Conference on Health and Social Care Information Systems and Technologies
Abstract
The implementation of cybersecurity controls in Portugal is not a simple task. Critical infrastructure protection initiatives, and the parties associated with their implementation, which are the Health Ministry institutions and the national healthcare organizations, must consider many factors related to the concern. Some independent parties have been trying to implement such controls, but these remain isolated activities with frail readiness. It is important to consider that implementing controls is not worthwhile unless we are certain of the added value that will be produced. In other words, if the organization will not be able to increase benefits and at the same time optimize risks, the readiness of the related controls is not producing value. Before the real implementation can take place, two key factors can be used to increase its chance of success. One is the adoption and adaptation of known reference model frameworks for security and risk management to help orchestrate the techniques; the other is embracing industry collaboration, collecting slices, knowledge and security artefacts already in place to achieve readiness. This paper presents a reference model based on COBIT 5* building blocks to enable initiatives for the healthcare sector, as factors to be considered when the Portuguese Health Ministry needs to implement general cybersecurity controls and practices in Portugal. This analysis can be continued by the implementation of the risk and security framework and the operationalization of the risk and security continuous improvement program, understanding how it can contribute to support better governance, management and operation of the Portuguese Healthcare Information System (eSIS) in general and the risk and security goals in particular.
Keywords: Management; Industry Enablers; Security; Risk; ENISA; SANS; HIPAA; ISO 27001; COBIT; eHealth
* COBIT 5 is a framework created by ISACA for the governance and management of enterprise information technology (IT). It is a supporting toolset that allows managers to bridge the gap between stakeholder needs and technical issues and risks.
I. Introduction
During 2013 and 2014, healthcare companies saw about a 70 percent increase in cyber-attacks, with IDC Health Insights [1] estimating that half of all healthcare organizations experienced one to five cyber-attacks in 2014, a third of which succeeded. Overall, the healthcare industry accounted for 26.4 percent of all breaches in 2014.
There are many separate initiatives to implement cybersecurity controls in e-health. Rarely do institutions think of cybersecurity controls as part of a security management system. In fact, only a few institutions try to implement a fully secure, managed and automated system from management down to operations. Most automate the initiatives as a partial, operational system to bring quick and visible results. In fact, these are not sustainable over time, which means the investment has doubtful value. The implementation of an improvement program of risk and safety practices involves several stakeholders related to the system. Various factors need to be studied and considered to assess the readiness of the various parties implementing a risk and safety programme. IT governance represents a well-discussed set of concepts for ensuring the optimal utilization of IT [2] [3].
This paper presents a study and a new structured method, even if with modest results so far, for ensuring the benefits of a nationwide implementation of risk and security related good practices, led by the Ministry of Health Shared Services, where the alignment and sharing between the several parties involved and the industry partners are the most critical success factors.
Ministry of Health Shared Services, mainly denominated SPMS, is a Ministry of Health organization.
ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization.
ISO/IEC 27001:2013 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.
CMMI), or specific healthcare requirements or good practices (ISO 27799, HIPAA), meeting the most relevant stakeholder needs, like ensuring secure care delivery processes in Portugal in the public and private sector as well as in the surrounding regions, like the European Member States.
Increasing the security of people's health information - proactive solutions for data protection and protection against information leaks and terrorism, while respecting privacy;
Increasing security for society as a whole - addressing socio-economic, political and cultural aspects of eHealth security, ethics and values, acceptance of security solutions, social environment and perceptions of security;
Increasing the governance and management of security - aligning security needs with national health goals, institution goals and ICT-related goals, and implementing security capabilities that can impact value creation;
Increasing the security of critical infrastructure - examining and securing infrastructures in areas such as administrative and care delivery National Health Service institutions;
Intelligent surveillance and eHealth security - technologies, equipment, tools and methods for managing good practices and implementing controls and procedures;
Restoring security and safety in case of crisis - business continuity operations of institutions through security coordination and resiliency;
Security research and analysis - research efforts covering public and security aspects, while taking into account legal issues and data protection.
ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.
Capability Maturity Model Integration (CMMI) is a process improvement training and appraisal program and service, especially in software development.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub. L. 104-191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress. HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. The Administrative Simplification (AS) provisions of HIPAA require the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers.
The EU becomes a stronger global player in the market. This will allow people in Europe access to trustworthy European solutions (ICT products, services and software) that take into consideration fundamental rights, such as the right to privacy. On 18 December 2015, the Commission launched a public consultation [8], accompanied by a policy roadmap, to seek stakeholders' views on the areas of work of a future public-private partnership, as well as on potential additional policy measures, in areas such as certification, standardization and labelling, that could benefit the European cybersecurity industry. The public-private partnership (PPP) on cybersecurity intends to strengthen the EU's cybersecurity industry. The consultation period ended on 11 March 2016, and the European Commission has enforced the Digital Single Market Strategy.
The aim of the PPP was to stimulate the European cybersecurity industry by:
bringing together industrial and public resources to improve Europe's industrial policy on cybersecurity, focusing on innovation and following a jointly agreed strategic research and innovation roadmap;
helping build trust among Member States and industrial actors by fostering bottom-up cooperation on research and innovation;
helping stimulate the cybersecurity industry by aligning demand and supply for cybersecurity products and services, and allowing the industry to efficiently elicit future requirements from end-users;
leveraging funding from Horizon 2020 and maximizing the impact of available industry funds through better coordination and better focus on a few technical priorities;
providing visibility to European Risk and Insurance excellence in cyber security and digital privacy;
ensuring that every stakeholder uses the same language and understands what the main goals and metrics related to cybersecurity are.
The PPP built on the Strategic Research Agenda (SRA) [9] in the area of secure information and communication technologies (ICT), developed by the NIS Platform and published in September 2015.
V. Methodology
To address the problem from the central to the cross-organization level, a national working group for Risk and Information was created. The major objective of the group is to evaluate the maturity of the management and good practices already in place and to develop the conditions to improve, adapt, promote and monitor the results of the adoption of a common governance and management framework and of the implementation of local operational security controls and procedures.
A framework that will: i) align national health service objectives and institution goals with the risk management scope and the information security bodies' goals; ii) gain a common vision for information security management that includes processes, organizational structures, resources needed, competencies, and principles and policies; and iii) promote the sharing of good practices and resources related to the governance, management and operation of risk and security. The COBIT 5 framework was used to promote the importance of adopting an approach oriented to principles and not only to specifics when working in a cyber context, and to introduce a holistic view of cybersecurity through seven enablers, which are factors that individually or collectively affect the success of the governance and management of enterprise IT in general and of security in particular. By adopting this framework, Portuguese healthcare institutions agree on common security goals and metrics and promote the spirit of sharing information and visibility, as well as mechanisms to exchange information, in order to enhance the dissemination of good practices, especially in peripheral entities that are limited in the resources and expertise needed to implement their own security.
Figure 2 shows the seven enablers and their relation with the goals, resources and IT-related risk.
Figure 2: Risk and Security Framework. Stakeholder needs drive eSIS goals, SPMS goals, institution goals and LoB goals, which cascade to IT-related goals (security view) and to the governance and management enablers (security view): processes; organizational structures; culture, ethics and behaviours; information; services, infrastructure and applications; and people. The enablers are mapped against the people (security view), information/data, software/solutions and technology (infrastructure, networks, devices) layers, internal and external, and against IT-related risks. Good practices and guidelines follow a definition, implementation and monitoring cycle across SPMS and the local institutions, from governance and management down to operations.
cybersecurity controls; or general recommendations for implementing operational practices in local entities. Although it is not intended to be compulsory, we understand that it should be activated as best practice and guiding principles, obviously after becoming a validated guideline. The institutions should assess the maturity of their practices (they are expected to reach at least level 3) and return the completed form to the registered security dashboard. In the future, the idea is that the institution will do it directly in the system. When an institution approves a policy, it means that it agrees to use it internally and approves the good practice to be followed.
What the programme should require from hospitals/health organizations:
1 - They should enable a good practice;
2 - They should respond within a specified period;
3 - They should give the evaluation record (complied or not).
Figure: Good practices activation flow. A. Good practices activation: A.2 Activation (activation kit, self-assessment report, activation kit approved); A.4 Implementation (activated; meet the requirements? yes/no); A.5 Planning (action plan). B. Audit/Assurance. Results feed the security dashboard.
Figure: Dashboard excerpt for the cyber hygiene (H) control groups, e.g. Critical Security Control #1: Inventory of Authorized and Unauthorized Devices.
Based on the replies of the institutions, the aim is an integrated view of the implementation level of cybersecurity controls at the level of applications, systems and networks, as well as a set of management indicators that may be analyzed in the future. It is important to realize that this exercise is not intended to prescribe the type or method of control implementation, but to give the institutions autonomy: a clear view of the good cybersecurity practices that can be implemented, so that they can decide and try to adopt them by themselves or assisted by an external provider. An important exercise concerns the management metrics that should be reported and the audit/assurance practices that should be applied later. The activation plan of the control groups will focus first on the priority groups of controls that ensure "security hygiene" (groups 1-5), followed by the areas that the specific features of the eHealth environment make especially important (for example, group #13: Data Protection and group #16: Account Monitoring and Control).
The compilation of the program information in the "Security Dashboard" will allow the eHealth unit to respond globally on the level of adoption of good cybersecurity practices at the level of applications, systems, networks and communications.
VII. Expected Results
Based on the risk and security dashboard matrix, with information about the maturity of each local institution implementing good practices, the dashboard is expected to be a key instrument to promote continuous improvement and to prepare audit/assurance initiatives for the institutions, while providing overall information about how the National Health System stands regarding risk and security.
Risk and Security Continuous Improvement Dashboard (illustrative)

Good Practices and Guidelines                  | SPMS | LI-01 | LI-02 | LI-03 | LI-04 | LI-05 | LI-06 | LI-XX | Total
Risk and Security Related Goals Guidelines     | 100% | 100%  | 100%  | 100%  | 100%  | 100%  | 100%  | ...   | 100%
Governance and Management Enablers Guidelines  | 0%   | 0%    | 0%    | 0%    | 0%    | 0%    | 0%    | ...   | 0%
Operational Resources & Practices Guidelines   | 100% | 50%   | 0%    | 100%  | 50%   | 0%    | 50%   | ...   | 50%
Continuous Improvement Overview (Total)        | 67%  | 50%   | 33%   | 67%   | 50%   | 33%   | 50%   | ...   | 50%

LI-nn = Local Institution - nn.
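The roll-up behind the illustrative dashboard, as an added Python example that is not part of the paper or of the SPMS programme: each institution returns evaluation records (complied or not) per guideline group, a group scores the share of complied records, the overview is the mean of the three group scores, and the Total column is the mean across institutions. Institution names, practice identifiers and replies are constructed sample data; the three constructed institutions reproduce the 67%, 50% and 33% columns of the table.

```python
from dataclasses import dataclass, field

# The three guideline groups of the eSIS dashboard, as named in the paper's illustrative table.
GROUPS = ("Risk and Security Related Goals Guidelines",
          "Governance and Management Enablers Guidelines",
          "Operational Resources & Practices Guidelines")
OVERVIEW = "Continuous Improvement Overview"

@dataclass
class Institution:
    """One reply to the activation programme: per group, (practice id, complied?) records."""
    name: str
    records: dict = field(default_factory=dict)

def group_score(records):
    """Percentage of activated practices in one group whose evaluation record is 'complied'.
    A group with nothing activated yet scores 0%, as in the Governance row of the table."""
    if not records:
        return 0
    return round(100 * sum(1 for _, ok in records if ok) / len(records))

def institution_scores(inst):
    """Group scores plus the overview, the mean of the three group scores."""
    scores = {g: group_score(inst.records.get(g, [])) for g in GROUPS}
    scores[OVERVIEW] = round(sum(scores[g] for g in GROUPS) / len(GROUPS))
    return scores

def dashboard(institutions):
    """Rows: guideline groups and overview; columns: each institution plus Total (mean across them)."""
    per_inst = {i.name: institution_scores(i) for i in institutions}
    table = {}
    for row in (*GROUPS, OVERVIEW):
        cols = {name: s[row] for name, s in per_inst.items()}
        cols["Total"] = round(sum(cols.values()) / len(cols))  # mean is taken before Total is added
        table[row] = cols
    return table

# Constructed sample replies (not the paper's data); practice ids are hypothetical.
SAMPLE = [
    Institution("Local Institution - 01", {GROUPS[0]: [("RSG-1", True), ("RSG-2", True)],
                                           GROUPS[1]: [("GME-1", False)],
                                           GROUPS[2]: [("OP-1", True), ("OP-2", True)]}),
    Institution("Local Institution - 02", {GROUPS[0]: [("RSG-1", True), ("RSG-2", True)],
                                           GROUPS[1]: [("GME-1", False)],
                                           GROUPS[2]: [("OP-1", True), ("OP-2", False)]}),
    Institution("Local Institution - 03", {GROUPS[0]: [("RSG-1", True)],
                                           GROUPS[1]: [],
                                           GROUPS[2]: [("OP-1", False), ("OP-2", False)]}),
]

if __name__ == "__main__":
    for row, cols in dashboard(SAMPLE).items():
        print(f"{row:46s}" + "".join(f"{v:5d}%" for v in cols.values()))
```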
VIII.
This paper documents the building blocks and good practices used in the design of the eSIS Risk and Security Framework and how the framework is planned to be adopted in the Portuguese healthcare system through the implementation of the Portuguese Health System Risk and Security Program. The next step of the work will be the implementation and operationalization of the program, in particular the activation of the risk and security good practices, both in SPMS and in local institutions.
This model is adopted for healthcare institutions but can be tested abroad (in other sectors/industries) and in the context, location and/or culture that would best lend itself to the framework (or theoretical model). Thus, we recommend that theories and methods be used to support the analysis of each of the initiatives, in order to complement industry good practices with valuable data that supports scientific work.
We also understand that future work will bring different research opportunities, since it will allow us to recognise and validate in practice how the framework and program can actually contribute to the continuous improvement of the risk and security of the whole health care system in Portugal. During the implementation of the Good Practices Activation Program it will be possible to collect and validate data through interviews, field surveys and questionnaires that will contribute to understanding what type of governance, management or operational good practices contribute best to mitigating eSIS ICT-related risks and to supporting eSIS-related goals. Since we are using the model for the first time, we will promote further research examining the framework and the results achieved. We intend to report to academia and offer a set of activities and clues that researchers can browse, opening many research questions within this perimeter. Within this scope, researchers can propose to monitor the results of the artefacts and evaluate the effectiveness and quality of the initiatives.
Regarding the research strategy, the most appropriate is to examine and experiment with the results, as well as to benefit from new possible goals that should provide clear and open questions remaining in the domain. However, we should be aware of the wide-ranging limitations related to the difficulty of collecting data from institutions (time-frame, legal authorization, low technical skills...), the inability to invest budget internally and the lack of concern from administration boards for the importance of the issues involved.
IX. Acknowledgments
Our appreciation goes to everyone whose participation made this study and work possible, namely colleagues and the members of the board of SPMS, private partners, the eHealth ENISA Security Group team, and a special appreciation to GOVaaS, Governance Advisors as-a-Service.
X. References
[1] J. Gomez (Sensato CEO) and C. Konschak (Divurgent CEO & Managing Partner), "Cyber-Security in Healthcare - Understanding the New World Threats", 2015.
[2] P. Weill and J. W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Boston: Harvard Business Press, 2004.
[3] S. De Haes and W. Van Grembergen, "IT governance structures, processes and relational mechanisms: Achieving IT/business alignment in a major Belgian financial group", 2005.
[4] E. Brown, "Cybersecurity Framework Comments Reveal Views on a Framework Update, Increased Need to Share Best Practices and Expand Awareness", NIST ITL, 2015.
[5] The National Institute of Standards and Technology (NIST) is seeking information on the Framework for Improving Critical Infrastructure Cybersecurity (the Framework).
[6] COBIT, Control Objectives for Information and related Technology, ISACA; see www.isaca.org.
[7] U. Helmbrecht (ENISA Executive Director), "Cybersecurity and update from ENISA", speech at the Industry, Research and Energy Committee meeting, European Parliament, 21 April 2016.
[8] Public Consultation, https://ec.europa.eu/digital-single-market/en/news/public-consultation-public-private-partnership-cybersecurityand-possible-accompanying-measures, accessed on 02 April 2016.
[9] Cybersecurity Strategic Research Agenda (SRA), https://resilience.enisa.europa.eu/nis-platform/shared-documents/wg3documents/strategic-research-agenda-draft-v02.63/at_download/file, accessed on 02 April 2016.
[10] ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management, International Organization for Standardization, 2005.
[11] ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, International Organization for Standardization, 2005.