Cyber-Physical Security in Healthcare

Introduction

Critical infrastructure (CI) is an asset or system which is essential for the maintenance of vital societal functions. The damage to a CI, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behavior, may have a significant negative impact for the security of the EU and the well-being of its citizens. Over the last decade, healthcare sector has been considered as a CI and the most vulnerable one, facing numerous physical-cyber threats that affect citizens’ lives and habits, increase their fears and influence hospital services provision. Healthcare sector as a CI is safeguarding people, services, systems and physical infrastructure providing vital operation to the health services.

Health sector is responsible for delivering services that improve, maintain or restore the health of individuals and their communities (World Health Organisation, 2019). These services are large and complex, affect and get affected by multiple interacting actors, such as doctors, nurses, patients, citizens, medical suppliers, health insurance providers etc., with different backgrounds, knowledge, organizational beliefs, interests and culture. Health systems could provide services that are personal and non-personal. Personal health services can be therapeutic or rehabilitative and are delivered to patients and citizens individually. Non-personal health services are actions applied to individuals or collectives and might refer to health education (Peters, Kandola, Elmendorf, & Chellaraj, 1999).

Health services are widely relying on information systems (IS) to optimize organization and costs, whereas ethics and privacy constraints severely restrict security controls and thus increase vulnerability.

Threats in the healthcare sector can result in economic damage, human casualties, property destruction, and hospital assets functionality disruption that can produce cascading effects and harm patients’ and citizens’ confidence. Today, healthcare landscape is facing major threats, which cannot be analyzed as physical or cyber independently, and therefore it is critical to develop an integrated approach in order to fight against such combination of threats. Cyber-physical attacks are the results of the exploitable vulnerabilities that need to be considered by hospitals.

In this chapter, we will focus on a framework related to the enhancement of Hospitals’ security and resilience, and respective solutions that will improve physical and cyber security to prevent and detect complex attacks, to promote incident responses and mitigate the impacts, based on the work implemented and further foreseen under SAFECARE project (H2020-GA787005),. In these terms, we will initially analyze the normative literature on CI and healthcare sector security and safety challenges and protection. In doing this, we will present healthcare critical assets’ vulnerabilities and describe cyber-physical threats that can affect them (as they have been identified in SAFECARE). In addition, SAFECARE architecture solution will be presented, including a cyber-physical security system and proposed strategies that can boost their protection; avoid threats’ cascading effects; enhance internal and external stakeholders’ communication and response; mitigate impacts; and maintain healthcare services secure and available to citizens. Finally, some representative scenarios that will be validated during the project will be analyzed.