
CENTERIS 2016 - Conference on ENTERprise Information Systems / PRojMAN 2016 - International Conference on Project MANagement / HCIST 2016 - International Conference on Health and Social Care Information Systems and Technologies

Cybersecurity Match Supply And Demand in Portuguese HealthCare Sector Industry Collaboration

Gomes, M. M. Rui (a, b); Soares, H. Bruno (c)
(a) Shared Services of Ministry of Health - Lisbon, Portugal
(b) ISCTE Business School, Lisbon, Portugal
(c) ISCAC Coimbra Business School

Abstract

Implementation of cybersecurity controls in Portugal is not a simple task. Critical Infrastructure Protection
initiatives and the parties associated with their implementation, which are Health Ministry institutions and national
healthcare organizations, should consider many related factors. Some independent parties have
been trying to implement controls, but these remain isolated activities with frail readiness. It is important to consider that
implementing controls is not worthwhile unless we are clearly aware of the added value that will be produced. In other
words, if the organization is not able to increase benefits and at the same time optimize risks, the related
controls are not producing value. Before the real implementation can take place, two key factors can
be used to increase its success. One is the adoption and adaptation of known reference
model frameworks for security and risk management to help orchestrate techniques; the
other is embracing industry collaboration, collecting slices, knowledge and security artefacts already in
place to achieve readiness. This paper presents a reference model based on COBIT 5* building blocks to
enable initiatives for the healthcare sector, as factors to be considered when the Portuguese Health Ministry needs to
implement general cybersecurity controls and practices in Portugal. This analysis can be continued by the
implementation of the risk and security framework and the operationalization of the risk and security
continuous improvement program, understanding how it can contribute to better governance,
management and operation of the Portuguese Healthcare Information System (eSIS) in general and the risk and
security goals in particular.
Keywords: Management; Industry Enablers; Security; Risk; ENISA; SANS; HIPAA; ISO 27001; COBIT; eHealth

* COBIT 5 is a framework created by ISACA for the Governance and Management of Enterprise information technology (IT). It is a
supporting toolset that allows managers to bridge the gap between stakeholder needs and technical issues and risks.

I. Introduction
During 2013 and 2014 healthcare companies saw about a 70 percent increase in cyber-attacks, with IDC Health
Insights [1] estimating that half of all healthcare organizations experienced one to five cyber-attacks in 2014, a
third of which succeeded. Overall, the healthcare industry accounted for 26.4 percent of all breaches in 2014.
There are many separate initiatives to implement cybersecurity controls in e-health. Institutions rarely
think of cybersecurity controls as part of a security management system. In fact, only a few institutions try to
implement a fully secure, managed and automated system from management to operations. Most automate
their initiatives as a partial, operational system to bring quick and visible results. These initiatives are not
sustainable over time, which means the investment has doubtful value. The implementation of an improvement
program of risk practices and safety involves several stakeholders related to the system. Various factors need to
be studied and considered to assess the readiness of the various parties implementing a risk and safety
programme. IT governance represents a well-discussed set of concepts for ensuring the optimal utilization of IT
[2] [3].
This paper presents a study and a new structured method, albeit with modest results so far, for ensuring the benefits
of a nationwide implementation of risk and security related good practices, led by the Ministry of Health Shared
Services, where the alignment and sharing between the several parties involved and the industry partners are the
most critical success factors.

II. Risk and Security good practices in the Healthcare


Each institution needs to be concerned about the protection of its vital and critical information assets from
cyber-attacks, threats from healthcare activities to on-line trading and banking, identity theft, malware attacks
and many other hazards. All institutions should have an information security risk management programme
in place to identify, analyze and evaluate their risks, and to treat them by implementing appropriate security
controls, as well as to regularly monitor and review the effectiveness of their security. For that, particular attention
should be given to the alignment of frameworks and standards, as well as to governance, management and
operational good practices. Governance and management frameworks [4] should be adapted to each
environment and can support the identification of why security is important to the entire organization and to
the ICT environment, along with the security related good practices, goals and related risks; operational standards and
procedures, in turn, must be implemented to ensure quality and normalization in areas where compliance must be
mandatory.
By adopting a security and risk framework [5], institutions have the opportunity to agree on the same goals,
direction and structure, improving communication and collaboration among them and allowing each
institution to adjust its operational controls and practices to add value to the protection of the institution's
assets.
Using a framework like COBIT 5 [6] as a starting point for the development of the risk and security framework
allowed the Portuguese Health Ministry to use the same language between institutions and to manage different ICT
good practices, whether related to risk and security (ISO 31000, ISO/IEC 27001), other ICT areas (e.g. ITIL**,
CMMI), or specific healthcare requirements or good practices (ISO 27799, HIPAA), meeting the most
relevant stakeholder needs, like ensuring secure care delivery processes in Portugal in the public and private sectors
as well as in the surrounding regions, like European member states.

III. Industry leads

The cybersecurity market is one of the fastest growing markets in the ICT sector and yields economic opportunities
[7] not only for Portugal but for Europe. In fact, the suppliers and providers are manufacturers that have the
greatest knowledge of the trends and capabilities of the systems. The cybersecurity industry will allow European
businesses to seize these opportunities and reinforce the trust of citizens and business in the digital world,
contributing to the goals of the Digital Single Market Strategy. The market supply for ICT security products
and services is fragmented, and therefore companies are often not able to achieve the necessary economies of
scale to be competitive. As a consequence, citizens and businesses across Europe are dependent on non-European
solutions when searching for viable technologies to protect their online activities. SPMS is
committed to adopting an innovative cybersecurity programme to preserve health information, protecting citizens
while at the same time promoting the industry in the Portuguese market, as well as using the EU's industry
opportunities.
The contribution from ENISA is noteworthy, connecting people and organizations to bring together the knowledge and
support of the EU Commission, the 28 Member States and industry participants. ENISA has repeatedly called
for security by design, and EU technology needs to address the security of digital products as a market
differentiator. ENISA fully participates in the Commission initiatives, such as the CEF*** program, and continues to
find and deliver network and information security exercises and skills enhancement that are particularly
relevant to be delivered in the EU.
People in general recognise that this will place an additional cost on industry, but the importance of
information security will prevail and the extra cost will be justified in terms of consumer confidence and the
value added by the use of appropriate security standards in public procurement.

This initiative brings strong emphasis on the following:

Increasing the security of people's health information - proactive solutions for data protection and
protection against information leak and terrorism, while respecting privacy;

Increasing security for society as a whole - addressing socio-economic, political and cultural aspects
of ehealth security, ethics and values, acceptance of security solutions, social environment and
perceptions of security;

Increasing the governance and management of security - aligning the security needs with national
health goals, institution goals and ICT related goals, and implementing security capabilities that can
impact value creation;

Increasing the security of critical infrastructure - examining and securing infrastructures in areas such as
Administrative and Care Delivery National Health Service Institutions;

Intelligent surveillance and ehealth security - technologies, equipment, tools and methods for
managing good practices and implementing controls and procedures;

Restoring security and safety in case of crisis - Business Continuity Operations of Institutions through
security coordination and resiliency;

Security research and analysis - research efforts covering public and security aspects, while taking into
account legal issues and data protection.

Ministry of Health Shared Services, mainly denominated SPMS, a Ministry of Health organization.

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization.

ISO/IEC 27001:2013 is an information security standard published by the International Organization for Standardization (ISO) and
the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

** ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of practices for IT service management (ITSM)
that focuses on aligning IT services with the needs of business.

Capability Maturity Model Integration (CMMI) is a process improvement training and appraisal program and service, especially in
software development.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub. L. 104-191, 110 Stat. 1936, enacted August 21, 1996)
was enacted by the United States Congress. HIPAA protects health insurance coverage for workers and their families when they change or
lose their jobs. HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards
for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers.

European Network Information Security Agency - ENISA

*** The Connecting Europe Facility (CEF) Programme supports trans-European networks and infrastructures in the sectors of transport,
telecommunications and energy.

The EU becomes a stronger global player in the market. This will allow people in Europe access to trustworthy
European solutions (ICT products, services and software) that take into consideration fundamental rights, such
as the right to privacy. On 18 December 2015, the Commission launched a public consultation [8],
accompanied by a policy roadmap, to seek stakeholders' views on the areas of work of a future public-private
partnership, as well as on potential additional policy measures, in areas such as certification, standardization
and labelling, that could benefit the European cybersecurity industry. The public-private partnership (PPP) on
cybersecurity intends to strengthen the EU's cybersecurity industry. The consultation ended on 11
March 2016 and the European Commission has enforced the Digital Single Market Strategy.
The aim of the PPP was to stimulate the European cybersecurity industry by:

Bringing together industrial and public resources to improve Europe's industrial policy on cybersecurity,
focusing on innovation and following a jointly-agreed strategic research and innovation roadmap

Helping build trust among Member States and industrial actors by fostering bottom-up cooperation on
research and innovation

Helping stimulate the cybersecurity industry by aligning the demand and supply for cybersecurity products
and services, and allowing the industry to efficiently elicit future requirements from end-users

Leveraging funding from Horizon 2020 and maximizing the impact of available industry funds through
better coordination and better focus on a few technical priorities

Providing visibility to European Risk and Insurance excellence in cyber security and digital privacy

Ensuring that every stakeholder uses the same language and understands the main goals and
metrics related to cybersecurity

The PPP built on the Strategic Research Agenda (SRA) [9] in the area of secure information and
communication technologies (ICT), developed by the NIS Platform and published in September 2015.

IV. Problem Definition


Implementing an organization's end-to-end cybersecurity controls for critical infrastructure is not a simple
task. Even more difficult is sustaining the control initiatives, and making them useful, in an organization's
daily operations. The major question when a government intends to protect its assets and maintain
continuous operations is how the Ministry of Health aims to ensure the contribution of Information and
Technologies to value creation. In this context the central element in the creation of value is risk optimization
and security management with the use of Information and Technology, which is why it was considered a
critical and relevant area for detailed analysis. The main problems are: i) currently, risk management
and information and technology security are handled at the level of local units, with no structures to facilitate the
appropriate sharing of best practice to ensure better management and operation of these areas in their different
components (Organization, People, Processes and Technologies); and ii) some independent parties have been
trying to implement controls, but these remain isolated and are not economically sustainable in the medium and
long term. Implementing controls is not worthwhile unless we are clearly aware of the added value that will be
produced. Thus, a reference model and programme for the Health Information System is mandatory to enable
better coordination and sharing of best practices in governance and management, thus enabling an
improvement of central and local information systems, and also of the entire ecosystem involving society and
the industry.
See the risk versus investment diagram (figure 1) to understand the investment dimension for risk mitigation
at the local units.

figure 1 Risk Vs Investment

V. Methodology
To address the problem from the central to the cross-organization level, a national working group for Risk and
Information was created. The major objective of the group is to evaluate the maturity of the management and
good practices already in place and to develop conditions to improve, adapt, promote and monitor results from
the adoption of a common governance and management framework and the implementation of local operational
security controls and procedures.
The framework will: i) align national health services objectives and institution goals with the risk management
scope and the goals of information security bodies; ii) gain a common vision for Information Security Management
that includes processes, organizational structures, resources needed, competencies, and principles and policies;
and iii) promote the sharing of good practices and resources related to the governance, management and operation
of risk and security. The COBIT 5 framework was used to promote the importance of adopting an approach
oriented to principles and not only to specifics when working in a cyber context, and to introduce a holistic
view of cybersecurity through seven enablers, which are factors that individually or collectively affect the
success of the governance and management of enterprise IT in general and security in particular. By adopting
this framework, Portuguese healthcare institutions agree on common security goals and metrics, and promote the
spirit of sharing information and visibility, as well as mechanisms to exchange information, in order to enhance
the dissemination of good practices, especially in peripheral entities that are limited in resources and expertise
to implement their own security.

Figure 2 shows the seven enablers and their relation to the goals, resources and IT related risk.
[Diagram: Risk and Security Framework. Stakeholder Needs lead to Institution Goals, LoB Related Goals and ICT Related Goals (Security view). These connect to the ICT Governance and Management Enablers and the LoB Governance and Management Enablers (Organizational Structures; Process; Culture, Ethics and Behaviours; Principles, Policies and Frameworks; Information; Services, Infrastructure and Applications; People, Skills and Competencies), to the ICT Related Risks (Security view), and to the ICT Operational Resources & Practices: Procedures, Technologies and People (Security View), covering the information/data layer, the software/solutions layer, the technology layer (infrastructure and networks), devices, and internal and external good practices.]

figure 2 Risk and Security Framework Overview


The Portuguese Health System Risk and Security Program follows. Note the importance of the Risk and Security
Documentation Repository as a central repository with templates, guidelines and good practices aligned with
the national risk and information security framework, as needed.

[Diagram: Portuguese Health System Risk and Security Program. Elements shown: the risk and security dashboard (monitor); the Good Practices Activation Program; the Risk and Security Documentation Repository (good practices sharing, good practices definition, guidelines); the SPMS Initiatives Portfolio and the Local Initiatives Portfolio (implementation); eSIS stakeholders, stakeholder needs and eSIS goals. For eSIS, for SPMS and for local institutions, at the governance and management level and at the operations level, the diagram shows goals (institution, LoB and ICT related goals, security view), ICT related risks (security view) and LoB related risks, governance and management enablers, and operational resources and practices.]

figure 3 Risk and Security Documentation Repository


During the implementation of initiatives in the field of information security, entities should be directed to
give priority to effective controls with a low/average investment level that achieve greater risk reduction. In
addition, ways should be required to centralize services (as in the case of a regional disaster recovery site) and/or
to collaborate between entities (e.g. for software development or awareness-raising actions) that will meet
information security requirements with a better cost/benefit ratio, which is especially critical for small entities
that do not have their own resources for this purpose.

VI. Sharing and Evaluating Good Practices (Activation Program)


Some examples of mechanisms for sharing information are the risk and security documentation repository, with
templates, guidelines and good practices aligned with the national risk and information security framework, as
well as the procedures to persuade sharing and evaluating good practices (activation kits). The risk and security
dashboard, with information about the maturity of each local institution implementing good practices, is another
key instrument to promote continuous improvement and to prepare audit/assurance initiatives. SPMS has a
directory that represents the guidelines database of activation kits. As soon as something is produced, a kit is also
associated with it so that it can be considered as a possible guideline for activation. SPMS plans to document 122 artefacts, such
as: security related goals; security management practices; security information policies and guidelines;
cybersecurity controls; or general recommendations for implementing operational practices in local entities.
Although these are not intended to be compulsory, we understand that they should be activated as best practices and
guiding principles, obviously after becoming validated guidelines. The institutions should assess the maturity
of their practices (expected to reach at least level 3) and return the completed form, registered on the security
dashboard. In the future, the idea is that the institution will do this directly in the system. When an institution
approves its policy, it means that it agrees to use it internally and approves the good practice to be followed.
What the programme requires from hospitals/health organizations:
1 - They should enable a good practice;
2 - They should respond within a specified period;
3 - They should give the evaluation record (complied or not).

The activation kits follow:


A. Procedures to persuade sharing and evaluating Good Practices (activation Kits):
Packages used by SPMS to promote risk and information security good practices. Each activation kit has
information about the requirements, maturity models, templates/guidelines and metrics that need to be provided
by local institutions to populate the risk and security dashboard. Figure 4 shows the activation kit.
[Flowchart: Good Practices Activation Program for a local institution (entity). A. Good practices activation: A.1 Activation Preparation; A.2 Activation (activation kit); A.3 Self Assessment (self-assessment report); A.4 Implementation (approved, activated); decision "Meet the requirements?" (Yes / No); A.5 Planning (action plan); A.6a Report compliance; A.6b Report non-compliance; A.7 Update dashboard. B. Audit/Assurance. C. Monitor and Control (dashboard).]

figure 4 Activation Kits


B. Using Cybersecurity Controls on Activation Program


Taking the issue of cybersecurity specifically into account, we considered the list of controls "CIS - Controls
for Effective Cyber Defense Version 6.0" (https://www.cisecurity.org/critical-controls.cfm) as a starting point
for adoption. A form has been created for each group of controls, describing its
main features: description and objectives of the control group; mapping with good
reference practices; control lists adapted to the reality of the eHealth environment; management requirements
(metrics and values); and good reference practices for audit/assurance initiatives. For each group of
controls, an activation kit has been created so that each institution can assess its implementation and the maturity of
the minimum control requirements.

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Critical Security Control #3: Secure Configurations for Hardware and Software
Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
Critical Security Control #5: Controlled Use of Administrative Privileges
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Security Control #7: Email and Web Browser Protections
Critical Security Control #8: Malware Defenses
Critical Security Control #9: Limitation and Control of Network Ports
Critical Security Control #10: Data Recovery Capability
Critical Security Control #11: Secure Configurations for Network Devices
Critical Security Control #12: Boundary Defense
Critical Security Control #13: Data Protection
Critical Security Control #14: Controlled Access Based on the Need to Know
Critical Security Control #15: Wireless Access Control
CCS eSIS #16: Account Monitoring and Control
Critical Security Control #17: Security Skills Assessment and Appropriate Training to Fill Gaps
Critical Security Control #18: Application Software Security
Critical Security Control #19: Incident Response and Management
Critical Security Control #20: Penetration Tests and Red Team Exercises

Legend: H - Cyber Hygiene

figure 5 Cybersecurity Controls

The replies of the institutions are intended to provide an integrated view of the implementation level of
cybersecurity controls at the level of applications, systems and networks, as well as a set of management
indicators that may be analyzed in the future. It is important to realize that this exercise is not intended to
prescribe the type or method of control implementation, but to give institutions the autonomy to have a
clear view of the good cybersecurity practices that can be implemented, and to decide whether to adopt them by themselves or
assisted by an external provider. An important part of the exercise relates to the management metrics that should be reported
and the audit/assurance practices that should be applied later. The activation plan for the control groups will focus
first on the priority groups of controls that ensure "security hygiene" (groups 1-5), followed by the
areas that the specific features of the eHealth environment make especially important (for example, group #13: Data
Protection, and group #16: Account Monitoring and Control).
The compilation of the program information in the "Security Dashboard" will allow the eHealth Unit
environment to respond globally on the level of adoption of good cybersecurity practices at the level of
applications, systems, and networks and communications.

VII. Expected Results

Based on the risk and security dashboard matrix, with information about the maturity of each local institution
implementing good practices, the dashboard is expected to serve as a key instrument to promote continuous improvement
and to prepare audit/assurance initiatives for the institutions, while providing overall information about where
the National Health System stands regarding risk and security.
[Illustrative dashboard: Risk and Security Continuous Improvement Dashboard. Column headings: Good Practices and Guidelines; SPMS; Local Institution - 01 to Local Institution - 06; Local Institution - XX; Total. Rows, with values in the order given in the figure:
Risk and Security Related Goals (Guidelines): 100%, 100%, 100%, 100%, 100%, 100%, 100%, 100%
Governance and Management Enablers (Guidelines): 0%, 0%, 0%, 0%, 0%, 0%, 0%, 0%
Operational Resources & Practices (Guidelines): 100%, 50%, 0%, 100%, 50%, 0%, 50%, 50%
Continuous Improvement Overview (Total): 67%, 50%, 33%, 67%, 50%, 33%, 50%, 50%]

figure 6 Risk and Security Continuous Improvement Dashboard

VIII. Conclusions and Future Work

This paper documents the building blocks and good practices used in the design of the eSIS Risk and Security
Framework and how the framework is planned to be adopted in the Portuguese healthcare system by
implementing the Portuguese Health System Risk and Security Program. The next step of the work will be
the implementation and operationalization of the program, in particular the activation of the Risk and Security
good practices, both in SPMS and in local institutions.
This model is adopted for healthcare institutions but can be tested elsewhere (other sectors/industries), in the context,
location and/or culture that would best lend itself to the framework (or theoretical model). Thus, we
recommend that some theories and methods be used to support the analysis of each of the initiatives in
order to complement industry good practices with valuable data to support scientific work.
We also understand that future work will bring different research opportunities, since it will make it possible to
recognise and validate in practice how the framework and program can actually contribute to the continuous
improvement of the risk and security of the whole healthcare system in Portugal. During the implementation of the
Good Practices Activation Program it will be possible to collect and validate data through interviews, field
surveys and questionnaires that will help to understand what type of governance, management or
operation good practices contribute most to mitigating eSIS ICT Related Risks and to supporting eSIS
related Goals. Since we are using the model for the first time, we will promote further research examining the
framework and the results achieved. We intend to report to the academy and offer a set of activities and
clues that researchers can browse to open many research questions within this perimeter. Within this scope,
researchers can propose to monitor the results of artefacts and evaluate the effectiveness and quality of
the initiatives.
Regarding the research strategy, the most appropriate approach is to examine and experiment with the results, as well
as to benefit from new possible goals that should provide clear and open questions remaining in the domain. However,
we should be aware of the wide-ranging limitations related to the difficulty in collecting data from
institutions (time-frame, legal authorization, low technical skills...), the inability to invest budget internally and
the lack of concern from the administration boards about the importance of the issues involved.


IX. Acknowledgments

Appreciations to everyone whose participation made this study and work possible, as colleagues and the
members of the board of the SPMS, Private Partners, eHealth ENISA Security Group Team and a special
appreciation to GOVaaS Governance Advisors, as-a-Service.

X. References
[1] Cyber-Security in Healthcare - Understanding the New World Threats, John Gomez, Sensato CEO; Colin Konschak, Divurgent CEO & Managing Partner, 2015.
[2] P. Weill and J.W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Boston: Harvard Business Press, 2004.
[3] S. De Haes and W. Van Grembergen, "IT governance structures, processes and relational mechanisms: Achieving IT/business alignment in a major Belgian financial group", 2005.
[4] Cybersecurity Framework Comments Reveal Views on a Framework Update, Increased Need to Share Best Practices and Expand Awareness, NIST, ITL, Evelyn Brown, 2015.
[5] The National Institute of Standards and Technology (NIST) is seeking information on the "Framework for Improving Critical Infrastructure Cybersecurity" (the "Framework").
[6] COBIT - Control Objectives for Information and related Technology, control focuses on IT. Visit www.isaca.org.
[7] Cybersecurity and update from ENISA, ENISA Executive Director, Prof. Dr. Udo Helmbrecht, Speech at Industry, Research and Energy Committee Meeting, European Parliament, 21 April 2016.
[8] Public Consultation, https://ec.europa.eu/digital-single-market/en/news/public-consultation-public-private-partnership-cybersecurityand-possible-accompanying-measures, accessed on 02 April 2016.
[9] Cybersecurity strategic research agenda - SRA, https://resilience.enisa.europa.eu/nis-platform/shared-documents/wg3documents/strategic-research-agenda-draft-v02.63/at_download/file, accessed on 02 April 2016.
[10] ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management, International Standards Organization, 2005.
[11] ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements, International Standards Organization, 2005.
