ECSO: Cybersecurity in Healthcare - Key Takeaways
June 03, 2026
The European Cyber Security Organisation (ECSO), in collaboration with its members and the ECSO Chief Information Security Officers (CISO) Community from the healthcare sector, has been gathering insights into the sector's current challenges across the EU and exploring potential solutions. These findings were recently discussed at ECSO’s "Cybersecurity in Healthcare: Insights from Security Professionals" webinar.
The EU is developing an action plan to emphasise the need for up-to-date cybersecurity in hospitals and healthcare providers, with a strategy that will be introduced during the first 100 days of Ursula von der Leyen's mandate. In response, ECSO decided to collect input from its members regarding the main challenges in this sector and their solutions, along with each challenge's complexity level and criticality.
The main constraint in this sector is budget, which makes securing digital infrastructure and ensuring privacy increasingly difficult. Collaboration between public administration, healthcare professionals and businesses is essential to improve security.
Despite the current policy initiatives, such as the NIS2 directive, the Cyber Resilience Act and the GDPR, the healthcare sector remains a frequent target of cyberattacks and its cybersecurity maturity is still insufficient to protect critical infrastructure.
Insights from security professionals reveal that in the healthcare sector, especially in hospitals and healthcare providers, IT and security are still an afterthought, despite being foundational for modern healthcare delivery. The lack of integrated cybersecurity in medical product development, reliance on legacy systems and difficulty in managing supply chain risks further increase the sector's vulnerabilities. Additionally, difficulties in attracting and retaining skilled cybersecurity talent, along with budget constraints, further hinder progress in addressing these issues.
To address those challenges, several solutions are proposed:
- Direct funding or fiscal incentives should be provided to healthcare organisations to ensure security without hindering patient care.
- Centralised IT infrastructure, secure cloud services and public-private partnerships should be developed to improve cybersecurity resources, and incident response support should be provided at European level (e.g., European Healthcare CSIRT; Cyber Reserves).
- Political initiatives and targeted awareness campaigns can raise the priority of IT and cybersecurity in healthcare organisations, while upper management must be held accountable for a proper risk management process.
- Healthcare requires a dedicated cybersecurity framework, with streamlined standards and a unified risk assessment to identify systemic risks and prioritise resource allocation. Sector-specific Cyber Threat Intelligence products and vulnerability monitoring should be implemented. Stronger security requirements for medical devices and their supply chain can ensure that manufacturers meet cybersecurity standards. A risk-based approach should be adopted to secure legacy systems and critical infrastructure, with public-private partnerships to alleviate staff shortages.
In conclusion, cybersecurity in healthcare is a complex issue that requires a coordinated approach. More attention should be given to alleviating budget constraints, securing the supply chain and developing secure technology.
For more information, visit:
https://ecs-org.eu/?publications=cybersecurity-in-healthcare-insights-from-security-professionals
Author LinkedIn profile: Marcello Carboni, Cyber Security Specialist, 8 West Consulting https://www.linkedin.com/in/marcello-carboni-b01228186/