ENISA ROLE AND WORK ON THE eHEALTH DOMAIN
Dr. Evgenia Nikolouzou, Officer in Network and Information Security, ENISA – The EU Agency for Cybersecurity
CYBERSEC4HEALTH, Brussels
10 07 2019
AGENDA
Situational analysis of cybersecurity in eHealth
• Current and evolving cybersecurity landscape in the sector
Evolving regulatory landscape for cybersecurity in eHealth
• Implementation status of the NIS Directive
• Cybersecurity Act / Cybersecurity Certification Framework
ENISA’s on-going activities in eHealth
• 2019 report on procurement guidelines for Healthcare organisations
• Cyber Europe 2020
• 5th eHealth Security Conference organised by ENISA in Barcelona
The NIS Directive and Cybersecurity in eHealth
eHEALTH CYBERSECURITY – SITUATIONAL ANALYSIS
• Confidence in response: 92% up from 82% two years ago
• Patching: 87% claim to frequently patch systems
• Investment: More healthcare organizations (28%) are spending 11-20% more on cybersecurity than in 2017
• Outdated systems: Number of devices running on Windows XP has fallen from 1 in 5 to 1 in 10
Source: Infoblox - Cybersecurity in Healthcare, 2019
• 200% increase in software supply chain attacks
• 600% increase of attacks on IoT devices, 29% on ICS
• 46% increase in ransomware variants
Source: Infoblox - Cybersecurity in Healthcare, 2019
Source: IBM, Cost of a Data Breach, 2018
OBLIGATIONS FOR MS ON OES
• Identification of operators of essential services
• Minimum security measures to ensure a level of security appropriate to the risks
• Incident notification to prevent and minimize the impact of incidents on the IT systems that provide services
• Make sure authorities have the powers and means to assess security and check evidence of compliance for OES
CYBERSECURITY ACT
ENISA Reform
• An EU Agency for Cybersecurity
• Stronger Mandate
• Permanent Status
• Adequate Resources
EU Cybersecurity Certification Framework
• One framework, many schemes
• Certificates valid across all MS
• Roles for MS and ENISA
• Voluntary and risk-based approach; any need for mandatory schemes to be identified
A proactive continent
The EU Cybersecurity Certification Framework - An Overview
• Security certification of products has been tantamount to common criteria
• Within EU
• SOG-IS MRA is the forum for common criteria certification
• Several national and sectorial initiatives focus on security certification
Certification entails “the provision of assessment and impartial third-party attestation that fulfilment of specified requirements has been demonstrated” (*)
(*) ISO/IEC 17067:2013
Goals of the new framework
• Addresses market fragmentation
• Products, services, processes
• Proposes a risk-based approach for voluntary certification
• EU declaration of conformity
• Defines assurance levels: Basic, Substantial, High
• Defines the role for Member States:
  • Propose the drafting of a candidate scheme
  • Participate in the European Cybersecurity Certification Group (ECCG), which is composed of national certification supervisory authorities
  • Involved in the adoption of an implementing act
  • Tasks outlined as per Regulation (EU) 765/2008 on accreditation and market surveillance
Key provisions for ENISA 1/2
• Prepare candidate cybersecurity certification schemes or review existing ones, on the basis of:
  • The Union Rolling Work Program (URWP) for EU Cybersecurity Certification
  • A specific request from the Commission or ECCG
• Maintain a dedicated website providing information on:
  • EU cybersecurity certification schemes
  • National certification schemes replaced by EU ones
  • A store of EU statements of conformance
• Assist the Commission to provide secretariat to the ECCG
• Along with the Commission, co-chair the Stakeholder Cybersecurity Certification Group (SCCG)
Key provisions for ENISA 2/2
• Provide secretariat to the SCCG
• While carrying out its tasks, take into account the requirements on:
  • Security objectives of EU cybersecurity certification schemes
  • Assurance levels
  • Elements of EU cybersecurity certification schemes
• Participate in the peer review of National Cybersecurity Certification Authorities
• Potentially provide guidance on areas such as:
  • Conformity self-assessment
  • Cybersecurity information for certified products, services and processes
  • Third-country agreements with the European Commission on certification
ENISA mission in cybersecurity certification
CSA implementation: an ENISA update
• To contribute to the emerging EU framework for the certification of products, services and processes
• To draw up certification schemes in line with the Cybersecurity Act, providing stakeholders with a sound service that adds value to the EU while supporting the framework
Key outputs
• Draft and finalise candidate certification schemes for products, services and processes
• Secretariat support for the SCCG and co-chair of the SCCG (with the Commission)
• Support the Commission in chairing the ECCG
• Support the review of adopted certification schemes
• Implement and maintain the CSCF public website
• Support peer review between national cybersecurity certification authorities
• Advise on market aspects relevant to cybersecurity certification
Conformity assessment against a scheme
[Diagram: at EU level, an EU Cybersecurity Certification Scheme defines the requirements and the evaluation process. A Conformity Assessment Body applies the scheme, assesses conformity to it, produces a certification report and certifies product conformity. At EU Member State level, a National Accreditation Body accredits the Conformity Assessment Body and a National Certification Authority supervises it.]
Areas of certification interest
Areas of interest: lead stakeholders
• SOG-IS: MS, EC
• Cloud computing: CSP Cert consortium, EC
• IoT: EC, other (e.g. Internet Society)
• 5G: EC
• Banking supervision: ECB
• IACS: EC/JRC
• Vertical industries and areas: TBD
ENISA 2019 REPORT FOR eHEALTH CYBERSECURITY
• Procurement guidelines for Cybersecurity in Healthcare organisations
• Target audience: healthcare organisations/hospitals
• Entire applicable procurement scope of a healthcare organisation (products, services, infrastructure etc.)
• Interviews with healthcare organisations to take place
• Stock-taking of existing guidelines/regulations
THANK YOU FOR YOUR ATTENTION
European Union Agency for Cybersecurity
Vasilissis Sofias Str 1, Maroussi 151 24
Attiki, Greece
+30 28 14 40 9711
www.enisa.europa.eu