Everyone who has ever had contact with a general practitioner, a pharmacist or a specialist in the hospital knows that digitalisation in the healthcare industry is also taking place at a great pace. Patient data are exchanged between healthcare providers and, where required, with chain partners. Healthcare providers are constantly looking for new technologies to prevent and treat a disease. Technologies develop rapidly and are an important incentive, whilst the pace in the area of the supply of information also increases. However, consequently, a larger digital dependence is created.
Digital dependence and risks
Digital dependence brings about risks, for instance when it comes to threats that disrupt the continuity and quality of the healthcare. To continue guaranteeing continuous and high-quality healthcare, a dynamic approach is required. One that should continuously be adjusted in order to detect and analyse changing risks, and to react when this is required. According to the National Cyber Security Centre, professional criminals and malicious parties still represent the biggest risk. They inflict most of the damages through, inter alia, digital sabotage and espionage, resulting in discontinuity within an organisation. For healthcare providers this means that patients are not being assisted because outpatient clinics are closed and operations are postponed.
Measures
To prevent this digital threat, it is important that the correct measures are taken, in order to continue providing good healthcare, so that the importance of the patients always comes first. These measures are outlined in, inter alia, NEN 7510. A component that is deemed to be very important in terms of continuity of healthcare and information security is an Information Security Management System. Effective from 1 July 2017, NEN 7510 has become mandatory for healthcare organisations, and the Healthcare and Youth Inspectorate (JGJ) enforces on the basis of this set of standards. For the time being, certification is not mandatory (yet) but is important in order to demonstrate that the standards and requirements that are imposed by NEN 7510 are met. In this respect, it is not about complying with all guidelines in detail, but that the organisation set up its information household adequately and can also demonstrate this.
Tesorion has meanwhile earned its merits within the healthcare industry. In this respect, the services are geared to the way that a healthcare provider set up its cyber-security. This can vary from specific T-Core services to comply with NEN 7510 and ‘CISCO-as-a-Service’ to the deployment of the CERT for emergencies.
Below, we briefly outline what standards are applicable. It is indicated per step / type of cyber-security solution how implementation assists in complying with the said specific standard. Because Tesorion believes in an ‘open’ concept, where possible, already existing hardware is included in the total solution.
Modular approach / structure
If cyber-security is professionalised (further) within an organisation, or set up as an internal organisation, then an initial step is usually the implementation of security monitoring.
- Security of network services
Insight into suspicious data flows. This may imply that the healthcare provider needs to deal with the loss of the availability. Standard 13.1.2. - Information security events
Information security events should be assessed in order to determine whether they need to be classified as information security incidents. Standard 16.1.4.
There are various ways of giving substance to this. This depends partly on the scope and the level of knowledge of the IT Department within the healthcare provider. Immunity is extremely suitable for automated detection and reaction. However, an internal department regularly appears to be busy and little time and budget is available to ensure that the level of knowledge of employees is kept at the required level. A Security Operations Centre (SOC) can then offer a solution to yet be able to guarantee the security of data and systems.
A step further is the component application security monitoring. This examines, inter alia, the following items - Vulnerability management
Information about technical vulnerabilities of systems, servers, network components, and applications can be demonstrated in a transparent manner and be prioritised on the basis of the established business critical systems. Standard 12.6.1. - Response to information security incidents
React to information security incidents according to the procedures. The T-CERT assists and helps in the analysis and mitigation of attacks, with counselling during the preparation of the correct procedures. Standard 16.5.1.
- Lessons learnt from information security incidents
Knowledge from information security incidents is used to reduce the probability or impact of future incidents. It is important that a growth track is followed in the course of which lessons are learnt from previous incidents. Standard 16.1.6. - The collection of documentary evidence
Define and apply procedures for the identification, collection, acquisition, and retention of information that can serve as evidence. A.16.1.7 - Systems
Systems that process personal information about patients are secured by the Security Information & Event Management (SIEM). This keeps track of what user obtains access via this system, processes or handles information, and can supply an audit report with correct documentary evidence. Standard 12.4.1 - Audit registrations
Audit registrations secured in the SOC of Tesorion where they cannot be manipulated by employees. Standard 12.4.2. - Log files
The SIEM can collect log files of administrators and operators and correlate them in the course of which it is assessed whether these activities are suspicious. Standard 12.4.3 - Documentary evidence
By recording implemented actions, changes, and other activities in the form of logging, documentary evidence is formed. Standard 16.1.7.
With a gradual approach, Tesorion offers a clear path with specific services to ensure that the quality of good healthcare is and remains guaranteed. A secure environment, both physically for patients, clients, and employees and digitally!
