Protection and privAcy of hospital and health iNfrastructures with smArt Cyber sEcurity and cyber threat toolkit for dAta and people

Healthcare Organizations (HCOs) technology must operate for the society every day, 24 hours a day to ensure quality of care, patient safety and data privacy. However, HCOs attract cybercrime for their rich data and weak defences, due to technology complexity, organizational barriers to adopt security solutions, non-secure human behaviours. They must comply with EU Directive 2016/1148 (NIS).
To reduce weakness and support compliance, PANACEA project has pursued 10 objectives. 9 have consisted in developing and validating 9 associated tools, collectively responding to a holistic, people-centric, adoption-oriented perspective:
A. Technical tools
1) Dynamic Risk Management Platform (DRMP), a software to rapidly analyse possible new types of attack and provide dynamic risk evaluation (of IT systems, medical devices, people) and prioritized remediations
2) Secure Information Sharing Platform (SISP), a fully GDPR compliant software to secure clinical data and image user-friendly sharing between different HCOs
3) Security by Design Framework (SbDF), includes 2 software-supported guides for developers and hospitals: 1) to ensure, with the Compliance Support Tool (CST), the compliance with standards (e.g. GDPR, ISO 27001) of the design and deployment “process” of information systems and medical devices (the “product”) 2) to identify, with the Secure Design Support Platform (SDSP), “product” vulnerabilities and risks and to define security controls/requirements to be applied along the design life-cycle
4) Identity Management Platform (IMP), includes 2 software: 1) Human to Machine authentication (H2M), for face identification through employee’s smartphone to access workstations equipped with a camera 2) Machine to Machine authentication (M2M), ensuring that, when a machine connects to another machine, this connection is expected, comes from a trusted machine, and the messages are for sure coming from it
B. Non-technical tools
5) Resilience Governance Tool (RGT) includes 1) a check-list to assess the gaps of the HCO in relation to diverse cybersecurity standards (e.g. ISO 27001, AgID) and 2) guidelines to build an IT-security organisation to govern all the cybersecurity processes
6) Secure Behaviour Nudging Toolkit (SBNT), a method to identify barriers to secure behaviours, and then identify, design and deploy context-specific “nudges” (“gentle” behaviour influencers, e.g. Posters, Memes, Screensaver messages)
7) Training & Education for Cybersecurity Tool (TECT), a method to develop voiceless video clips (1-2 minutes) with cartoons describing real risky situations for awareness raising
C. Tools to facilitate the adoption of cybersecurity solutions by HCOs
8) Cybersecurity Return on Investment (C-ROI), a method supporting HCO’s to decide on investments in cybersecurity, maximizing the return in terms of maturity level increase
9) Implementation Guidelines Tool (IGT), guidelines supporting a HCO in selecting and deploying the PANACEA tools that fit its needs.
The tenth objective is to engage a representative community of stakeholders and identify a sustainability path for the PANACEA vision.

The project from Jan 2019 to Feb 2022 went through 4 phases to deliver the 9 tools:
1) elicitation of user and technical requirements and use-cases definition
2) core research, key results include algorithms for dynamic risk management and for ranking mitigation actions, visualization schemes to support decision process, staff behaviours profiling.
3) development of all tools and of a framework for the integrated use of the toolkit
4) validation of all tools in 22 use cases in 3 HCOs and 4 medical device/system developers.
Dissemination included: 35 events attended as speaker/panellist, 6 events organized, 8 publications, input to ISO standardization (Technical Report ISO/IEC SC 372: Biometrics. International), key role in organizing 3 webinars with CUREX and SPHINX (H2020 projects).
Results related to the tenth objective include: 1) 1160 stakeholders engaged (76% HCOs, 16% peer projects and research institution, 5% policy makers, 3% HW/SW providers and integrators) 2) Memorandum of Understanding (MoU) to collaborate for joint exploitation signed by 13 of the 15 partners.
On 1st March 2022, the partners launched the PANACEA Healthcare Cybersecurity Advisory Services (PHCAS), a collaboration mechanism defined in the MoU for joint exploitation.
Despite Covid-19 and severe cyberattack in May 2021 to the Irish HSE (a PANACEA’s HCOs), 80% of the 30 Deliverables due from Jul 2020 had 0 or 1 month delay and tool validation ended by M36. The project ended with a 2-month delay (M38), to better prepare joint exploitation and disseminate with other H2020 projects.

PANACEA contributes to progress beyond the state of the art at two levels.
At individual tool level:
• DRMP includes 1) novel multi-dimensional attack model, based on relationship in/between four “layers” of items (people, ICT and medical devices, business processes, access rights) 2) high-performance algorithm to identify the most critical items 3) semi-automatic identification of the best portfolio of remediations given overall cost 4) innovative visual analytics environment.
• SISP allows HCOs to exchange any type of data using a peer-to-peer ticketing approach; is GDPR compliant, with control over data flow, selective sharing controls, reliable and decentralized deployment model, capability to share heavy images responding to healthcare standards
• CST guides the user to easily verify process compliance to all the applicable standards; SDSP guides the user to run smoothly a complex product risk assessment and evaluate security controls;
• IMP-H2M embodies a unique combination of features: GDPR compliance, 2 factors, works on shared workstations, user-friendliness; IMP-M2M offers storage of sensitive data (private key) in a secure module; immunity against replay attacks; state of the art security (FIDO concepts)
• RGT is based on multi-standard control list, with easy-to-use graphic summary; provides organizational guidelines tailored on HCOs, involving C-level and staff acting as "cybersecurity angels" with colleagues.
• SBNT provides an actionable toolkit, developed by a team of psychologists; facilitates the design of tailored non-training mechanisms to influence behaviour
• TECT delivers videoclips based on proven pedagogical methods; is use-case based, customizable, addressing a broad range of roles, short, accessible via PC, laptop, tablet or mobile phone.
• C-ROI method evaluates the return in terms of compliance improvement, more convincing, vs financial return models, for HCO top management, in a context where compliance with NIS is key
At toolkit level, PHCAS proposes to the market an innovative “niche product”, i.e. multi-disciplinary advisory services to help clients (HCOs) in adopting a holistic approach to cybersecurity assessment and preparedness through an integrated toolkit that combines technical and non-technical measures.
The adoption of the project’s results would impact on
• HCOs: as users and buyers of technology and cybersecurity solutions would increase their capability to holistically manage their cybersecurity and influence suppliers
• Cybersecurity solutions suppliers: would be pushed to provide more innovative solutions
• Technology suppliers: would be pushed to provide secure-by-design products
• Population: would benefit from higher probability of business continuity.