloud service, the CTO should identify the needs and understand what kind of usability this service will offer.

- Source phase: Afterwards, the requirements are translated into technical specifications and, in collaboration with the procurement office, the sourcing process begins (e.g., a tender is published). The hospital receives the designated offers, the committee (including the CTO/ CISO or and member of the IT team) evaluates the offers and selects the most appropriate products. Negotiations are conducted with the contractor and the contract is awarded.

- Manage phase: Finally, the contract (management and monitoring) is assigned to the business owner within the hospital. The assigned officer is responsible for closing the tender and receiving any feedback from users on the actual performance of the equipment/system/service.

Throughout the different phases of the procurement lifecycle, the hospital should ensure cybersecurity is considered as a requirement for the product/service to be procured. Relevant considerations may include:

- Plan phase: The cybersecurity risks associated with a new procurement are assessed and specific cybersecurity requirements for the new procurement are defined.

- Source phase: Cybersecurity requirements are translated into technical specifications and product security features and supplier responsibilities for cybersecurity aspects are clarified and included in the contracts.

- Manage phase: Cybersecurity aspects, such as incidents and new vulnerabilities are continuously monitored and corrective measures, such as patching are applied to maintain a high level of security. Similarly, at the end of the products lifecycle, secure disposal is required for privacy reasons as devices have patient information stored.

2.2 TYPES OF PROCUREMENT.

Cybersecurity considerations are relevant for a number of different types of procurement. Consult the following list to understand if the specific type of procurement you are planning/managing has possible cybersecurity implications that should be addressed.

As discussed throughout this document, the hospital is an ecosystem comprised by several components and cybersecurity should be a priority for all these different components. In this chapter we created a taxonomy to categorise the types of procurement and eventually investigate how cybersecurity is addressed in each type.

2.3 RELEVANT INDUSTRY STANDARDS AND GUIDELINES.

There already exist a number of regulations, international standards and good practices on healthcare systems, products and services that include cybersecurity baselines. Consult the mapping in this section to see if a relevant industry standard is available for the specific type of procurement you are planning/managing.

There are several international standards and good practices in the market related with healthcare procurement. The following section lists existing standards and protocols that directly, or indirectly, have a relation to procurement.

An industry standard very relevant to cybersecurity and procurement is the Manufacturer Disclosure Statement for Medical Device Security (MDS2). The MDS2 form provides medical device manufacturers with a means of disclosing the security-related features of their medical devices. The MDS2 form provides a set of medical device security questions and allows for comparison of security features across different devices and different manufacturers.

As of today, ISO is developing more than 25 new standards in Medical Informatics, some of the most interesting being:

- ISO/DTR 22696 Health informatics — Guidance for identification and authentication for connectable personal healthcare devices,

- ISO/DTR 21332 Health informatics — Cloud computing considerations for health information systems security and privacy,

- ISO/WD 13131 Health informatics — Telehealth services — Quality planning guidelines,

- ISO/AWI 22697 Health informatics — Application of privacy management to personal health information.

2.4 CYBERSECURITY CHALLENGES.

Many systems, products or services procured by hospitals introduce or are characterised by significant cybersecurity challenges. Consult this section for a list of the key relevant challenges and identify what are the major challenges associated with the specific type of procurement you are planning/managing. Work jointly with your IT, security or risk departments to identify the best ways to address the relevant challenges.

According to the answers from the interviews with the stakeholders, the most challenging type of procurement was “Medical Devices” (100% of the answers) followed by “Industrial Control Systems” and “Clinical Information Systems”. As one interviewee pointed out, the most challenging threats are normally associated with procurements for which the IT department is not typically involved.

Other interesting challenges not included in the list but pointed out by the stakeholders were “Maintenance Services” and challenges associated with free software handed over by some medical suppliers.

Based on the feedback from the interviews with the stakeholders, several key challenges associated with procurement in healthcare organisations were identified. These challenges have been grouped based on the previously defined types of procurement.

Clinical Information Systems.

- Component vulnerability: Information systems in healthcare organisations are usually made of different pieces from different suppliers. Besides that, these systems interact and share files and data, so a vulnerability of one component can affect others.

- Increasing interoperability: Software specialization, and new trends as big data, analytics, create the need of sharing patient data between different systems. This process needs to be done in a secure way, using appropriate protocols and transmitting only the required data to only the right receiver.

- Full continuous operation: Healthcare organisations usually operate 24x7, and resources are scarce, so stopping a modality or even a desktop computer can impact seriously the service. When an incident is detected, it is sometimes really difficult to isolate the equipment, and thus this make propagation easier. In such cases the procurement process should require from providers contingency plans and redundancy.

Medical devices.

- Manufacturing processes: Although this topic has been traditionally strictly controlled by medical device suppliers, actually it is very common to have third-party suppliers of software and electronics in their supply chain. This introduces new challenges for manufacturers: they need not only to check materials, durability, or sterilization, they now have to test software and electronics to ensure they are robust and secure before putting the device into the market.

- Rented equipment: Especially when considering expensive healthcare equipment, it is common to rent devices that could have been previously used by other healthcare organisations, and often come with default set up. Procurement of rental services should establish measures to avoid risks of this practice.

- Legacy devices: Medical equipment usually is very expensive; these devices are expected to be in service for many years. Due to this long life cycle, buyers can sometimes have difficulties in getting maintenance support from manufacturers. For this reason, vulnerabilities cannot always be corrected, and thus can be exploited through cyberattacks.

- Hidden functionalities: Medical equipment is always complex to manage and set up. Neither doctors nor the IT department are usually trained on new equipment. The habitual action is to leave this equipment in a standard setup, so preventing default passwords and ensure that unknown functionalities are not activated is another challenge in these environments. Devices can have operative procedures implemented (e.g. requests for date/time, communication of technical & service data to the manufacturer, requests for maintenance, automatic updates etc.) unknown to the buyer that could trigger security alerts on the IPS system of the hospital. That interconnectivity opens up an array of opportunities for malicious individuals to gain access to the organization’s IT infrastructure.

- Updates / Lifecycle management: The most recent devices have usually the functionality of being operated remotely. This allows the providers to reduce maintenance costs and perform other operations. But these cases, if ignored or neglected, can result in back doors in the organisation because they are often set up without knowledge of the IT department.

Building Management Systems – Industrial Control Systems.

- IT/OT hybrid solutions: Hybrid solutions make possible the convergence between digital and physical worlds, ranging from smart buildings to digital twins, and including for example real time location systems for patients and valuable assets, hospital laundries, pharmacy systems, or surgery blocks. Of course, this opens a new scenario for threats and risks that healthcare organisations should deal with.

Networking.

- Unprotected protocols: As in other sectors, protocols have been designed with the use cases in mind but ignoring abuse cases. On the other hand, health data is very persistent: a data leakage could have permanent impact in patients. Improving the security of protocols used to exchange patient data is crucial.

Professional services.

- Human factors: Users’ awareness allows healthcare organisations to improve their level of protection almost exponentially. In healthcare, nonetheless, the pressure and the need of providing urgent health care sometimes makes more likely for a user to relax good practices in cybersecurity to provide health care to patients.

- Patient safety: In healthcare organisations there are two specific conditions that make information systems different from the rest of the IS:

(1) Patient data is permanent, cannot be changed if privacy is broken (as you could do with your credit card number for example); and

(2) cyberattacks can become physical and cost human lives.

Clinicians work hard to improve patient safety and medical devices and IT services must be considered another layer in patient safety. This should be the key in the procurement phase specific cybersecurity requirements.

3. CYBERSECURITY IN PROCUREMENT.

3.1 THREAT TAXONOMY.

Different types of procurement are associated with various threats to a hospital's ICT environment. Consult the threat taxonomy presented in this section together with your IT, security or risk department to identify which threats are most relevant to your organisation. This activity should be part of the IT tasks in the hospital regardless of the procurement potential. You can then prioritise the good procurement practices presented in Chapter 4 that can mitigate the identified threats.

Threat sources are the other risk factors that must be taken into consideration when analysing risk. A threat source is characterized as:

(i) the intent and method targeted at the exploitation of a vulnerability; or

(ii) a situation and method that may accidentally exploit a vulnerability.

Some examples of threat sources are: an individual, an organization, a customer, hack activist, a user, a privileged user/administrator, failure of a storage device, failure of a temperature control, failure of an operating system, fire. Keep in mind that the list of threat sources is quite large. Previously referenced NIST Special Publication 800-30 Guide for Conducting Risk Assessments appendix D, contains table D-2 with a useful taxonomy of threat sources.

Based on the last ENISA reports on Smart Hospitals (2016) and the 2018 threat landscape report this study analyses the top cyber threats with a specific focus in healthcare ( for example medjacking and medical equipment threats).

3.1.1 Natural phenomena.

Fire, floods or earthquakes are infrequent but possible threats for the infrastructure and overall equipment (devices, network components etc.). Habitually, computerized tomography scan machines, magnetic resonance imaging equipment, radiotherapy equipment and other highly expensive devices are usually located in the ground floor or at the basement of the hospitals -either by regulatory laws or just because their weight and dimensions- and are specially affected by this type of phenomena. It should be noted, that failures due to floods or fires i.e. broken pipe flooding the basement of a patient room can have different impact than a disaster due to natural phenomena (wildfire, storm, tsunami etc.) and eventually could affect the whole hospital and its surrounding or supply chain provider.

3.1.2 Supply chain failure.

Cloud Services provider failure.

Not all services are hosted in hospital servers. Accounting, salaries, stock control may be outsourced and depend on third party cloud services. Nearly all of the personal IoT medical devices work in the cloud. In fact, some hospitals -especially regional or small associated centres-, can have their entire electronic health record system located in other site. These services, if not adequately backed up to work off-line, may cause severe disruptions in the provision of medical services.

Network provider failure.

A network failure can have devastating effects. Most of the main hospital centres form a hub between the main building and its associated centres -mostly radiology or ambulatory or day-care centres-. Redundancy and topology design are crucial when mitigating this type of threat.

Power supply failure.

Loss of electricity can be of importance depending of the equipment affected. Intensive care units, operative rooms, servers and clients are usually protected by uninterruptible power sources or batteries but other equipment such as MRI or CT machines can be compromised.

Medical device manufacturer failure / non-liability.

All medical devices can have design errors in their systems. These latent errors may arise under certain circumstances during the normal use of the device. Most of the times, these errors are known and cannot be mitigated because the device does not allow for updates. If the manufacturers who make this equipment are acquired by larger companies or run out of business there may be problems with device updates or repairs. Also, security information shared with third parties can be compromised.

3.1.3 Human errors.

Medical system configuration error.

Not changing factory-default passwords is one of the most common errors that gives attackers access to the devices once they have gained access to the network. Other errors of this kind can be, for example, to configure our device to allow incoming connections from any address or communicate using non-encrypted protocols.

Absence of audit logs.

Logs are a crucial part of the secure-test-analyse-improve strategy of security. If we assume that sooner or later our system will be compromised, logs are one of the most useful tools that we can use to trace back how attackers gained access to our system. We can also evaluate how much information was compromised. Keeping the logs secure is one of the most important tasks of security, although its absence does not compromise already implemented security.

In some circumstances logs may be a legal requirement for normal operation of the system (e.g. access to medical history).

Unauthorised access control / lack or processes.

Due to the variety of roles in a hospital (i.e. physicians, caregivers, administration) access control procedures should be in place. As the priority to all hospital staff is care, workarounds are often the case when it comes to access control (including all types of access control from buildings to systems and accounts). This poses great threats to the hospital interconnected environment.

Non-compliance (BYOD).

Today’s employees want the freedom to work from any location and any device at any time of day. These individuals are increasingly using their personal mobile devices to undertake work tasks. From a business perspective, enabling BYOD is an advantageous strategy. However, bring-your-own-device (BYOD) can also represent a significant risk for organisations. For the IT department, there is massive pressure to find a way to securely enable BYOD. Failure to do so can lead to malware outbreaks, noncompliance with regulatory requirements, and corporate exposure in the wake of personal device theft.

Medical staff / patient error.

There is always the possibility of human error when entering data by either part, particularly when entering the clinical history number. Sometimes two patients can have identical names and the clinical information of one can be written on the medical history of the other. This is of critical importance when the information provided will activate subsequent clinical decisions that will affect the patient’s health: e.g. a patient with the same name as other could be misdiagnosed of cancer.

In the worst case the patient could receive non-needed surgery (amputations) or radio/chemotherapy. On the contrary, a patient with cancer could receive an invalid report of normality and delay a treatment that could potentially improve his/her status.

Although the impact is low because only affects one or two patients, global impact on the company’s or healthcare organisation's reputation can be very high.

3.1.4 Malicious actions.

Malware: Virus, Ransomware, BYOD.

In healthcare organisations, IT systems are strongly interconnected and difficult to isolate without generating service disruption, creating a comfortable ecosystem for malware. Enterprises with a very large number of devices may have difficulties updating their licenses because of the elevated costs.

Adware is one of the easiest ways to distribute malware and more often ignored by users . Ransomware is perhaps the most known threat for healthcare organisations, due mainly to the Wannacry case. Ransomware usually makes indiscriminate low-cost attacks.

It’s very easy to infect healthcare infrastructure because of two factors;

(i) software infrastructure is hard to keep updated because it’s very difficult to get a downtime slot,

(ii) machines that run legacy software that only works on specific OS or drivers’ version turns out to be an easy target for these attacks.

Many of these legacy devices that cannot be updated act as reservoirs for the malware helping it spread through the network. Enterprises that allow bring-your-own-device (BYOD) without appropriate policies are exposed to additional risks.

Hijack: Cryptojacking / Medjacking.

Medical equipment needs usually real time communications, and clinicians need also a quick response from the system when they look for patient data or test information. Dedicating processor time or communication capacity to mining cryptocurrency impacts performance and of course, the health care provision.

The difference between cryptojacking and medjacking is basically the kind of hardware involved. In the first case we are talking about general purpose IT infrastructure and in the second we are referring to IT-based medical equipment.

Social engineering: Phishing, Baiting, Device cloning.

Compromised email (phishing, spam and spear-phishing) is the dominating attack vector for malware infections. According to Verizon DBIR, email compromise was the attack vector for 92,4% of detected malware.

Most organizations still allow access to private mail web accounts in most of the computers of the hospital. Mail addresses from clinicians are easy to collect through hospital public directories, existing presentations on the web, etc.

In our research, we found both cases of using professional e-mail accounts for personal matters, and cases of using personal e-mail accounts for professional matters. Fight against phishing is not easy: keeping an adequate user awareness is very difficult.

Multiple factors have been blamed: most personnel in the health field has no technical knowledge at all, a stressful environment with high pressure, shift work, staff rotation, and a lack of understanding between IT team and clinicians.

Device cloning (ID cards) requires a high level of specialization and the necessity to get closer to the victim to clone his/her ID. Two factor identification has made this type of threat very unlikely.

Theft: Device, Data.

The cost of medical devices is very high. Stealing of medical equipment is a very common crime. Devices are usually sold in the second-hand market of underdeveloped countries or for veterinary uses for a fraction of their price. Small to medium-sized portable devices as ultrasound equipment, EKG, defibrillators, infusion pumps or vital signs monitors are among the most robbed pieces.

Devices should not expose medical data unless adequately logged in. Unfortunately, most of them use the factory default credentials.

The lack of involvement of IT security department in setting up and managing medical equipment, the lack of risk-awareness of the staff can generate information leaks that could impact on reputation, patient privacy, penalties, or even patient safety.

Medical device tampering.

Unprotected communications between medical devices and servers can result in tampering of the information. Sophisticated man-in-the-middle (MITM) attacks can change the data coming from vital signs monitors, laboratory, pathology reports or even DICOM images coming from CT scans, MRI or ultrasound systems in their way to the PACS server.

Skimming.

Skimming (stealing of credit card information) can occur from breaches in patients’ administrative data. It is unlikely to occur in public health systems where no payment is the rule and social security numbers are used instead. That is not the case in private institutions.

When protection of administrative data becomes secondary against protection of medical records, a breach can occur more easily.

Large shopping areas, and e-commerce systems seem to be the target for this type of organized criminals. Great effort from some public and private organizations has been made in the last years to prevent fraud in this area and is out of the scope of this report.

Denial of service.

Denial of Service is a very common cyberattack that can take down servers at a healthcare organisation, especially because they are usually reluctant to use public cloud infrastructure, so the capacity of servers is limited. The impact can be high, depending on the type of systems affected.

Web based attacks.

Extended use of undocumented web services for interoperability purposes, and the delay in applying updates, trying to keep the system configuration without changes and to reduce the downtime as much as possible, makes it easier to exploit known vulnerabilities.

Web application attacks

SQL Injection and Denial of Service represent the 68,8% of web application attacks, while in government institutions represent only the 26% or 27,7% globally. SQL injection alone represents the 46% in the case of healthcare, similar percentage to energy and manufacturing companies, another environment where industrial equipment is very frequent.

Insider threat.

Hospital staff can act as insider threats, at any position (physicians, nurses, administrative, maintenance, etc.), but patients or guests can act also from within the hospital, given that access cannot be restricted to certain areas.

Physical manipulation / damage.

Medical equipment can be very expensive, and many times, physical access is granted to non-authorized or poorly trained personnel -if not-trained at all-, allowing manipulation, damages, theft or loss of this equipment or the information assets they contain.

Identity theft.

There are 2 cases: employees’ identity or patients’ identity. The first case can be dangerous because impersonating a doctor or nurse allows, for example, to do wrong prescriptions or diagnose a patient of a certain disease, and the second case could be used to fraud the healthcare system and introduce wrong diagnoses as well.

Cyber espionage.

Interest of multinational pharmaceutic industries or other interest groups on clinical research results or patient data can be one the drivers of this kind of threats. Cases have been documented of new technology that it’s being tested in a hospital and other nations have been spying with the intention of copying this new technology or treatment.

Components mechanical disruption.

Imaging devices such as MRI machines and CT scanners, include mechanical components which are remotely controlled. A compromise can transfer control to a malicious actor and they can cause undesired movement of these components. This can have direct impact to the patient.

3.1.5 System failures.

Software failure.

Any piece of software can have errors. Special security measures are taken in devices such as infusion pumps, electrosurgical units, ventilators, medical use lasers, or devices that use ionizing radiation to work -radiology and radiotherapy equipment- that could generate physical damage if an error occurred. Lessons have been learned from severe incidents occurred in the past. The general rule is: all measures have to be taken so no overdose can be administered under any circumstance.

These devices undergo extensive tests before going out to the market. In few occasions, their software is updated by the manufacturer.

Servers are more prone to failure, not only because of failures in the design of their dedicated software but because they rely in other software platforms (operating systems, programming frameworks, databases) that can fail as well. If fact, experience has shown us that many errors occur after a software update.

Failures in medical servers occur normally as latent errors and, in some occasions, can stop the service. They habitually disappear after server reboot. Analysis of the generated logs is crucial to find what the cause of the error was.

Failures that do not cause server breakdowns or service disruption (loss of patients’ appointments or patient’s clinical information, for example) are usually detected several months after the system has been running. Several specially prepared tests should be run to ensure that the system does what it is expected to do.

As these systems run 24-7, finding downtime slots to run the tests can be very difficult if not impossible.

Frequent server failures deteriorate medical care and degrade confidence in the institution.

Outdated firmware.

Lack of procedures in place to update firmware in all devices (medical or not) in the hospital, is a top threat for healthcare organisations and namely hospitals. Legacy systems and software offer back doors to malicious actors that can access sensitive healthcare data.

Device failure.

Failure of simply limited/reduced capability may severely impact processes that rely, e.g. on the real-time collection of patient data, such as glucose measuring devices;

Network components failure.

The interconnected ecosystem of a hospital has to be resilient as the requirement for real time data analysis is high. If a component fails this can cause unavailability of a system, which can have cascading effects to other healthcare systems (i.e. Patient Health Record).

Insufficient maintenance.

Lack of updates or lack of patching is another very common threat that can have great impact to the healthcare organisation, i.e. malware spread. Operational issues might be left unresolved eventually jeopardising patients’ health.

3.2 RISKS IN PROCUREMENT.

Each type of procurement carries its own risk factors. Consult the following list to identify the main risks associated with the specific type of procurement you are planning/managing. Work jointly with your IT, security or risk departments to identify the best ways to address the relevant risks.

Each type of procurement carries its own risk factors. It is important that administrators of healthcare organisations understand these risk factors and the negative impact they could cause on the IT infrastructure, patients’ health, patients’ information, diagnosis and quality of service.

4. GOOD PRACTICES FOR CYBERSECURITY IN PROCUREMENT.

How to use the good practices of this chapter:

Step 1: Identify the type of procurement you are planning/managing.

Step 2: (Optional) Identify the threats you are most interested in mitigating.

Step 3: Identify the good procurement practices relevant for the identified type of procurement (and threats).

Step 4: Assess on which phase of the procurement lifecycle cybersecurity should be addressed. Understand the description and objectives to be achieved in the selected good practices in the corresponding phase.

Step 5: Using the graphs provided, understand in which procurement phases each good practice can be implemented.

Step 6: See the indicative examples of how to implement each practice or evidence that can be requested from supplier; adapt to your own procurement practices/methodology as needed.

This chapter presents good practices for enhancing cybersecurity in procurement. The good practices categorised per phase of the procurement lifecycle and for each one of these description, examples, procurement type addressed, mitigated threat and evidence are included. The general practices apply to all three stages of the lifecycle. In some cases, a good practice may apply to two phases, in which case they are categorised under the phase where they should first be applied or where they are most relevant.

The list of good practices below is by no means exhaustive; it gives however a solid advantage to the healthcare IT professional responsible for purchasing equipment in a hospital. The set of good practices are the collective result of all input received by healthcare professionals interviewed. The reader can adapt the list based on the priorities of his/her organization.

4.1 GENERAL GOOD PRACTICES.

GP 1. Involve the IT department in procurement.

GP 2. Implement a vulnerability identification and management process.

GP 3. Develop a policy for hardware and software updates.

GP 4. Enhance security controls for wireless communication.

GP 5. Establish testing policies.