ENISA: hospitals next target for cyber-attacks

28 November 2016
That, at least, is what ENISA (European Union Agency for Network and Information Security) states in a report that sets the scene on information security for the adoption of IoT in Hospitals. ENISA is in good company. Recently several reports have commented on the vulnerability of healthcare when it comes to cyber attacks.

  • Better awareness hospitals doesn’t yet translate into better security
  • Ransomware presents growing threat to healthcare
  • Healthcare executives fear more hacks
  • Healthcare needs to start worrying about its IT vulnerability

The ENISA study which engaged information security officers from more than ten hospitals across the EU, depicts the smart hospital ICT ecosystem; and through a risk based approach focuses on relevant threats and vulnerabilities, analyses attack scenarios, and maps common good practices.  A rough estimation on the cost of cyber security incidents in hospitals shows that a change in mentality is required. The need for improved, and even remote, patient care drives hospitals to transform by adapting smart solutions, ignoring sometimes the emerging security and safety issues.

The report recommends:

  1. Healthcare organisations should provide specific IT security requirements for IoT components and implement only state of the art security measures
  2. Smart hospitals should identify the assets and how these will be interconnected (or connected to the Internet) and based on this identification adopt specific practices
  3. Device manufacturers should incorporate security into existing quality assurance systems and involve healthcareorganisation from the very beginning when designing systems and services.

ENISA Executive Director, Udo Helmbrecht, commented: “Interconnected, decision making devices offer automation and efficiency in hospitals, making them at the same time vulnerable to malicious actions. ENISA seeks to co-operate with all stakeholders to enhance security and safety in hospitals adopting smart solutions, namely smart hospitals”.  

Healthcare up on the agenda

Healthcare is moving up on the policy agenda: the adoption of the NIS Directive includes in scope healthcare organisations. ENISA in 2017 will work on supporting the Member States introducing baseline security measures to the critical sectors, focusing on healthcare organisations. Moreover, in continuation to this work, ENISA will look more closely at cyber security issues in medical devices.
The report findings were presented in the 2nd ENISA eHealth security workshop, which was organised on the 23rd of November, together with the Vienna Hospitals Association. In a session dedicated to “IoT Security for eHealth”, experts from the private and public healthcare sector, organisations and policy makers, exchanged views and experiences through live demos.

The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe. The Agency is located in Greece with its seat in Heraklion Crete and an operational office in Athens. ENISA is actively contributing to a high level of network and information security (NIS) within the Union, since it was set up in 2004, to the development of a culture of NIS in society and in order to raise awareness of NIS, thus contributing to proper functioning of the internal market.