
Dr. Evgenia Nikolouzou, Officer in Network and Information Security, ENISA – The EU Agency for Cybersecurity

CYBERSEC4HEALTH, Brussels

10 07 2019

ENISA ROLE AND WORK ON THE eHEALTH DOMAIN

AGENDA

Situational analysis of cybersecurity in eHealth

• Current and evolving cybersecurity landscape in the sector

Evolving regulatory landscape for cybersecurity in eHealth

• Implementation status of the NIS Directive

• Cybersecurity Act / Cybersecurity Certification Framework

ENISA’s on-going activities in eHealth

• 2019 report on procurement guidelines for Healthcare organisations

• Cyber Europe 2020

• 5th eHealth Security Conference organised by ENISA in Barcelona

The NIS Directive and Cybersecurity in eHealth

POSITIONING ENISA’S ACTIVITIES

eHEALTH CYBERSECURITY – SITUATIONAL ANALYSIS

• Confidence in response: 92% up from 82% two years ago

• Patching: 87% claim to frequently patch systems

• Investment: More healthcare organizations (28%) are spending 11-20% more on cybersecurity than in 2017

• Outdated systems: Number of devices running on Windows XP has fallen from 1 in 5 to 1 in 10

Source: Infoblox - Cybersecurity in Healthcare, 2019

• 200% increase in software supply chain attacks

• 600% increase of attacks on IoT devices, 29% on ICS

• 46% increase in ransomware variants

Source: Infoblox - Cybersecurity in Healthcare, 2019

Source: IBM, Cost of a Data Breach, 2018

THE NIS DIRECTIVE

OBLIGATIONS FOR MS ON OES

• Identification of operators of essential services

• Minimum security measures to ensure a level of security appropriate to the risks

• Incident notification to prevent and minimize the impact of incidents on the IT systems that provide services

• Make sure authorities have the powers and means to assess security and check evidence of compliance for OES

NIS COOPERATION GROUP

SECURITY MEASURES FOR OES

NIS DIRECTIVE - TIMELINE

CYBERSECURITY ACT

ENISA Reform

• An EU Agency for Cybersecurity

• Stronger Mandate

• Permanent Status

• Adequate Resources

EU Cybersecurity Certification Framework

• One framework, many schemes

• Certificates valid across all MS

• Roles for MS and ENISA

• Voluntary and risk-based approach; any need for mandatory schemes to be identified

A proactive continent

The EU Cybersecurity Certification Framework - An Overview

• Security certification of products has, in practice, been synonymous with Common Criteria

• Within the EU

  • SOG-IS MRA is the forum for Common Criteria certification

  • Several national and sectorial initiatives focus on security certification

Certification entails “the provision of assessment and impartial third-party attestation that fulfilment of specified requirements has been demonstrated” (*)

(*) ISO/IEC 17067:2013

Goals of the new framework

• Addresses market fragmentation

  • Products, services, processes

• Proposes a risk-based approach for voluntary certification

  • EU declaration of conformity

• Defines assurance levels

  • Basic, Substantial, High

• Defines the role for Member States

  • Propose the drafting of a candidate scheme

  • Participate in the European Cybersecurity Certification Group (ECCG), which is composed of national certification supervisory authorities

  • Involved in the adoption of an implementing act

  • Tasks outlined as per Regulation (EU) 765/2008 on accreditation and market surveillance

Key provisions for ENISA 1/2

• Prepare candidate cybersecurity certification schemes or review existing ones, on the basis of:

  • The Union Rolling Work Program (URWP) for EU Cybersecurity Certification

  • A specific request from the Commission or the ECCG

• Maintain a dedicated website providing information on:

  • EU cybersecurity certification schemes

  • National certification schemes replaced by EU ones

  • A store of EU statements of conformance

• Assist the Commission in providing the secretariat to the ECCG

• Along with the Commission, co-chair the Stakeholder Cybersecurity Certification Group (SCCG)

Key provisions for ENISA 2/2

• Provide secretariat to the SCCG

• While carrying out its tasks, take into account the requirements on:

  • Security objectives of EU cybersecurity certification schemes

  • Assurance levels

  • Elements of EU cybersecurity certification schemes

• Participate in the peer review of National Cybersecurity Certification Authorities

• Potentially provide guidance on areas such as:

  • Conformity self-assessment

  • Cybersecurity information for certified products, services and processes

  • Third-country agreements with the European Commission on certification

ENISA mission in cybersecurity certification

CSA implementation: an ENISA update

To contribute to the emerging EU framework for the certification of products, services and processes.

To draw up certification schemes in line with the Cybersecurity Act, providing stakeholders with a sound service that adds value to the EU while supporting the framework.

Key outputs

• Draft and finalise candidate certification schemes for products, services and processes

• Secretariat support to the SCCG and co-chair of the SCCG (with the Commission)

• Support the Commission in chairing the ECCG

• Support the review of adopted certification schemes

• Implement and maintain the CSCF public website

• Support peer review between national cybersecurity certification authorities

• Advise on market aspects relevant to cybersecurity certification

Stakeholders’ interactions 1/3

Stakeholders’ interactions 2/3

Stakeholders’ interactions 3/3

Conformity assessment against a scheme

[Diagram: conformity assessment against a scheme. At EU level, an EU Cybersecurity Certification Scheme defines the requirements and the evaluation process. A Conformity Assessment Body applies the scheme, assesses the product's conformity to it, produces a Certification Report and certifies product conformity. At Member State level, the National Accreditation Body accredits the Conformity Assessment Body and the National Certification Authority supervises it.]

Areas of certification interest

Areas of interest              Lead stakeholders
SOG-IS                         MS, EC
Cloud computing                CSP Cert consortium, EC
IoT                            EC, other e.g. Internet Society
5G                             EC
Banking supervision            ECB
IACS                           EC/JRC
Vertical industries and areas  TBD

eHEALTH – ENISA ACTIVITIES

ENISA 2019 REPORT FOR eHEALTH CYBERSECURITY

• Procurement guidelines for Cybersecurity in Healthcare organisations

  • Target audience: healthcare organisations/hospitals

  • Entire applicable procurement scope of a healthcare organisation (products, services, infrastructure etc.)

  • Interviews with healthcare organisations to take place

  • Stock-taking of existing guidelines/regulations

5TH eHEALTH SECURITY CONFERENCE

THANK YOU FOR YOUR ATTENTION

European Union Agency for Cybersecurity

Vasilissis Sofias Str 1, Maroussi 151 24

Attiki, Greece

+30 28 14 40 9711

[email protected]

www.enisa.europa.eu

