Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA

Similar documents
The NIS Directive and Cybersecurity in

The Network and Information Security Directive - ENISA's contribution

Network and Information Security Directive

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

Discussion on MS contribution to the WP2018

European Union Agency for Network and Information Security

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Securing Europe s IoT Devices and Services

NIS Directive development The Incident Notification Framework

Directive on security of network and information systems (NIS): State of Play

ENISA Cooperation in the EU / NIS Directive

IoT and Smart Infrastructure efforts in ENISA

Directive on Security of Network and Information Systems

Technology's role in General Data Protection Regulation Dr. Prokopios Drogkaris Officer in NIS SECPRE 2017 Oslo

ENISA s Position on the NIS Directive

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Cyber Security in Europe

NIS Standardisation ENISA view

Enhancing the cyber security &

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

Package of initiatives on Cybersecurity

Regulating Cyber: the UK s plans for the NIS Directive

ENISA EU Threat Landscape

Call for Expressions of Interest

ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

Securing Europe's Information Society

NIS-Directive and Smart Grids

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

Cybersecurity in the EU Steve Purser Head of Operational Departments, ENISA Regional Cybersecurity Forum Sofia, Bulgaria 29 th November 2016 European

The Digitalisation of Finance

ENISA & Cybersecurity. Steve Purser Head of Technical Competence Department December 2012

Digital Healthcare. Yordan Iliev Director R&D Healthcare. Regional Cybersecurity Forum, November 2016, Grand Hotel Sofia, Bulgaria

Security frameworks for Gov Clouds: A Technical Analysis

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Technical guidelines implementing eidas

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

GDPR Update and ENISA guidelines

The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018

ENISA S WORK ON ICS AND SMART GRID SECURITY

EISAS Enhanced Roadmap 2012

Cybersecurity Strategy of the Republic of Cyprus

CTI Capability Maturity Model Marco Lourenco

Introductory Speech to the Ramboll Event on the future of ENISA. Speech by ENISA s Executive Director, Prof. Dr. Udo Helmbrecht

Cyber security: a building block of the Digital Single Market

Valérie Andrianavaly European Commission DG INFSO-A3

Cyber Security. Activities of an national insurance association based on the example of VVO

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

Cyber Security in Europe and CEER s new PEER initiative

2017 ANNUAL TRUST SERVICES SECURITY INCIDENTS ANALYSIS. ENISA Article 19 Team

Cyber Security Beyond 2020

Cybersecurity Package

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

Security Aspects of Trust Services Providers

The SPARKS Project Motivation, Objectives and Results

Critical Infrastructure Protection in the European Union

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

ENISA And Standards Adri án Belmonte ETSI Security Week Event Sophia Antipolis (France) 22th June

Security and resilience in the Information Society: the role of CERTs/CSIRTs in the context of the EU CIIP policy

ehealth action in the EU

Birgit Morlion. DG Communications Networks, Content and Technology (DG CONNECT)

CSIRT capacity building Andrea Dufkova CSIRT-relations, COD1 NLO meeting Athens June 8. European Union Agency for Network and Information Security

European Union Agency for Network and Information Security

Report of the Working Group on mhealth Assessment Guidelines February 2016 March 2017

Achieving Global Cyber Security Through Collaboration

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Security and resilience in Information Society: the European approach

13967/16 MK/mj 1 DG D 2B

Meeting minutes of NLO annual meeting of 8 June 2016

Cybersecurity & Digital Privacy in the Energy sector

Building a Resilient Security Posture for Effective Breach Prevention

CYBER SECURITY AIR TRANSPORT IT SUMMIT

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

Mapping of the CVD models in Europe

Minutes of National Laison Officer s Meeting,

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

The commission communication "towards a general policy on the fight against cyber crime"

Digital Health Cyber Security Centre

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

10025/16 MP/mj 1 DG D 2B

ENISA today and in the future

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Kick-off Meeting DPIA Test phase

Improving Resilience in European e-communication networks MTP 1

CERT.LV activities, role in Latvia and globally. Baiba Kaskina, CERT.LV , Sofia, Bulgaria

Mozilla position paper on the legislative proposal for an EU Cybersecurity Act

CEF ehealth DSI 2018 Technical Boot Camp State of Play

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

ehealth Interoperability Workshop the Government and Expert View CEN/ISSS ehealth Standardization Focus Group, targets and work plan

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

Improving recognition of ICT security standards Recommendations for the Member States for the conformance to NIS Directive

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

Supporting the NHS to Improve Cyber Security. Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Transcription:

Security and resilience for ehealth Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA European Union Agency For Network And Information Security

Securing Europe s Information society 2

Positioning ENISA activities CAPACITY Hands on activities POLICY Support MS & COM in Policy implementation Harmonisation across EU EXPERTISE Recommendations Independent Advice 3

Predicting the future: Hospitals under attack 4

Indicative list of Incidents - DDoS in central Health Information System in Finland (KELA), causing disruption for two days. - Two hospitals in Germany were victims of ransomware campaigns in February. Neuss-based Lukas Hospital did not have email access and was conducting business using pencils, paper and fax machines. Klinikum Arnsberg hospital was also affected by a ransomware attack. - Hundreds of planned operations, outpatient appointments, and diagnostic procedures have been canceled at multiple hospitals in Lincolnshire, England, after a "major" computer virus compromised the National Health Service (NHS). - Theft of healthcare data in hospital in Greece, causing loss of data of patients. - And many more 5

The Network and Information Security Directive 6

Obligations for MSs on OESs - Identification of operators of essential services - Minimum security measures to ensure a level of security appropriate to the risks - Incident notification to prevent and minimize the impact of incidents on the IT systems that provide services - Make sure authorities have the powers and means to assess security and check evidence of compliance for OES 7

Working groups under the NISD NIS Directive Groups Cooperation Group CSIRT ENISA Identification Criteria Subgroup Security Measures Subgroup Incident Reporting Subgroup ENISA 8

NIS directive - TIMELINE August 2016 - Entry into force February 2017 6 months Cooperation Group starts its tasks August 2017 February 2018 12 months 18 months Adoption of implementing on security and notification requirements for DSPs Cooperation Group establishes work programme 9 May 2018 21 months Transposition into national law November 2018 27 months Member States to identify operators of essential services May 2019 May 2021 33 months (i.e. 1 year after transposition) 57 months (i.e. 3 years after transposition) Commission report - consistency of Member States' identification of OES Commission review 9

And this is not the only legislation targeting healthcare - General Data Protection Regulation - Implementation of security measures - Reporting data breaches to DPA - Perform Privacy impact assessment - Medical Devices Regulation - Compliance to safety and performance requirements for medical devices manufacturers - Notification obligation in the case of an incident in a vigilant system - Use of harmonized standards 10

Cyber Security in the Healthcare Sector situational analysis - Healthcare organisations are considered Operators of Essential Services thus is scope of the NISD - Low maturity on cyber security in the healthcare sector i.e. hospitals don t have a CISO - Hospitals are easy targets for malicious attackers i.e. cases of ransomware attacks in hospitals across the EU, DDoS attack in Finnish ehealth system - Lack of security awareness in the involved stakeholders and use of walk arounds i.e. physicians, administrative parsonel, patients etc - Life span of the medical devices in use i.e. CAT scanners or MRI machines can be outdated and patch management process usually is a third party task to perform

Cyber Security in the Healthcare Sector ENISA activities Security and Resilience for ehealth Infrastructures and Services (2015) Cyber Security for Smart hospitals (IoT in Healthcare) (2016) NISD implementation in Healthcare in the MS (details ) Cloud security in ehealth (on going) [OES-DSP dependency] Security self assessment questionnaire

NISD Implementation in the Healthcare Sector in the MS - 2017 Perform stocktaking of existing guidelines/schemes in the different Member States and international standards on cyber security in healthcare. Identify of baseline security measures for healthcare organisations. Identify incident notification approaches. Map interdependencies to other sectors and Digital Service Providers. Survey on Incident Reporting open for dissemination! https://ec.europa.eu/eusurvey/runner/incidentreporti ng_oes 13

ehealth experts group ENISA collaborates with HCO to setup pilots across the EU 14

Dissemination Activities - 1 st ehealth Security workshop 2015 Brussels, together with DG CNCT H3-2 nd ehealth Security workshop 2016 Vienna, together with the Hospitals Association of Vienna - Session moderation during ehealth Week 2017, speaking slot at ehealth Network meeting 2017 - Mini workshops with stakeholders around the EU MS - 3 rd ehealth Security workshop 2017 location tbc 15

Next steps for ehealth Security in ENISA Support in the criteria for the identification of Healthcare organisations in the scope of the NISD Raise awareness in the MS through organizing workshops and dedicated meetings Build on the baseline security measures for healthcare organisations as required by the NISD Identify incident reporting mechanisms for healthcare sector Signify security measures for IoT devices/components supporting core healthcare services Establish procurement guidelines for obtaining secure systems and devices in the healthcare organisations Find synergies with stakeholders under the implementation of the upcoming Medical Devices Regulation 16

Join us!! PO Box 1309, 710 01 Heraklion, Greece Tel: +30 28 14 40 9710 ehealthsecurity@enisa.europa.eu info@enisa.europa.eu www.enisa.europa.eu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback