The NIS Directive and Cybersecurity in

Similar documents
Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA

The Network and Information Security Directive - ENISA's contribution

Network and Information Security Directive

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Directive on security of network and information systems (NIS): State of Play

Directive on Security of Network and Information Systems

European Union Agency for Network and Information Security

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Discussion on MS contribution to the WP2018

ENISA Cooperation in the EU / NIS Directive

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

NIS-Directive and Smart Grids

Securing Europe s IoT Devices and Services

NIS Directive development The Incident Notification Framework

NIS Standardisation ENISA view

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

ENISA s Position on the NIS Directive

ENISA EU Threat Landscape

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

IoT and Smart Infrastructure efforts in ENISA

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

Securing Europe's Information Society

Call for Expressions of Interest

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

Enhancing the cyber security &

Regulating Cyber: the UK s plans for the NIS Directive

Cyber Security in Europe

Cyber Security Beyond 2020

EU policy on Network and Information Security & Critical Information Infrastructures Protection

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

Cybersecurity Strategy of the Republic of Cyprus

ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

The Digitalisation of Finance

Working with the EU Directive High common level of network and information security. Martin Apel, SANS ICS Summit, Munich und

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Technology's role in General Data Protection Regulation Dr. Prokopios Drogkaris Officer in NIS SECPRE 2017 Oslo

Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

Security and resilience in Information Society: the European approach

Cybersecurity & Digital Privacy in the Energy sector

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

13967/16 MK/mj 1 DG D 2B

Cyber Security in Europe and CEER s new PEER initiative

EISAS Enhanced Roadmap 2012

Technical guidelines implementing eidas

Package of initiatives on Cybersecurity

Security Aspects of Trust Services Providers

Cybersecurity in the EU Steve Purser Head of Operational Departments, ENISA Regional Cybersecurity Forum Sofia, Bulgaria 29 th November 2016 European

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

Digital Healthcare. Yordan Iliev Director R&D Healthcare. Regional Cybersecurity Forum, November 2016, Grand Hotel Sofia, Bulgaria

Critical Infrastructure Protection in the European Union

Valérie Andrianavaly European Commission DG INFSO-A3

Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

ENISA & Cybersecurity. Steve Purser Head of Technical Competence Department December 2012

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018

ENISA S WORK ON ICS AND SMART GRID SECURITY

General Framework for Secure IoT Systems

GDPR Update and ENISA guidelines

National Policy and Guiding Principles

NW NATURAL CYBER SECURITY 2016.JUNE.16

Security and resilience in the Information Society: the role of CERTs/CSIRTs in the context of the EU CIIP policy

Manchester Metropolitan University Information Security Strategy

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cybersecurity Package

Critical Information Infrastructure Protection. Role of CIRTs and Cooperation at National Level

Version 1/2018. GDPR Processor Security Controls

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

The NIST Cybersecurity Framework

2017 ANNUAL TRUST SERVICES SECURITY INCIDENTS ANALYSIS. ENISA Article 19 Team

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

WELCOME ISO/IEC 27001:2017 Information Briefing

Towards a European Cloud Computing Strategy

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

Future-Proof Security & Privacy in IoT

Introductory Speech to the Ramboll Event on the future of ENISA. Speech by ENISA s Executive Director, Prof. Dr. Udo Helmbrecht

CYBER SECURITY AIR TRANSPORT IT SUMMIT

Medical Device Cybersecurity: FDA Perspective

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

In Accountable IoT We Trust

Why you should adopt the NIST Cybersecurity Framework

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Google Cloud & the General Data Protection Regulation (GDPR)

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

ehealth action in the EU

Horizon 2020 Security

European Union Agency for Network and Information Security

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Cyber Security Strategy

Business Continuity Management

Promoting Global Cybersecurity

GDPR: A QUICK OVERVIEW

Transcription:

The NIS Directive and Cybersecurity in ehealth Dr. Athanasios Drougkas Officer in NIS Belgian Hospitals Meeting on Security Brussels 13 th October European Union Agency For Network And Information Security

Agenda 1 2 The NIS Directive and cybersecurity in ehealth & ENISA work in ehealth security ENISA supporting the implementation of the NIS Directive for ehealth

The NIS Directive and cybersecurity in ehealth & ENISA work in ehealth security

Securing Europe s Information society

Positioning ENISA activities CAPACITY Hands on activities POLICY Support MS & COM in Policy implementation Harmonisation across EU EXPERTISE Recommendations Independent Advice

Predicting the future: Hospitals under attack

The Network and Information Security Directive

Obligations for MSs on OESs - Identification of operators of essential services - Minimum security measures to ensure a level of security appropriate to the risks - Incident notification to prevent and minimize the impact of incidents on the IT systems that provide services - Make sure authorities have the powers and means to assess security and check evidence of compliance for OES

Working groups under the NISD NIS Directive Groups Cooperation Group CSIRT ENISA Identification Criteria Subgroup Security Measures Subgroup Incident Reporting Subgroup ENISA

NIS directive - TIMELINE August 2016 - Entry into force February 2017 6 months Cooperation Group starts its tasks August 2017 February 2018 12 months 18 months Adoption of implementing on security and notification requirements for DSPs Cooperation Group establishes work programme 9 May 2018 21 months Transposition into national law November 2018 27 months Member States to identify operators of essential services May 2019 May 2021 33 months (i.e. 1 year after transposition) 57 months (i.e. 3 years after transposition) Commission report - consistency of Member States' identification of OES Commission review

And this is not the only legislation targeting healthcare - General Data Protection Regulation - Implementation of security measures - Reporting data breaches to DPA - Perform Privacy impact assessment - Medical Devices Regulation - Compliance to safety and performance requirements for medical devices manufacturers - Notification obligation in the case of an incident in a vigilant system - Use of harmonized standards

ehealth Experts Group ENISA collaborates with HCO to setup pilots across the EU

Cyber Security in the Healthcare Sector ENISA activities Security and Resilience for ehealth Infrastructures and Services (2015) Cyber Security for Smart hospitals (IoT in Healthcare) (2016) NISD implementation in Healthcare in the MS (on-going) Cloud security in ehealth (on-going) [OES-DSP dependency]

ENISA work to secure Smart Hospitals Objectives Improve security and resilience of hospitals information systems Identify common cyber security threats and challenges and, Present mitigation measures to address them Support pilots in hospitals across the EU Secure devices and systems to improve patients safety

Recommendations For Hospitals ENISA recommendations: Establish effective enterprise governance for cyber security Implement state-of-the-art security measures Provide specific IT security requirements for IoT components in the hospital Invest on NIS products over IoT components Establish an information security sharing mechanism Conduct risk assessment and vulnerability assessment Perform pen testing and auditing Support multi-stakeholder communication platforms (ISACs) and information sharing alternatives Invest on cyber security for IoT components

Recommendations For IoT devices manufacturers ENISA recommendations: Incorporate security into existing quality assurance systems Involve third parties in testing activities Consider applying medical device regulation to critical infrastructure components Support the adaptation of information security standards to healthcare Involve HCO throughout the whole device lifecycle

Recommendations For Policy makers ENISA recommendations: Promote collaboration on cyber security across Europe Develop awareness raising on IoT threats and risks Establish a governance model for cyber security Integrate (trade-off risk/investment) security in business processes Define security requirements to ensure security for safety A public private partnership can lead to a better cooperation

ENISA supporting the implementation of the NIS Directive for ehealth

NISD Implementation in the Healthcare Sector in the MS - 2017 Perform stocktaking of existing guidelines/schemes in the different Member States and international standards on cyber security in healthcare. Identify of baseline security measures for healthcare organisations. Identify incident notification approaches. Map interdependencies to other sectors and Digital Service Providers. Survey on Incident Reporting open for dissemination! https://ec.europa.eu/eusurvey/runner/incidentreporti ng_oes

Identification of Baseline Security Measures for Healthcare Organisations Is there some NIS measure that you apply missing from this mind map?

Identification of Baseline Security Measures for Healthcare Organisations DOMAIN MEASURES HIGH MEDIUM LOW TOP 10 NIS Measures Please rate the NIS measures in terms of priority for your organisation Governance and management Network and communications security Asset management Monitoring and auditing Resilience Logical and physical security Incident management Supply chain security Interoperability and portability Information security governance and management Select Rating Information security policies and standards Select Rating Risk management and assessment Select Rating Compliance Select Rating Human resource security Select Rating Secure network components Select Rating Secure network architecture Select Rating Remote connection security Select Rating Communications security Select Rating Patch management Select Rating Software control Select Rating Configuration management Select Rating Information classification and protection Select Rating Media security Select Rating Auditing and logging Select Rating Monitoring Select Rating Security accreditation Select Rating Business continuity management Select Rating Disaster recovery management Select Rating Identity and access management Select Rating Physical access security Select Rating Healthcare facilities security Select Rating Preparation and readiness Select Rating Handling and response Select Rating Contractual and service agreements Select Rating Supplier risk management Select Rating Service delivery management Select Rating Mobile device security Select Rating Application portability Select Rating Data portability Select Rating 21

Identification of Baseline Security Measures for Healthcare Organisations Which NIS measures are implemented in your organisation and are more mature in your organisation? For each of the security measures of high and medium importance/maturity please provide concrete examples of physical, technical and administrative controls.

Identification of Operators of Essential Services (OES) An Operator of Essential Services is defined as any public or private entity which: provides a service which is essential for the maintenance of critical societal and/or economic activities; the provision of that service depends on network and information systems an incident would have significant disruptive effects on the provision of that service. Energy Transport Sector Subsector Types of entity Electricity Oil Gas Air transport Rail transport Water transport Road transport N/A N/A Banking N/A N/A Financial market infrastructures Drinking water supply and distribution Digital inrastructure N/A N/A N/A N/A N/A Internet Exchange Points (IXP) DNS service providers TLD name registries

Definition of Digital Service Providers DSP means any legal person that provides a digital service as defined in the following: Types of digital services Online marketplace Cloud computing service Online search engine An online marketplace allows consumers and traders to conclude online sales or service contracts with traders, and is the final destination for the conclusion of those contracts.. Cloud computing services covers services that allow access to a scalable and elastic pool of shareable computing resources. Those computing resources include resources such as networks, servers or other infrastructure, storage, applications and services An online search engine allows the user to perform searches of, in principle, all websites on the basis of a query on any subject. It may alternatively be focused on websites in a particular language

Interdependencies of Healthcare Organisations Information Systems (1/3) What dependencies on services provided by OES and DSP are in place with regards to: Business processes (e.g. finance process provided by the banking sector). Essential services provided (e.g. electricity provided by the energy sector). Information systems (e.g. provision of DNS services by providers).

Interdependencies of Healthcare Organisations Information Systems (2/3) What are the specific services that are provided by the OES and DSP and may affect the essentials service provided by healthcare providers? Please provide detailed information about: The dependencies of other sectors on the provided service (detailed description). The impact of dependency disruption/essential service provision and the criticality level of each one for the healthcare providers.

Interdependencies of Healthcare Organisations Information Systems (3/3) What practices have you adopted and what measures have you implemented in order to adequately protect the aforementioned dependencies? In which ways can the interdependencies be further secured from the healthcare organisations perspective? What do you consider as the most critical success factor?

Incident Reporting for OES in the context of the NIS Directive Current incident reporting mechanisms/frameworks Are you overseeing any type network and information security (cyber security) incident notification mechanism used within the sector/subsector selected above? - Yes, national law - Yes, EU regulation/directive - Yes, international regulation - Yes, standard (non-mandatory) - Yes, industry standard (mandatory) - Yes, guideline (non-mandatory) - Yes, other mandatory initiative - Yes, other non-mandatory initiative - Yes, internal policy only - No

Incident Reporting for OES in the context of the NIS Directive Measuring the impact of cyber incidents When measuring the significance of the impact of cyber incidents affecting systems used in the provision of services, which of the following parameters do you take into account? - the number of users affected that are relying on the service provided by the operator - the duration of the incident - the geographical spread with regard to the area affected by the incident - the dependency of other sectors on the service provided by the affected entity - the impact the incident could have on economic and societal activities or public safety - the importance of the affected entity for maintaining a sufficient level of the service, taking into - account the availability of alternative means for the provision of that service - the market share of the affected entity (answer suitable only for authorities) - none of the above

Incident Reporting for OES in the context of the NIS Directive Measuring the impact of cyber incidents Please provide units of measure and thresholds used for the parameters above when determining significance of incidents: Unit of measure Threshold for becoming critical Text the number of users affected the duration of the incident the geographical spread with regard to the area affected by the incident the dependency of other sectors on the service provided by the affected entity impact the incident could have on economic and societal activities or public safety the importance of the affected entity for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service the market share of the affected entity (answer suitable only for authorities)

Incident Reporting for OES in the context of the NIS Directive Measuring the impact of cyber incidents What are the most common threats causing cyber incidents in your organisation? What do you think are the primary root causes that determine incidents having a significant impact on the services provided (disruption of confidentiality, integrity or availability); - Human Errors - Malicious actions - Natural phenomena - System failures - Third party failures - Other types of root causes - Do not know

Next steps for ehealth Security in ENISA Support in the criteria for the identification of Healthcare organisations in the scope of the NISD Raise awareness in the MS through organizing workshops and dedicated meetings Build on the baseline security measures for healthcare organisations as required by the NISD Identify incident reporting mechanisms for healthcare sector Signify security measures for IoT devices/components supporting core healthcare services Establish procurement guidelines for obtaining secure systems and devices in the healthcare organisations Find synergies with stakeholders under the implementation of the upcoming Medical Devices Regulation

Join us at the ehealth Security Conference!

Join us!! PO Box 1309, 710 01 Heraklion, Greece Tel: +30 28 14 40 9710 ehealthsecurity@enisa.europa.eu info@enisa.europa.eu www.enisa.europa.eu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback