ENISA publishes procurement guidelines for cybersecurity in hospitals
The EU Agency for Cybersecurity (ENISA) published a cybersecurity procurement guide for hospitals.
The hospital is a vast ecosystem comprising an entire network of devices, equipment and systems that often require connection to external systems, making monitoring and control a very hard task. Because of the high sensitivity of medical data and the potential vulnerability the sector faces, cybersecurity has to be applied at every step of the way to ensure patient data privacy while also guaranteeing the availability and resilience of healthcare services.
A cybersecurity procurement guide for hospitals
The Procurement Guidelines for Cybersecurity in Hospitals published by the Agency is designed to support the healthcare sector in taking informed decisions on cybersecurity when purchasing new hospital assets. It specifies the information to be included in the procurement requests that hospitals publish in order to obtain IT equipment.
This new report outlines good practices and recommendations for including cybersecurity as a provision in the procurement process in hospitals. Initially the report presents the set of hospital assets and the most prominent cybersecurity threats linked to them.
After categorising the procurement process into three steps, namely “Plan, Source and Manage”, it identifies the cybersecurity requirements associated with each step. To make this even easier, the guide suggests the evidence a provider can supply to show that each requirement has been fulfilled.
The EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, stated:
“Protecting patients and ensuring the resilience of our hospitals are a key part of the Agency’s work to make Europe’s health sector cyber secure”
Who can use the guide?
This report is addressed to healthcare professionals occupying technical positions in hospitals: Chief-level executives (CIO, CISO, CTO) and IT teams, as well as procurement officers in healthcare organisations.
It may also be of interest to manufacturers that provide products and services to hospitals (medical devices, clinical information systems, networking equipment, cloud services, etc.). When these manufacturers offer services or products, they will know the security requirements that the hospital expects them to fulfil and can provide evidence to prove it.