How to strengthen incident response in the health sector

The European Union Agency for Cybersecurity issued an analysis of the current state of development of sectoral CSIRT capabilities in the health sector since the implementation of the NIS Directive.

Health organizations such as hospitals rely today on complex critical infrastructures in order to operate. For the year 2020, ENISA received a total of 742 reports about cybersecurity incidents with significant impact from the critical sectors under the Directive on security of network and information systems (NIS Directive). The health sector saw an increase of 47% of such incidents in 2020 compared to the previous year.

Cybersecurity attacks on healthcare can be life threatening for patients and provoke effects on the physical world. These attacks may also affect the entire health supply chain with damaging consequences for all stakeholders concerned such as citizens, public authorities, regulators, professional associations, industries, small and medium enterprises.

The number of cyber threats over the years is now rising proportionally to the growing popularity of emerging technologies such as the IoT, AI, big data, cloud computing and the multiplicity of connected devices, among others.

It is the role of Computer Security Incident Response Teams (CSIRTs) to develop the capabilities needed to address such issues and implement the provisions of the NIS Directive.

Objectives

The report assesses the services developed and currently used by CSIRTs across the Member States, analyzes the trends in relation to sector-specific CSIRTs and issues recommendations to strengthen the incident response capabilities (IRC) in the health sector.

The state of CSIRT capabilities in the health sector

National CSIRTs are the entities in charge of incident response in the health sector. Although dedicated health sector CSIRTs are still the exception in the Member States, sector specific CSIRT cooperation is developing.

The lack of sector-specific knowledge or capacity of national CSIRTs, lessons learned from past incidents and the implementation of the NIS Directive appear to be the main drivers of the creation of sector-specific incident response capabilities in the health sector.

The study reveals the lack of security culture among Operators of Essential Services (OES). Because the pace of updates quickly outruns the pace of IT technology evolution when healthcare equipment usually has a lifetime of 15 years on average, vulnerabilities tend to accumulate with the obsolescence of the IT layer through the lifecycle of hardware and digital devices.

Another challenge the healthcare sector is faced with is the complexity of systems due to the increased number of connected devices leading to an extension of the potential attack surface.

The key force driving the development of incident response capabilities of CSIRTs is the information related to security requirements and responsibilities of organizations for each sector. Shared frameworks for incident classification and threat modelling, education activities and a network allowing communication between incident response actors constitute the main resources and tools currently supporting the development of incident response capabilities.

National health sectoral CSIRTs tend to provide services better suited to the sector.

Recommendations

The sectoral health CSIRTs remain scarce in an environment where specialised support is needed to develop incident response activities. Based on the findings, the recommendations are to:

• Enhance and facilitate the creation of health sector CISRTs by allowing easy access to funding, promoting capacity building activities, etc.
• Capitalise on the expertise of the health CSIRTs for helping Operators of Essential Services (OES) develop their incident response capabilities by establishing sector-specific regulations, cooperation agreements, communication channels with OES, public-private partnerships, etc.
• Empower health CSIRTs to develop information sharing activities using threat intelligence, exchange of good practices and lessons learned, etc.