Protection and privAcy of hospital and health iNfrastructures with smArt Cyber sEcurity and cyber threat toolkit for dAta and people

Periodic Reporting for period 1 - PANACEA (Protection and privAcy of hospital and health iNfrastructures with smArt Cyber sEcurity and cyber threat toolkit for dAta and people)

Reporting period: 2019-01-01 to 2020-06-30

PANACEA delivers a complete cybersecurity toolkit providing a holistic approach for Health Care Institutions made up of a combination of technical (SW platforms for dynamic risk assessment, secure information sharing & security-by-design) and non-technical (procedures, governance models, people behaviour tools) elements.
The PANACEA toolkit consists of four technological outputs and five technical tools:
• a dynamic risk assessment & mitigation tool (Dynamic Risk Management Platform, DRMP), helping to perform risk assessment evaluation and mitigation measures,
• a secure information sharing tool for the protection of data (Secure Information Sharing Platform, SISP)
• a security-by-design & certification framework (Security by Design Framework, SbDF). The SbDF will leverage two software tools: Secure Design Support Tool (SDSP) and Compliance Support Tool (CST).
• a tool/technology for identification & authentication, Machine to Machine and Human To Machine (Identity Management Platform, IMP)
Moreover, it comprises three organizational outputs:
• a tool composed of models, guidelines and best practices for training & education (Training & Education for Cybersecurity Tool, TECT)
• a tool aimed at resilience governance (Resilience Governance Tool, RGT)
• a tool for secure behaviours nudging (Secure Behaviour Nudging Tool, SBNT)
Each component of the PANACEA Solution Toolkit can be implemented and used separately by the management and the security staff of the healthcare centre. Once implemented, they operate by protecting an ecosystem made up of a variety of components, e.g.
• The Healthcare Centre (HCC) network composed of operators, patients, citizens, security staff, medical doctors, nurses, top management, employees and administrative staff.
• The clinical information systems and related processes
• The administrative information systems
• The connected devices used in and outside of the hospital
The Solution Toolkit will also be able to manage secure information sharing with other HCCs, even when these HCCs are not fully adopting the toolkit.

PANACEA is focused on ten main objectives:

1 Develop and validate tools for dynamic risk assessment and mitigation
2 Develop and validate tools for Secure Information Sharing
3 Develop and validate tools for System Security-by-design and certification
4 Develop and validate tools for identification and authentication
5 Develop and validate an educational package for cybersecurity in the health sector
6 Develop and validate tools for resilience governance
7 Develop tools for secure behaviors nudging
8 Develop and validate Implementation Guidelines for cybersecurity solutions adoption
9 Develop and validate a Security-ROI methodology
10 Engage a representative community of stakeholders and identify a sustainability path for the PANACEA vision

PANACEA can bring an important contribution to the European society. Healthcare structures, according to the EU Directive 2016/1148 (of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union) are “essential services”. They are an attractive target for cybercrime for two fundamental reasons: healthcare is a rich source of valuable data and its defences are weak. Key reasons of weakness include:
• Complexity: multiplicity of connected end-points, many different interconnected systems, digitalization of patient data.
• Barriers to the adoption of security solutions, due to complexity, skill shortage, performance concerns, lack of budget, lack of organisational buy-in.
• Human error, because healthcare staff are overwhelmed by their professional workload (rush is a constant of their work environment).
The PANACEA toolkit addresses all the aforementioned weaknesses, contributing to a “people-centric” vision for cybersecurity in healthcare, and thus ensuring that such an important essential service is available to society as a whole.
With the kick-off of the project activities, the Consortium has established the guidelines for the future development of the project: management procedures, governance structure, communication processes, reporting and monitoring of activities and results.
During the first three quarters of the first year, the activities of the project (under WP1) were mainly aimed at eliciting all business, user and technical requirements to be fulfilled by the toolkit. These requirements guided the design of the different tools within the toolkit.

Among the seven main components of the toolkit, the development of the four technological tools was driven by User Requirements, System Requirements and high-level design, while the non-technological tools were driven by the User Requirements.
Furthermore, an extensive elicitation of scenarios and use cases was performed, to inform the scope of the development of the tools during the second year and to allow proper validation of the toolkit during the third year.
The research Work Package (WP2) completed its activities by M15 (on time) with all the analysis needed for WP3-4-5, and these WPs proceeded with their Tasks. Key results include algorithms for risk assessments, visual analytics and staff behaviors profiling.
Under WP3 and 4, final design deliverables for the risk assessment (DRMP), Secure Information Sharing (SISP), Security by Design Framework (SbDF) and Identification Management Platform (IMP) were submitted on time at M15.
The implementation of the technical tools is proceeding as scheduled, and consolidated prototypes of all of them had already been released by M18.
At M18, the non-technical tools of the toolkit (Governance, Education and Nudging) were in the initial implementation phase (under WP5).
In the context of dissemination activities, the PANACEA website (www.panacearesearch.eu) has been developed and is constantly updated, as are the social media channels (YouTube, LinkedIn and Twitter).
Finally, compliance with the ethics requirements was also addressed by the Consortium and, given the comments from the EC Reviewers, the activities there will be intensified in the next 6 months. In particular, all new Deliverables include a section dedicated to the Ethical and Privacy aspects.
PANACEA is progressing properly towards its defined objectives, without major delays despite the difficult Covid19 situation.
Among the activities carried out by the team, advancements over the state-of-the-art have been achieved on several topics:
• Threat modelling
• Attack modelling
• Response management
• Visual analytics
• Secure information sharing
• Identification/authentication
• Secure behaviors nudging tools

As general impacts, PANACEA looks to:
• Reinforce Europe's position as a key security provider for Healthcare IT systems;
• Allow for a continued development and improvement of fully tailored identity management and secure data management solutions for Healthcare;
• Proceed with the development of new products such as Connected Object management platforms to secure connected medical devices;
• Accelerate its growth in the Healthcare ecosystem to attract more customers and to increase its market share with the target to reach $2bn revenues by 2020;
• Extend and reinforce its European network of stakeholders and decision makers.