CORDIS - EU research results

seCUre and pRivate hEalth data eXchange

Periodic Reporting for period 2 - CUREX (seCUre and pRivate hEalth data eXchange)

Reporting period: 2020-06-01 to 2022-03-31

Cyber-attacks against the healthcare industry soared during the COVID-19 pandemic, more than in any other sector, increasing the risk posed to patients and healthcare personnel by cyber criminals who eagerly attempt to capitalise upon the crisis. Traditionally, healthcare has been one of the main targets for adversaries and always among the top 3 most affected domains. According to the latest cyber intelligence reports, there has been a significant increase in the number of breaches and incidents reported within healthcare, where incidents hold higher relevance than in other domains because the nature of the sector poses unique challenges, such as actual human lives being put at risk should a threat materialise.

CUREX addresses the emerging needs of the domain by proposing a risk-based cybersecurity framework that takes into consideration the hospital workflows, as well as the ubiquity of medical devices in care settings. CUREX aims at protecting the health data handled by hospitals from the risks that are propagated all the way from the security gaps in their IT infrastructure by implementing a risk-based approach, performing continuous cybersecurity and privacy risk assessments based on the reported assets, vulnerabilities, and real-time detection of imminent threats. CUREX also offers optimal recommendations for cyber risk mitigations in the form of a decision support tool. Overall, the CUREX Platform encompasses a suite of tools establishing trust between healthcare organisations to accommodate the necessity of exchanging data in a fully GDPR-compliant manner. By capitalising on existing distributed ledger and health technological artifacts, CUREX ensures the accountability and auditability of all transactions between hospitals and care centres. Finally, taking into account the human factor, it improves the cyber hygiene culture among personnel through identifying employee group-specific gaps and needs with regard to raising cybersecurity and data privacy awareness.
CUREX extends the traditional risk management process by implementing a number of capabilities including:

(I) Asset and vulnerability discovery, to discover system assets (e.g. components, services, applications, ports, OS) and any information related to their associated vulnerabilities.
(II) Threat intelligence tools that apply advanced machine learning algorithms and artificial intelligence techniques for the real-time detection of abnormal behaviours of users and devices, as well as anomalies in the data, in order to identify new and unknown threats.
(III) Qualitative cybersecurity and privacy risk assessments, to evaluate the risk levels of the organisation based on the vulnerabilities identified in the infrastructure.
(IV) Recommendation of optimal safeguards strategies to mitigate the identified risks in an optimal way based on multiple factors (such as purchase and implementation cost and the provided security benefits) and reduce risk to acceptable levels.
(V) A decentralized blockchain network to publish the different outputs and the transaction history to ensure the integrity, accountability, traceability, and auditability of the complete process.

Moreover, as CUREX proposes a holistic and GDPR-compliant risk management approach for healthcare organisations, it cannot afford to disregard the significant role end-users play in the security equation. Therefore, going beyond the technical means, user training and awareness strategies have been included as part of the CUREX cyber hygiene framework to strengthen the healthcare organisations’ defences against social attacks.

CUREX’s results have demonstrated a very strong research potential, inspiring in total 24 scientific publications in prestigious journals and venues. Furthermore, the project’s developments have been presented in 29 events, reaching a diverse and very wide spectrum of stakeholders (from citizens/patients to policy makers) beyond the scientific community.

Overall, the CUREX Platform provides innovative solutions to healthcare organisations’ challenging efforts in preserving their cybersecurity safeguards. Its market potential is indisputable, as it presents a Unique Value Proposition which is based on an integrated system that combines all CUREX state-of-the-art components. With the use of various market prospects and tools, consortium partners were able to identify the roadmap to sustainability against competitors, adaptability from potential customers, and evolution of the CUREX platform as a novel solution offered to the healthcare security sector. There is a strong commercialisation potential that derives from efforts placed in analysing market access and formulating a concise business plan. With an explicit knowledge of the factors that shape the CUREX market adoption and evolution trends, contributing partners are able to pursue this path of commercialisation and bring this novel service to the market. The market dynamics and competitive framework of the EU market environment, which is the initial target market, pose both opportunities and restraints that the CUREX platform addresses through an intuitive go-to-market plan, coupled with an innovative pricing policy.
CUREX does not offer just another generic cybersecurity solution that can be applied to the healthcare sector, as it takes into serious consideration how the healthcare sector operates. Additionally, existing cybersecurity solutions focus on the technology aspects and less on the holistic approach that includes the human factor. CUREX invests in the human factor and their situational awareness while providing a tamper-proof ledger that provides an audit trail of every exchange activity performed on health data. Additionally, one of the most innovative features that makes CUREX unique is the adoption of blockchain technology, a system of recording information that works as a digital ledger of transactions duplicated and distributed across the entire network of computer systems on the blockchain. The combination of different solutions such as the Optimal Safeguards Tool and the Vulnerability Discovery Manager makes the final product unique, as these technologies are innovative, and this ensures the highest level of satisfaction for the end users of this solution.

Finally, it is worth mentioning that the social impact assessment performed for the project showed that end-users acknowledge its multidimensional impact, being very vocal in their perceptions regarding CUREX’s contribution to the global effort to reinforce the critical healthcare infrastructures, raising at the same time the interesting and very significant issues of secure and private health data exchange for both primary (cross-border healthcare services) and secondary (data sharing for research, innovation, etc.) use of data. Overall, the CUREX project positively affects the related industry from a social, technological and economical perspective, by providing a novel and solid solution to the emerging cybersecurity and data privacy needs of the healthcare domain.
CUREX Architecture
The CUREX Toolkit