Cybersecurity for Hospitals
The mainstream Coalition focus groups are organised per cyber security domain ranging from technical domains (e.g., crypto, cloud, OT/ICS Security) to more governance-oriented focus groups (e.g., GRC, Privacy & Data Protection, EU Regulations & Standardizations).
Objectives
In 2021, many hospitals expressed the need for a transversal focus group dedicated to their sector, given their specific needs and the sense of urgency. At the end of 2021, the Coalition board approved the creation of this new “Cyber security for Hospitals” Focus Group.
The hospital sector is increasingly affected by cyber incidents. Hospitals are making significant efforts to increase cyber security but face limited resources. Cooperation is vital in this regard and must go beyond sharing information among themselves to make the best use of limited resources.
This Focus Group encourages such cooperation and provides a forum for exploring collective actions such as joint affiliation to a SOC/SIEM or agreements with the insurance industry on the long-term insurability of hospitals. Such an approach is not only more cost-effective but also addresses the scarcity of required expertise.
This Focus Group encompasses three sub-groups:
Cyber security architecture & operations
Governance
This sub-group aims to develop a prioritized body of knowledge consisting of an open (RFC-like) and continually maintained set of documents, where each document:
- Describes one or a variety of possible reference architectures and matching implementation examples
- Provides additional non-technical guidance (budget, caveats, …)
- References covered control objectives and tactics/techniques (2-way index)
- Serves as a reference base for vendors/integrators for healthcare specific implementations
- Serves as a practical manifestation of existing frameworks.
This sub-group also concentrates on the actions to be taken to achieve NIS2 compliance.
Supply Chain Management
This sub-group wants to make sure that every IT & IoMT (Internet of Medical Things) purchase is secure & compliant by providing procurement with basic rules on cybersecurity.
The goal is to help every hospital stand equally strong and help suppliers understand the rules of procurement. This sub-group also examines how frame agreements can be scaled up.
Topics
During past plenary sessions, the Centre of Cybersecurity Belgium (CCB) presented its services for hospitals as well as its Cyberfundamentals framework, a set of guidelines structured in four maturity levels to ensure and continuously improve cyber security within both the public and private sectors. Members are also exposed to the publications and tools developed by the European Union Agency for Cybersecurity (ENISA). The CCB also presented the results of the 2022 ENISA cybersecurity exercise to test the response to attacks on EU healthcare infrastructures and services.
Practices
There are two plenary in-person meetings a year.
The sub-groups operate autonomously and meet at their own pace, but at least once per quarter. These meetings can be either in-person or virtual. However, there are interdependencies among the various sub-groups. Therefore, each sub-group is assigned a segment of the plenary meeting to present its activities and achievements of the previous period.
How to join the group
All health care institutions are eligible to join this Focus Group provided they have a Coalition membership. Health care institutions are exempt from paying the membership fee.
Members providing IT and security solutions to hospitals are also welcome to join the Focus Group. They can provide insights into the latest threats and vulnerabilities, as well as the best practices for securing IT systems in hospitals.