The technology of Healthcare Organizations (HCOs) must operate for society every day, 24 hours a day, to ensure quality of care, patient safety and data privacy. However, HCOs attract cybercrime because of their rich data and weak defences, which stem from technology complexity, organisational barriers to adopting security solutions, and non-secure human behaviours. They must also comply with EU Directive 2016/1148 (NIS).
To reduce these weaknesses and support compliance, the PANACEA project has pursued 10 objectives. 9 of them consisted in developing and validating 9 associated tools, which collectively respond to a holistic, people-centric, adoption-oriented perspective:
A. Technical tools
1) Dynamic Risk Management Platform (DRMP), software to rapidly analyse possible new types of attack and provide dynamic risk evaluation (of IT systems, medical devices and people) together with prioritised remediations
2) Secure Information Sharing Platform (SISP), fully GDPR-compliant software for secure, user-friendly sharing of clinical data and images between different HCOs
3) Security by Design Framework (SbDF), which includes 2 software-supported guides for developers and hospitals: 1) the Compliance Support Tool (CST), to ensure that the design and deployment “process” of information systems and medical devices (the “product”) complies with standards (e.g. GDPR, ISO 27001); 2) the Secure Design Support Platform (SDSP), to identify “product” vulnerabilities and risks and to define the security controls/requirements to be applied along the design life-cycle
4) Identity Management Platform (IMP), which includes 2 software components: 1) Human to Machine authentication (H2M), face identification through the employee’s smartphone to access workstations equipped with a camera; 2) Machine to Machine authentication (M2M), ensuring that, when a machine connects to another machine, the connection is expected, comes from a trusted machine, and the messages genuinely originate from it
B. Non-technical tools
5) Resilience Governance Tool (RGT), which includes 1) a check-list to assess the HCO’s gaps against diverse cybersecurity standards (e.g. ISO 27001, AgID) and 2) guidelines to build an IT-security organisation that governs all the cybersecurity processes
6) Secure Behaviour Nudging Toolkit (SBNT), a method to identify barriers to secure behaviours and then identify, design and deploy context-specific “nudges” (“gentle” behaviour influencers, e.g. posters, memes, screensaver messages)
7) Training & Education for Cybersecurity Tool (TECT), a method to develop voiceless video clips (1-2 minutes) with cartoons depicting real risky situations, for awareness raising
C. Tools to facilitate the adoption of cybersecurity solutions by HCOs
8) Cybersecurity Return on Investment (C-ROI), a method supporting HCOs in deciding on cybersecurity investments, maximising the return in terms of maturity level increase
9) Implementation Guidelines Tool (IGT), guidelines supporting an HCO in selecting and deploying the PANACEA tools that fit its needs.
The tenth objective is to engage a representative community of stakeholders and identify a sustainability path for the PANACEA vision.