ENISA Procurement Guidelines for Cybersecurity in Hospitals
Hello, this is Mitsuhiko Maruyama.
ENISA has published the Procurement Guidelines for Cybersecurity in Hospitals, a set of cybersecurity guidelines for hospitals procuring services, products and infrastructure.
Each good practice is linked to the relevant types of procurement and to the threats it can mitigate, so a hospital that wants to focus on a particular threat can easily filter the practices that apply.
● ENISA
・2020.02.24 Procurement Guidelines for Cybersecurity in Hospitals
・[PDF] PROCUREMENT GUIDELINES FOR CYBERSECURITY IN HOSPITALS - Good practices for the security of Healthcare services - FEBRUARY 2020
-----
1. INTRODUCTION
1.1 OBJECTIVES
1.2 SCOPE
1.3 TARGET AUDIENCE
1.4 METHODOLOGY
1.5 POLICY CONTEXT
1.5.1 European Policy
1.5.2 International Policy
1.6 STRUCTURE OF THE REPORT
2. PROCUREMENT IN HOSPITALS
2.1 PROCUREMENT PROCESS
2.2 TYPES OF PROCUREMENT
2.3 RELEVANT INDUSTRY STANDARDS AND GUIDELINES
2.4 CYBERSECURITY CHALLENGES
3. CYBERSECURITY IN PROCUREMENT
3.1 THREAT TAXONOMY
3.1.1 Natural phenomena
3.1.2 Supply chain failure
3.1.3 Human errors
3.1.4 Malicious actions
3.1.5 System failures
3.2 RISKS IN PROCUREMENT
4. GOOD PRACTICES FOR CYBERSECURITY IN PROCUREMENT
4.1 GENERAL PRACTICES
4.2 PLAN PHASE PRACTICES
4.3 SOURCE PHASE PRACTICES
4.4 MANAGE PHASE PRACTICES
5. OUTLOOK
A ANNEX: INDUSTRY STANDARDS
EXECUTIVE SUMMARY
As cybersecurity becomes more of a priority for hospitals, it is essential that it is integrated holistically in the different processes, components and stages influencing the healthcare ICT ecosystem. Procurement is a key process shaping the ICT environment of modern hospitals and, as such, should be at the forefront when it comes to meeting cybersecurity objectives.
This report aims to provide hospital procurement officers and CISOs/CIOs with a comprehensive set of tools and good practices that can be adapted to the hospitals’ procurement process in order to ensure that cybersecurity objectives are met. In this context, the report maps good practices in three distinct phases comprising the procurement lifecycle, namely plan, source and manage. Indeed, cybersecurity considerations are relevant for all three phases and this report offers an easy-to-use guide for hospitals to improve their procurement process from a cybersecurity perspective.
This report provides the context for addressing cybersecurity in procurement by defining the three procurement phases, identifying 10 types of procurement (assets, products, services etc.) for which cybersecurity considerations are relevant, listing industry standards with cybersecurity aspects relevant to these types of procurement and highlighting the main respective cybersecurity challenges. A threat taxonomy and a list of key risks associated with procurement are also presented. All this information is accompanied by quick guides providing insights as to how hospitals can use it in their procurement process.
The report concludes with a comprehensive set of good practices (GP) for cybersecurity in procurement. These good practices can be general practices applicable throughout the procurement lifecycle or may be relevant to individual procurement phases. All good practices are linked to the types of procurement for which they are relevant and to the threats they can mitigate, providing an easy-to-filter set of practices for hospitals that want to focus on particular aspects. Overall, hospitals are encouraged to adopt these good practices for cybersecurity in procurement:
General practices:
- Involve the IT department in procurement
- Vulnerability management
- Develop a policy for hardware and software updates
- Secure wireless communication
- Establish testing policies
- Establish Business Continuity plans
- Consider interoperability issues
- Allow auditing and logging
- Use encryption
Plan phase:
- Conduct risk assessment
- Plan requirements in advance
- Identify threats
- Segregate network
- Establish eligibility criteria for suppliers
- Create dedicated RfP for cloud
Source phase:
- Require certification
- Conduct DPIA
- Address legacy systems
- Provide cybersecurity training
- Develop incident response plans
- Involve supplier in incident management
- Organise maintenance operations
- Secure remote access
- Require patching
Manage phase:
- Raise cybersecurity awareness
- Perform asset inventory and configuration management
- Dedicated access control mechanisms for medical device facilities
- Schedule penetration testing frequently or after a change in the architecture/system