Overall Security of Critical Health Systems: Unite to Protect — The European SAFECARE Project (by Philippe Tourron)

When preliminary risk analyses for protection of systems are conducted, the most critical assets to be protected must be identified.
What is the most precious asset — the asset that everybody seeks to protect? HEALTH.

Protection of patients, patient data and staff data is a mandate and a given for all health systems, be they hospitals or health monitoring organisations.
To rein in threats, certain now-conventional actions are often taken. These may consist of measures of physical protection (access control, video protection, emergency power, fire protection, etc.) or digital protection (authentication, anti-virus software, blocking of cyber threats, etc.). However, threats evolve quickly. They are becoming increasingly complex and may be combined.
How can all the events that may be precursors to an incident be taken into account when their origins are as varied as the types of medical equipment and the spectrum of reasons for hospital admission?

The SAFECARE project (a project of the Horizon 2020 programme funded by the European Union) aims to unite partners that represent a broad spectrum of elements of physical and digital health systems in order to propose an innovative approach and system to respond to a need for “heightened vigilance,” ultimately decreasing reaction time and aiding in decision-making during crisis management.

Project background

The SAFECARE project stems from the fact that both physical attacks and cyberattacks are evolving, becoming more complex, becoming more common and being combined with increasing frequency. This calls for a response with:

• Agile detection,
• Agile response,
• Sharing of identified threats,
• Sharing of counter-measures,
• (Agile) coordination of (internal/external) resources for defence.

This three-year project of the European Horizon 2020 programme is directed by the Marseille Public University Hospital System (AP-HM) (coordinator). Consisting of a consortium of 21 partners from 10 European countries, it is intended to strengthen the security of critical health infrastructure in the event of a physical attack or a cyberattack. SAFECARE shall seek to improve threat prevention, detection and response capabilities.

Fig. 1: Key elements of the SAFECARE project

Health systems: complex and sprawling worlds unto themselves

Health systems are worlds unto themselves populated by individuals who represent a mandate for and yet a real challenge to protection. Some are, of course, patients. Others are staff, who, on the one hand, care for and protect patients and, on the other hand, require protection themselves.
Risks have many sources. They may be physical risks, with unfortunate acts of violence that are all too often reported and feared, or they may be cyber risks, with attacks that sometimes target health data or medical equipment in order to paralyse the functioning of that equipment and therefore patient care.
A hospital site must reconcile its mission to welcome all and facilitate access to care with its responsibility to protect people. This renders prevention complex. Moreover, advances in technology are bringing about increasing, and increasingly fast, incorporation of new resources to facilitate the use of powerful tools for health professionals.

Complex perimeters to protect

People: patients, visitors, staff, companies operating on site or remotely and their behaviours must all be taken into account (access, mobility, location, etc.).

Premises: often sprawling and open to the city

Security resources: as facilities change over time, systems may come to co-exist; their interoperability in terms of functioning and surveillance may be limited.

Technical and logistical resources: these include various management technologies (e.g. SCADA) which sometimes differ with respect to age and design. The systems directed may be classified as industrial systems for particular purposes in the health domain (storage of medicines, surgical instruments, etc.).

Medical equipment: medical equipment with a wide variety of makers and versions often co-exists with systems that resist security updates, anti-virus programs and other protection systems. This may disrupt treatment and transmission of data concerning patient laboratory results and procedures. Today, medical equipment is undergoing a revolution tied to the Internet of Things (IoT). This revolution entails all the difficulties associated with security and compromises made in the interest of reducing time to market.

Information system media and health data: computers and telephones now form part of healthcare and health management systems, both at a hospital level and at a country level. Availability, integrity and confidentiality all contribute to care. Events that affect these three elements of information security may impact people’s health and personal lives, as the GDPR observes.

And yet a great deal of information is already available

All these elements often include management and supervision systems but are generally managed by players with different professions and different objectives for protection. They have stronger or weaker monitoring and alert capabilities and can rarely be consolidated or correlated.
Therefore, the initial challenge of the SAFECARE project is to bring together information sources in order to model risks and determine indicators of their origins.

Fig. 2: Architecture and ecosystem of the SAFECARE project

Objective no. 1: To gather events that act as indicators of the security of critical elements

First, these critical elements must be identified. Next, all events must be captured to produce a picture of their “health status” and the behaviours of sources of potential risks for the entire perimeter, including: building management (energy, climate control, access, etc.), medical equipment and IT services as well as risk situations perceived by staff (physical threats, verbal threats, individuals with suspicious behaviour, etc.).

After that, sensors relevant to each situation must be available. A particular goal of the project is to provide a model and tools for detection of threats to medical equipment.
Ultimately, we aim to make it easier to collect and format this data and add it to a knowledge base of events that will serve as the heart of the detection and protection system.

Objective no. 2: To become agile when faced with weak signals as well as multiple and combined physical and cyber threats

Risk modelling (using the EBIOS Risk Management method developed by the French Network and Information Security Agency [ANSSI]) and ontology development to enable modelling of impact propagation are two major design phases in the project. Rules for impact propagation and decision-making will be incorporated into the central database, and tools to represent semantic networks to translate these scenarios will be developed to facilitate learning and aid in decision-making. Artificial intelligence technologies will enable learning from risk situations, in particular for the cyber perimeter.

Objective no. 3: To provide a simple picture to security operators

Facilitating detection and prevention involves alerting relevant security players (guards, fire-fighters, police, SOCs, etc.) by suitable modes of communication (voice messages, videos, signals, graphs, mobility tools, etc.) in the event of a situation.
The solutions proposed will make it easier to communicate, issue alerts and get help quickly and efficiently as alerts will be accompanied by information. This will help to curb uncertainty and ultimately optimise detection and protection.

Objective no. 4: To provide a clear picture to decision-makers in crisis management

Providing precise indicators of an incident and assessing propagation scenarios are crucial for limiting the impact of that incident (for example, which sites are threatened by a potential or actual attack on medical equipment?).

Objective no. 5: To facilitate communication and organise resources

Beyond security players, communication must enable health professionals to recognise the degree of reliability of their medical equipment and premises (can resources be used in full trust?). Information on availability of health infrastructure in the event of a major incident at a hospital-wide, regional or national scale might also be much more extensive.

Conclusion:
Unite to protect — this is the way forward to defend health infrastructure, staff and patients. The SAFECARE project translates this necessary sharing to the European level among players in health operations security (police and fire-fighters) and industry as well as universities and scientific institutions. Efforts to train and help each other extend beyond SAFECARE. Maintaining a certain agility of defence to match the agility of threats represents a challenge for all security players in Europe and throughout the world.

Philippe Tourron,
Chief Information Security Officer (CISO) — European SAFECARE Project Director. Digital Services Division — Marseille Public University Hospital System (AP-HM).

SAFECARE (SAFEguard of Critical heAlth infrastructuRE) has received funding as part of the “Secure societies — Protecting freedom and security of Europe and its citizens” challenge of the Horizon 2020 Research and Innovation programme of the European Union under grant agreement 787002.