ENISA Report - Cloud Security For Healthcare Services
CLOUD SECURITY
FOR HEALTHCARE
SERVICES
JANUARY 2021
ABOUT ENISA
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to
achieving a high common level of cybersecurity across Europe. Established in 2004 and
strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity
contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and
processes with cybersecurity certification schemes, cooperates with Member States and EU
bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge
sharing, capacity building and awareness raising, the Agency works together with its key
stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s
infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure. For more
information, visit www.enisa.europa.eu.
CONTACT
For contacting the authors please use eHealthSecurity@enisa.europa.eu
For media enquiries about this paper, please use press@enisa.europa.eu.
AUTHORS
Dimitra Liveri, Dr. Athanasios Drougkas, Antigone Zisi, EU Agency for Cybersecurity
ACKNOWLEDGEMENTS
For providing valuable information that helped shape the report (in alphabetical order):
Gioulekas Fotios, University Hospital of Larissa & 5th Regional Health Authority of Thessaly and Sterea, Greece
Starolis Saulius, National Health Insurance Fund under the Ministry of Health, Lithuania
Žukovskis Raivis, The National Health Service of the Republic of Latvia, Latvia
LEGAL NOTICE
Notice must be taken that this publication represents the views and interpretations of ENISA,
unless stated otherwise. This publication should not be construed to be a legal action of ENISA
or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 2019/881.
This publication does not necessarily represent state-of-the-art and ENISA may update it from
time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the
external sources including external websites referenced in this publication.
This publication is intended for information purposes only. It must be accessible free of charge.
Neither ENISA nor any person acting on its behalf is responsible for the use that might be made
of the information contained in this publication.
COPYRIGHT NOTICE
© European Union Agency for Cybersecurity (ENISA), 2021
Reproduction is authorised provided the source is acknowledged.
LIST OF ABBREVIATIONS
Abbreviations: Definitions
DP: Data Protection
EC: European Commission
EU: European Union
GP: Good Practice
MS: Member States
OS: Operating System
SM: Security Measure
TABLE OF CONTENTS
1. INTRODUCTION
1.2 OBJECTIVE
1.3 SCOPE
1.5 METHODOLOGY
4. USE CASES
6. CONCLUSION
7. REFERENCES
EXECUTIVE SUMMARY
The healthcare sector is going through the digitalisation process and continuously adopting new
technology to improve patient care, offer new services focusing on patient-at-home care, and
reach operational excellence. The integration of new technology in an already complex IT
infrastructure opens up new challenges regarding data protection and cybersecurity. Moreover,
the ongoing COVID-19 pandemic has been a further catalyst for cyberattacks on healthcare
organisations [1][2][3]. Typical examples are phishing attacks that aim to collect user credentials of
healthcare professionals and ransomware [4] against hospitals and other Healthcare
Organisations (HCO).
At the same time this pandemic stresses the need for remote healthcare services, since the
system was overwhelmed in some countries and physical presence was a risk for the spread of
the pandemic. In this context, Cloud solutions have provided elasticity and fast access for the
deployment of new services including «virtual» health and telemedicine.
This study aims to provide Cloud security practices for the healthcare sector and identify
security aspects, including relevant data protection aspects, to be taken into account
when procuring Cloud services for the healthcare industry.
The set of general practices aims to help IT professionals in the healthcare security contexts to
establish and maintain Cloud security while selecting and deploying appropriate technical and
organisational measures. The identification of relevant threats and risks to Cloud services in the
healthcare industry and security and data protection requirements are also covered by the
scope of this report. Further objectives include the presentation of informative and
practice-oriented use cases and their analysis of relevant threats and Cloud security measures.
The overall conclusion derived from the study is that Cloud integration in the healthcare sector
in the EU is still in its infancy. Some healthcare organisations hesitate to adopt Cloud services,
because they are challenged by a dense and complex legal basis, and new technologies.
Furthermore, the loss of data governance and processing of personal data in the Cloud makes
healthcare organisations hesitant to adopt Cloud services. Other healthcare organisations use
PaaS for connecting medical devices with a web-application for remote monitoring of patients or
SaaS for documentation and scheduling doctor-patient consultations. Some countries are in the
beginning of forming a Government Cloud (G-Cloud) to satisfy such needs. There are also
various government managed services such as electronic prescription and electronic health
records, which run on government-owned resources, such as private Clouds and state owned
datacentres and Clouds.
The study is structured around three use cases, which are the most prominent in using Cloud now or
are expected to use it in the future, namely Electronic Health Record, Remote Care and Medical Devices.
A set of 17 security and data protection measures has been identified as relevant for
ensuring Cloud security and has been assessed based on the use case.
[1] https://www.verdict.co.uk/healthcare/
[2] https://healthitsecurity.com/news/covid-19-impact-on-ransomware-threats-healthcare-cybersecurity
[3] https://healthitsecurity.com/news/the-10-biggest-healthcare-data-breaches-of-2020-so-far
[4] https://us-cert.cisa.gov/ncas/alerts/aa20-302a
1. INTRODUCTION
The COVID-19 pandemic has pushed Cloud-based technology usage in the healthcare sector,
especially in telemedicine, for patient-doctor consultations and artificial intelligence for triaging
purposes. The further integration of Cloud computing services in the healthcare sector also
raises security and data protection concerns. This report therefore aims to help ensure Cloud
security for healthcare.
1.2 OBJECTIVE
This report's overall objective is to provide the target audience with a set of guidelines to ensure
cybersecurity and security of personal data processing when procuring Cloud services for
providing healthcare services and a clear understanding of the corresponding responsibilities.
The goals are to provide an overview of the landscape of the applicable EU legislative
instruments relevant to Cloud services in the healthcare sector and the main cybersecurity and
data protection challenges, relevant to security of personal data processing, of Cloud customers
from the healthcare sector.
1.3 SCOPE
The study's scope is Cloud services that support the broader eHealth ecosystem, such as
healthcare services and facilities, medical devices and equipment, medical services, or
managed care. It is not limited to a specific Cloud architecture, deployment model or service
model. The study focuses on showing relevant threats, measures, and responsibility by
analysing three representative use cases, electronic health record, remote care, and medical
devices.
The set of guidelines for Cloud security of healthcare services (output) is primarily for Cloud
customers, such as healthcare organisations or medical device manufacturers. The study,
investigation, and the output are centred on the European Union and European Free Trade
Association (EFTA) member states.
[5] IBM, X-Force Threat Intelligence Index, 2020, pp. 39., see also Moore, J., Which sectors are most vulnerable to cyber
attacks, 2020. https://www.ifsecglobal.com/cyber-security/which-sectors-are-most-vulnerable-to-cyber attacks/
The report may be useful to IT professionals from medical device manufacturers and possibly,
policymakers and Cloud service providers.
1.5 METHODOLOGY
The applied methodology of this study comprises four steps.
Step 1 Desk Research: Extensive desk research for gathering information identifying
Cloud services supporting healthcare services, Cloud security threats, and security
controls for providing Cloud security for healthcare in general and during the
procuring process.
Step 2 Questionnaire and semi-structured interviews: Experts and
representatives from the healthcare and Cloud technology industry of ENISA’s expert
network have provided information on Cloud-based healthcare services, its
associated risks and opportunities, Cloud security and cybersecurity requirements in
general, and implemented or identified cybersecurity and data protection measures
from their point of view. Interviews have been conducted to collect additional valuable
input from the experts.
Step 3 Analysis: The analysis of the results from step 1 and step 2 provides input for
the report and its objectives. This step supports the identification of security
challenges and the validation of the use cases. Based on the analysis results, the first
draft of the report has been drafted.
Step 4 Review and validation: The last step comprises the review and validation by
ENISA’s expert group. The final version of the report is drafted, taking into account
the feedback from the experts.
2. HEALTHCARE IN THE CLOUD
The general conclusion derived from the desk research and expert interviews shows that MS
have a dedicated legislation for healthcare activities (not necessarily covering cybersecurity)
and in several cases they adopt cybersecurity guidelines for Cloud computing; there is no case
of healthcare and Cloud specific legislation. This corresponds to the assessment of the
healthcare sector as critical, thus required to abide by overall cybersecurity legislations and
guidelines.
At the same time, identification of requirements deriving from national or European legislation
proves crucial when procuring Cloud services. Some healthcare services, electronic health
records for instance, have a separate law entailing security and data protection requirements.
And eventually, to some extent the general practices overlap.
The illustration below depicts the legislative situation regarding Cloud security and healthcare.
From a legal requirements perspective, we examined four topic-related dimensions: privacy,
cybersecurity, Cloud security, and healthcare.
The most relevant legal documents or guidelines at EU level are summarised below.
The Directive goes beyond implementation of security requirements, as it gives power to the
regulatory bodies to audit the Operators of Essential Services to ensure the level of
cybersecurity in the organisation is acceptable and as per the provisions of the Directive. At the
same time, the Directive puts in scope specific services which span among the designated
essential sectors. In the healthcare ecosystem, this can be translated as cybersecurity
requirements for all products so it should be included as a provision in the procurement
process.
For the Digital Service Providers, the decision on the details of cybersecurity measures resides
with the MS, since the Directive leaves a certain level of flexibility. In the case of Cloud services
offered to an operator of essential healthcare service, both parties need to agree on how the
legal requirements will be met before reaching a contractual agreement.
The GDPR considers health data as a "special category" of personal data which are considered
to be sensitive by nature and imposes a higher standard of protection for their processing.
Organisations (Data controllers) processing health data have the following obligations (among
others):
The GDPR expanded the scope of application of EU data protection law requirements to the
data processors as well. This means that Cloud service providers, acting as data processors on
behalf of the data controller, have obligations as data controllers but their obligations would not
necessarily be the same.
[6] https://eur-lex.europa.eu/eli/dir/2016/1148/oj
[7] https://eur-lex.europa.eu/eli/reg/2016/679/oj
between data processor and data controller. This can be used as a basis for Cloud security
requirements solicitation from the healthcare sectors as well.
In 2015, the Joint Action to Support the eHealth Network (JASEHN) issued a report [8] on the use
of Cloud computing in health, focusing primarily on the secondary use of health data, which,
amongst other things, explains the responsibility shift between the HCO and the CSP based on the
service model (IaaS, PaaS, SaaS etc).
In 2018, the European Data Protection Board (EDPB) and the EDPS issued an opinion [9]
specifically for healthcare namely on data protection for eHealth Digital Service Infrastructure
compiled under the directive on patients’ rights to cross-border healthcare. Amongst other
things, the opinion includes requirements for more secure information exchange (i.e.
encryption), secure data storage and that the EC, as data processor, has to clarify the
governing rules of the processing.
[8] https://webgate.ec.europa.eu/chafea_pdb/health/projects/677102/outputs
[9] https://edps.europa.eu/data-protection/our-work/publications/opinions/edpb-edps-joint-opinion-ehdsi_en
[10] https://www.enisa.europa.eu/topics/cloud-and-big-data
Facilities denote the physical structures and supplies such as networks, cooling,
power, etc.
Organisation denotes the human resources, the policies and procedures for
maintaining the facilities and supporting the delivery of the services.
Public Cloud refers to a shared Cloud infrastructure and computational resources that are
available and reachable over the public internet.
Hybrid Cloud is a model for a group of users that share the same Cloud infrastructure and the
computational resource. The premises may be owned, managed, and operated by one or more
of the organisations in the community, a third party, or both. It may exist on the community’s
location (on-site) or the third-party’s location (off-site).
For the purpose of this report, the definition of governmental Cloud is presented based on
ENISA’s reports [11].
[11] https://www.enisa.europa.eu/topics/cloud-and-big-data/cloud-security
outsourcing of security tasks. An IaaS provider, for example, might have a service for patching
the Operating System (OS) of customers. Sometimes such services are offered by a third-party
(and this is also known as Security-As-A-Service or SECaaS).
From the data protection perspective, the definitions and most likely assignment of roles are as
follows:
Data controller: “the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the
processing of personal data” GDPR Art. 4(7).
Data processor: “a natural or legal person, public authority, agency or other body
which processes personal data on behalf of the controller” GDPR Art. 4 (7).
Depending on the service model (IaaS/PaaS/SaaS), the data processor might be the
CSP or the customer. The higher a healthcare organisation moves up the Cloud
services stack, the more processing power the Cloud provider has.
Table 1: Non-exhaustive overview of the currently identified Cloud solutions for healthcare systems

Enterprise resource planning systems (ERP systems): Enterprise resources planning systems support the
management of patients, appointments, medical staff’s schedules and inventory. Dedicated parts of an ERP
system could be available as Cloud-based solutions, for instance:
Patient management system
Health insurance management
Billing and human resource management
Other non-clinical data management

Health information systems (HIS): Health information systems are used for managing healthcare data and
entail demographic and medical patient data, which comprise records, images, or even videos. In the area of
health information systems, the following types are available or used as a Cloud-based solution:
Electronic health record (EHR)
Picture archiving and communication system (PACS)
Electronic prescription information system
Radiology information system (RIS)
Laboratory information system (LIS)
Clinical decision support (CDS)
Remote patient monitoring (RPM)

Communication services: Middleware is a communication service to transfer data between systems or devices
with a different physical location. For instance, in a Cloud-based solution for a remote monitoring solution,
only the transfer from the device to the electronic health record is Cloud-based with the medical data being
stored at a data storage facility in the healthcare organisation.

Office management: Healthcare organisations use Cloud-based file servers for document archiving or mail
servers for internal and external communication.

Health data analytics: Health data analytics need a lot of computing power. Healthcare organisations
outsource this task with Cloud technologies. Artificial intelligence [12], machine learning is used to
support medical research, diagnosis (e.g. cancer [13] or cardiac pathology [14]), data analysis (e.g. glucose
measurement), treatment recommendation, and patient engagement. The use of Cloud computing technology for
this area is continuously evaluated.

Medical devices: Medical devices identify data that can be accessed through a mobile app or a web-based
platform from different stakeholders. The healthcare services provided using Cloud-based medical devices are
blood pressure measurement using electronic stethoscope [15], glucose measurement, and electrocardiogram.
The goal is to enable patients to measure heart rates or insulin level at home while the data is directly
available to healthcare professionals for treating or scheduling an appointment. Diagnostic cameras that
support healthcare professionals during the diagnosis also belong to this category.

Medication monitoring: Medication assistance [16] supports patients following their medication through
real-time monitoring. It is a further remote healthcare technology application [17] together with
telemedicine and medical devices.

Supply chain management: Supply Chain Management guarantees the timely availability of safe medical devices
for use in the healthcare processes. This includes equipment, implants, disposables and medical software.
[12] Davenport and Kalakota, 2019
[13] Junaid Ahmad, Vinai, Bilal, 2015 and Sadhasivam, Balamurugan, and Pandi, 2018
[14] Agliari et al., 2020
[15] Leng et al. 2015
[16] Ventsislav and Rosen, 2016
[17] Cavoukian et al., 2010
3. CYBERSECURITY CONSIDERATIONS IN CLOUD FOR HEALTHCARE
Lack of trust of Cloud solutions: Overall, it has become evident that stakeholders in
the healthcare sector (patients, physicians, medical staff, and healthcare organisation
management) indicated a lack of trust of Cloud solutions. For example, patients'
concern for their medical data being stored at the facilities of the Cloud service provider is
often reduced due to the pre-existing relationship of trust between patient and doctor
and due to the higher valuation of the patient’s health over data protection and
cybersecurity. In the case of medical staff, they tend to be less aware of cybersecurity
and data protection. Therefore, it is a challenge to raise awareness for security-related
topics and train in new authentication or identification technology. Also, human
resources do not necessarily need to understand security and technologies; however,
they should be aware of the offerings of the Cloud providers in terms of that expertise.
Without training and education, the occurrence of human errors and social engineering
attacks is more likely.
Data deletion: It is extremely important to be able to erase data after retention time
has expired, but also upon data subject’s request without undue delay. The data
subjects can substantiate their requests with one of the grounds foreseen in GDPR,
such as when the data is no longer necessary for the initial purpose or when the data
subject withdraws consent. Cloud providers have partially addressed the issue of
identifying storage areas of chunks of information (data tagging). However, effective
deletion of data is still a technical challenge.
Data portability: This challenge goes hand in hand with vendor lock-in, the most
common risk regarding Cloud Computing. Data portability refers to the transfer of one’s
data from one provider to another without loss upon their request. For healthcare
certain standards are in place (like HL7) to ensure interoperability and thus portability.
[18] https://www.enisa.europa.eu/publications/big-data-protection
Encryption: One of the most important and at the same time difficult measures to
implement is encryption. It is important to ensure secrecy and integrity but it has to be
applied in all the different channels of data transfer and storage. Encryption measures
need to be implemented at both client and server level but also in the channel that
connects them. Responsibility then resides in both the Cloud customer and the Cloud
provider and has huge implications from a technical and legal perspective. At the same
time, few CSPs share the encryption keys with their customer leaving full control to the
provider.
[19] https://www.enisa.europa.eu/publications/good-practices-for-the-security-of-healthcare-services
[20] Cloud Security Alliance, 2020
[21] OWASP, 2016
4. USE CASES
In this section, three use cases of Cloud services for healthcare are shown, including a
reference Cloud architecture, factors to be considered during risk assessment, and risk
mitigation measures.
Paper-based documents containing patient data are increasingly replaced with EHR in many
countries, allowing health information to be shared in an easy-to-use and standardised way
between different stakeholders such as healthcare professionals and patients. Solutions in this
area often involve the use of Cloud computing resources or partially Cloud-based components.
Patients can access and manage their EHR through a patient portal, which is usually integrated
into Cloud solutions [22].
[22] This is an exemplar case as not every EHR deployment uses governmental Clouds provided by the respective ministry. It
is very common to see regional EHR deployments operated on public or private Clouds by public or private EHR providers.
An EHR is typically sourced as SaaS and not at IaaS level but for the sake of completeness in this report, the specific
service model is selected for the EHR.
OVERVIEW
Service Model: IaaS
Deployment model: Governmental Cloud
Recipients of the Data: Doctors and nurses, administration and accounting department, public health system, patients

Factor: Description

Confidentiality: Within the scope of the specific processing operation, the impact from loss of confidentiality
is considerable given the nature of sensitive information included in the EHR. Data subjects could be expected
to encounter significant adverse effects from unauthorised disclosure of their health data.

Integrity: The impact in case of loss of integrity should be considered particularly if the EHR includes
important patient data that may be used to influence medical decisions. Data subjects may encounter significant
or even irreversible consequences from unauthorised alteration of health data (signals and statistics), which
could even make it difficult for them to receive appropriate treatment.

Availability: Depending on the nature of data included in the EHR and the context of their use, loss of
availability may also be of significant impact. Inability to access the patient’s EHR may hinder timely and
accurate treatment of the data subjects, even putting their lives at risk.
Threat: Description

Natural phenomena: Typically, in such use cases the servers are located in data centres enforcing a suitable
level of physical security requirements, which tends to reduce the respective risk likelihood. Such data centres
usually obtain certificates that show that they are protected against fire, water, or earthquakes and the
existence of such certificates should be factored in the risk likelihood assessment.

Supply chain failure: As the infrastructure is outsourced to Cloud providers the likelihood of this risk tends
to be reduced. The failure of power supply or other Cloud service disruptions is less likely because the
providers are specialised in maintaining their services. However, even big Cloud platforms are not entirely
immune to outages of their Cloud infrastructure.

Human error: An undefined number of employees may be performing personal data processing, and there is no clear
policy regarding granular access to health records. This should be considered as a factor that increases risk
likelihood. Human actors' common mistakes in this use case are the usage of default or weak passwords, lack
of access control to sensitive data, non-compliance with security policies, or the possibility of human error.
However, the obligations of all parties involved in the process should be clearly defined, and awareness-raising
seminars should be organised periodically.

Malicious actions: Many parties such as healthcare organisations, patients, and public health officials are
strongly interconnected in this Cloud system, which is difficult to isolate from malicious actors completely.
Malicious attackers may also be internal actors who might have direct or indirect access to the Cloud services.
Potential attacks in this area might involve social engineering (e.g., phishing), theft, espionage, malware
(e.g., ransomware), or denial of service attacks. A database containing electronic health records of almost
every citizen in a specific country stored centrally may be an attractive target for malicious attackers. On the
other hand, Cloud service providers can bundle the knowledge of internal and external security experts, which
allows them to enforce security measures more efficiently than proprietary data centres. These factors and
especially the operational context of the healthcare organisation and the Cloud service provider should be
assessed when determining the risk likelihood.

System failures: Software might have errors that cause the service to fail and become unavailable. The EHR is a
very central solution to share patient information and is even legally regulated and requires security
certification in most countries, reducing the occurrence probability. The government infrastructure typically
also supports relevant governmental services that require a stable availability of the services. It can
therefore be assumed, that the probability of system failures, especially hardware is usually relatively low.
However, statistics on system failures or SLAs from the Cloud service provider can provide a more accurate
source of data to feed into the risk assessment study.
OVERVIEW
Service Model: SaaS
Deployment model: Public Cloud

Healthcare organisation: The healthcare organisation uses a telemedicine (including audio and video) application
for its doctor-patient consultation. The communication service is offered as a web and mobile application. The
healthcare professionals connect over the internet using a client to access the Cloud service. Patients connect
over the internet using either their computer or mobile phone.

Personal data processed: Contact Information (last and first name, nickname), video recordings, transcriptions
of recordings
Factor Description
Within the scope of the specific processing operation, the impact from loss of confidentiality can be
considerable as the primary focus of such use cases involves the direct exchange of patient data. Data
Confidentiality
subjects may therefore encounter significant adverse effects from unauthorised disclosure of their health
data.
The impact of the loss of integrity will depend on the nature of the telemedicine/remote care application. For
non-critical consultation applications the impact may not be as significant, but depending on the context,
Integrity alteration of medical data could have high-impact consequences. Data subjects may encounter significant or
even irreversible consequences from unauthorised alteration of health data (signals and statistics), which
could even make it difficult for them to receive appropriate treatment.
Availability: Assessing the impact of loss of availability heavily depends on the context of the telemedicine/remote care application. This may range from low in the case of standard consultations for which alternative methods of communication can be used to very high in the case of emergency interventions of medical staff using the telemedicine platform.
Threat - Description
Natural phenomena: Typically, in such use cases, the servers are located in data centres enforcing a suitable level of physical security requirements, which tends to reduce the respective risk likelihood. Such data centres usually obtain certificates that show that they are protected against fire, water, or earthquakes and the existence of such certificates should be factored into the risk likelihood assessment.
Supply chain failure: As the infrastructure is outsourced to Cloud providers the likelihood of this risk tends to be reduced. The failure of power supply or other Cloud service disruptions is less likely because the providers are specialised in maintaining their services. However, even big Cloud platforms are not entirely immune to outages of their Cloud infrastructure.
Human error: (Video)Conferencing tools are considered standard IT equipment which makes it more likely that users are familiar with this technology and the relevant interfaces. Especially during the pandemic situation, the adoption of and familiarisation with videoconferencing solutions has increased significantly. Still, the risk may be higher when medical staff are less familiar with or un-trained in the use of such tools.
Malicious actions: During the pandemic, many stakeholders have switched to remote conferencing and telemedicine, which in turn has led to such solutions becoming more attractive targets. Healthcare organisations also extended the use of teleconsultation. Potential attacks in this area might involve social engineering (e.g. phishing), theft, espionage, malware (e.g. ransomware), or denial of service attacks.
System failures: Videoconferencing technology has been developed and improved for a long time, resulting in well-established software solutions. Nevertheless, software failure might still happen with low likelihood since Cloud has enough redundancy.
In this use case, we consider a medical device manufacturer that produces a device to measure
certain patient data (e.g. a pacemaker measuring heartbeat). The device itself is not able to
communicate over the internet. However, it can transfer measurements via Bluetooth to
smartphones with an appropriate app from the device manufacturer. The app can then transfer
the aggregated measurements for a month to a Cloud file storage provider and share this
information with the treating doctor.
OVERVIEW
Service Model: PaaS
Deployment model: Private Cloud
Healthcare organisation: The healthcare organisation offers its patients a medical device (e.g. pacemaker) that is connected to their mobile device. Healthcare professionals can access the measured data over the internet using their clients.
Medical device manufacturer: The medical device manufacturer offers a Cloud service for patient measurements (e.g. measuring heartbeats) to healthcare organisations. The medical device manufacturer provides the application and the device and ensures the connection to the Cloud service provider through APIs for data transfer. It uses PaaS to securely develop and deploy the software, including sending emails with individualised links containing the uploaded aggregated measurements.
Cloud service provider: The Cloud service provider provides the application platform, including application interfaces and the underlying Cloud infrastructure that includes network, servers, operating systems, and storage.
Factor - Description
Confidentiality: Loss of confidentiality for similar use cases may cause data subjects to encounter significant adverse effects from unauthorised disclosure of their health data. Within the scope of the specific processing operation, the impact from loss of confidentiality is not necessarily considered critical since the disclosure of measurements such as heartbeats is usually not as severe as disclosing other health data. However, exchanging the data in its entirety through unsecure means (i.e. email) poses a risk in itself. In a broader context, the impact of loss of confidentiality for use cases involving medical devices depends on the nature of the data involved in the operation.
Integrity: In the case of loss of integrity, data subjects may encounter significant or even irreversible consequences from unauthorised alteration of health data. For instance, doctors may prescribe inappropriate medication. This impact is heavily influenced by the overall treatment process; for instance, a doctor might notice sudden deviations from regular measurements, and doctors usually explain treatment procedures or changes in medication via personal conversations, which might reveal the alteration of data. In the case of more automated processes, or even processes where the device can act based on the data, the impact of loss of integrity may be significantly higher.
Availability: The impact of loss of availability may range from moderate to critical depending on the frequency by which the measurements need to be made available to medical staff or even the nature of the measurements (e.g. when an anomaly in measurements may indicate a life-threatening circumstance). The lack of data may affect the patient’s health because unavailability affects intervention options.
Threat - Description
Natural phenomena: Typically, in such use cases the servers are located in data centres enforcing a suitable level of physical security requirements, which tends to reduce the respective risk likelihood. Such data centres usually obtain certificates that show that they are protected against fire, water, or earthquakes and the existence of such certificates should be factored into the risk likelihood assessment.
Supply chain failure: As the infrastructure is outsourced to Cloud providers, the likelihood of this risk tends to be reduced. The failure of power supply or other Cloud service disruptions is less likely because the providers are specialised in maintaining their services. However, even big Cloud platforms are not entirely immune to outages of their Cloud infrastructure.
Human error: The medical devices need to be configured and require patches. The lack of patches or adequate configuration, procedures, or processing errors may leave the device vulnerable to cyberattacks.
Malicious actions: The system handles patients' private information, which might be interesting for malicious actors. Malicious attackers may also be internal actors who might have direct or indirect access to the Cloud services. Potential attacks in this area might involve theft, espionage, malware (e.g., ransomware), or denial of service attacks. On the other hand, Cloud service providers can have access to the knowledge of internal and external security experts, which allows them to enforce security measures more efficiently than proprietary data centres. These factors and especially the operational context of the healthcare organisation and the Cloud service provider should be assessed when determining the risk likelihood.
System failures: Medical devices undergo an extensive certification process that should impact occurrence probability positively. The software to access the health data may be subject to failures, but security requirements are relatively high to ensure patient safety. Network and IT hardware failure may occur and depends heavily on the location. However, there is very low probability for system failures due to the multi-tenancy and redundancy the Cloud services offer.
5. CLOUD SECURITY MEASURES
This section provides a set of guidelines for ensuring cybersecurity and data protection for the
healthcare sector’s Cloud customers procuring and eventually providing Cloud-based
healthcare services. The security measures are based on common frameworks for Cloud
security such as BSI C5 and ANSSI Cloud recommendations, but also the ongoing work on
Cloud certification. This section contains the security measures with corresponding references
to the good practices of ENISA’s procurement guide and the use cases.
The last item relates to how each security measure eventually satisfies a potential data
protection requirement and shows how through this measure acceptable implementation of the
requirement is met. Some use cases require stronger data protection measures due to the
criticality of the data and the evaluated risk. These enhancement considerations are attached to
the Cloud security measures where applicable.
Involve necessary stakeholders such as risk, legal, compliance, or IT department in the procurement process. Requirements
solicitation should entail regulatory compliance.
Investigate and identify requirements such as:
local legislation and pan-area legislation for cloud security, cybersecurity and data protection
internal requirements such as information security policies
legal requirements which apply to a specific healthcare product; for instance, countries enforce specific security and data protection requirements for electronic health records.
security and data protection requirements of the governmental Cloud service provider.
Check and assess legal requirements for data protection, cybersecurity, and Cloud security. Reconcile legal requirements with the security controls of the Cloud service provider. In this case, it would be essential for the healthcare organisation to tag and assign data based on sensitivity levels, and to ensure that this is provided to the CSPs so that they can assign higher or lower levels of controls depending on the data.
Request evidence from the Cloud provider such as certification from third-party auditors to ensure the Cloud provider's adherence
to recognised standards.
Ensure that responsibilities for ensuring compliance between the Cloud customer and Cloud service provider are identified and
understood.
Address security and privacy requirements in the service level agreement between the Cloud customer and the Cloud service
provider. Require proof from the CSP for ensuring compliance with the requirements.
Cloud Customer x x x
Responsibility
Cloud Service Provider
Conduct a risk assessment according to national guidelines or following a well-known methodology (find some here [23]) to identify cybersecurity and data protection threats and risks for new Cloud services and evaluate the impact on the overall IT security risk.
Conduct a data protection impact assessment when procuring Cloud services (ENISA tool for evaluating the risk of personal data processing operation [24]).
Ensure alignment with the healthcare organisation’s risk appetite by identifying and implementing controls to mitigate identified risks to the organisation’s risk acceptance level, by refraining from procuring the Cloud service, or by choosing another provider.
Monitor the risk landscape continuously to be able to identify emerging risks or to enforce further controls.
Cloud Customer x x x
Responsibility
Cloud Service Provider
[23] https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/business-process-integration/the-enisa-rm-ra-framework
[24] https://www.enisa.europa.eu/risk-level-tool/risk
SM-03 Establish processes for security and data protection incident management
Ensure that an incident response plan defines the actions to be taken after a security incident has occurred at the Cloud service
provider. The Cloud service provider should have a process for handling security incidents according to European or national
legislation.
Identify the responsibilities of Cloud customers and Cloud service providers in the case of a security or data protection incident.
Ensure that internal measures, processes, and roles are in place and aligned with the Cloud service provider’s security
provisions.
Test security incident processes in collaboration with the Cloud service provider and verify how a security incident can be
reported to the Cloud service provider.
Request reports from the Cloud service provider for detected security incidents and the status monitoring of reported security
incidents by the Cloud service provider.
Ensure the SLA contains at least performance indicators for the defined availability and capacity of the Cloud service, response and reaction times of the Cloud service provider’s service organisation, notification of predefined maintenance or other planned downtime, and security incidents that have occurred, either by default or on request.
Cloud Customer x x
Responsibility
Cloud Service Provider x x x
Ensure the Cloud provider gives notice of planned downtime several days in advance.
Define processes for business continuity and identify the Cloud service provider’s and Cloud customer’s responsibility in the event
of a service disruption. Ensure the Cloud service provider has an effective business continuity management plan (based on best
practices or national guidelines).
Test the business continuity process and ensure that key roles are familiar with their tasks.
Define and document procedures and responsibilities for critical operations that can damage assets stored in the Cloud
computing environment.
Examples of the critical operations are:
installation, changes, and deletion of virtualised devices such as servers, networks, and storage;
termination procedures for Cloud service usage;
backup and restoration.
Ensure monitoring of these operations by a supervisor.
Disaster recovery and data restore
Identify disaster recovery and data restore requirements of the healthcare organisation. Assess whether the Cloud service needs
provision from two separate locations that give each other redundancy.
Ensure disaster recovery and restore processes of the Cloud service provider are aligned with these identified requirements.
Identify the emergency contact of the Cloud service provider.
Request a test protocol from the Cloud service provider that shows successful disaster recovery and data restore process testing.
Backup
Ensure adequate backup (i.e., offsite backup or a multi-Cloud approach) to ensure business continuity in case of Cloud service
provider failure or data loss.
In the event backup is part of the Cloud service, define or identify backup requirements following information security policies and legal requirements (to ensure compliance).
Request information on the Cloud service provider's backup capabilities and verify that these meet backup requirements.
Implement backup capabilities if the Cloud provider does not provide them, or the requirements are not met.
Cloud Customer x x x
Responsibility
Cloud Service Provider x
The Cloud customer's assets stored on the Cloud service provider's premises should be removed, and returned if necessary, promptly upon termination of the contractual agreement or once the data retention period is met. Proper permanent deletion of data upon the customer’s or data subjects' request is the full responsibility of the Cloud provider.
Data deletion
Ensure data is deleted according to recognised standards or techniques, meaning permanently and irretrievably deleted, and
taking into account backup and log data.
Termination
Request a description of the termination process, disposal and return of Cloud customer’s asset and reuse of resources from the
Cloud service provider.
Ensure the description contains a list of all the assets and documents the schedule for the termination of service, which should
occur promptly.
Cloud Customer
Responsibility
Cloud Service Provider x x x
[25] https://www.enisa.europa.eu/publications/privacy-and-security-in-personal-data-clouds
Define or identify requirements for event logging (for instance, audit trails for patients to control access to their EHR, retention of logs) and verify whether the Cloud service provider meets those requirements.
Determine and evaluate the adequacy of the Cloud service provider's logging capabilities for privileged operations. Ensure privileged operations delegated to the Cloud service provider are logged, and the Cloud service provider provides corresponding log reports on request. Request documentation from the Cloud service provider of service monitoring capabilities and ensure the monitoring data is consistent with event logs and SLA terms.
Ensure that the Cloud service provider meets the agreed capacity requirements through continuous monitoring. Monitor and
forecast the use of Cloud services to promptly communicate changes in capacity to the Cloud service provider and ensure quick
adjustment.
Implement additional logging capabilities to close the gap between the Cloud service provider's logging capabilities and the Cloud
customer’s requirements.
Ensure data retention for log data follows legal requirements. Ensure log data is also deleted in the case of termination or change
of provider.
Auditing the Cloud provider is a rather cumbersome task for the healthcare organisation to take over; auditing takes place at
specific intervals to ensure compliance and certification maintenance.
Cloud Customer x x x
Responsibility
Cloud Service Provider
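The SLA indicators and planned-downtime notice called for under incident management and business continuity, and the consistency check between monitoring data, event logs and SLA terms above, can be verified from the Cloud customer's side. The following is an added example, not part of the ENISA report: the Outage record layout, the 99.9 % availability target, the three-day notice period and all sample records are constructed assumptions.

```python
"""Customer-side check of provider SLA reporting (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Outage:                      # hypothetical record layout, not a provider format
    start: datetime
    end: datetime
    planned: bool = False
    notified_at: Optional[datetime] = None   # announcement time (planned downtime only)


def overlaps(a: Outage, b: Outage) -> bool:
    return a.start < b.end and b.start < a.end


def downtime(outages: List[Outage], period_start: datetime, period_end: datetime) -> timedelta:
    """Unplanned downtime inside the period; overlapping records are counted once."""
    spans = sorted((max(o.start, period_start), min(o.end, period_end))
                   for o in outages if not o.planned)
    total = timedelta(0)
    cur_start = cur_end = None
    for start, end in spans:
        if start >= end:                       # record lies outside the period
            continue
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:                                  # overlaps the span being accumulated
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def availability(outages: List[Outage], period_start: datetime, period_end: datetime) -> float:
    return 1.0 - downtime(outages, period_start, period_end) / (period_end - period_start)


def late_notices(reported: List[Outage], min_lead: timedelta) -> List[Outage]:
    """Planned downtime announced with less than min_lead notice, or not announced."""
    return [o for o in reported if o.planned
            and (o.notified_at is None or o.start - o.notified_at < min_lead)]


def evaluate(observed, reported, period_start, period_end, target, min_lead) -> Dict:
    planned = [r for r in reported if r.planned]
    # Assumption: downtime inside an announced maintenance window does not count
    # against the SLA. The contract decides this; adjust to its wording.
    counted = [o for o in observed if not any(overlaps(o, p) for p in planned)]
    provider_av = availability(reported, period_start, period_end)
    observed_av = availability(counted, period_start, period_end)
    return {
        "provider_availability": provider_av,
        "observed_availability": observed_av,
        "sla_met_per_provider": provider_av >= target,
        "sla_met_per_customer": observed_av >= target,
        "late_notices": late_notices(reported, min_lead),
        # Outages the customer's monitoring saw that no provider record covers.
        "unreported": [o for o in observed if not any(overlaps(o, r) for r in reported)],
    }


# Constructed sample data for a 30-day reporting period.
PERIOD_START, PERIOD_END = datetime(2021, 3, 1), datetime(2021, 3, 31)
REPORTED = [   # what the provider's monthly report lists
    Outage(datetime(2021, 3, 10, 2, 0), datetime(2021, 3, 10, 2, 30)),
    Outage(datetime(2021, 3, 20, 22, 0), datetime(2021, 3, 20, 23, 0),
           planned=True, notified_at=datetime(2021, 3, 19, 10, 0)),
]
OBSERVED = [   # what the customer's own monitoring recorded
    Outage(datetime(2021, 3, 10, 1, 55), datetime(2021, 3, 10, 2, 35)),
    Outage(datetime(2021, 3, 15, 14, 0), datetime(2021, 3, 15, 14, 20)),
    Outage(datetime(2021, 3, 20, 22, 0), datetime(2021, 3, 20, 22, 58)),
]

if __name__ == "__main__":
    result = evaluate(OBSERVED, REPORTED, PERIOD_START, PERIOD_END,
                      target=0.999, min_lead=timedelta(days=3))
    for key, value in result.items():
        print(f"{key}: {value}")
```

With this data the provider's report meets the target while the customer's own measurements do not, which is the kind of gap the consistency check is meant to surface.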
Identify the scope of responsibility for technical vulnerability management and patch management. Determine and set up
processes for vulnerability management and patch management in scope.
Request specifications of the Cloud service provider’s vulnerability and patch management practices that affect the Cloud service.
The Cloud service provider should give evidence of regularly performed technical assessments such as penetration tests or vulnerability scans, either by default or at the Cloud customer's request. Conduct or request security testing in the event the Cloud service provider cannot provide evidence, or the application has not been tested.
Cloud Customer x x
Responsibility
Cloud Service Provider x x x
Include information and assets stored in a Cloud environment in the asset inventory. Indicate where the data is stored, i.e. Cloud
services. Asset changes should be monitored and recorded.
Classify information and data that are stored or will be stored in a Cloud environment to meet security requirements.
Align change management process between the Cloud service provider and healthcare organisation. Ensure any change made
by the Cloud service provider is taken into account in the internal change management process.
Identify the data protection levels for data confidentiality, integrity, and availability.
Reference to Good Practice Procurement GP 28. Perform asset inventory and configuration management
Cloud Customer x x x
Responsibility
Cloud Service Provider
SM-09 Enable data encryption for data at rest and data in transit
Ensure data in the Cloud service provider’s location is encrypted during the whole data life cycle (creation, storing, using, sharing,
archiving, deleting).
Review the Cloud provider’s encryption practices to ensure they meet the required encryption level, are compatible with other
cryptographic protection, and meet regulatory requirements.
Ensure data transfer from and to the Cloud service for all incoming and outgoing connections is encrypted.
(Note: Encryption in transit is always a shared responsibility. The Cloud customer needs to take the appropriate measures to ensure that encryption will function properly; for example, a provider or patient using outdated browsers with known vulnerabilities in encryption protocols will break the encryption measures applied by the CSP.)
Reference to Good Practice Procurement GP 10. Encrypt sensitive personal data at rest and in transit
Cloud Customer x x x
Responsibility
Cloud Service Provider x x x
Define security requirements for key management and ensure procedures for key management are implemented.
Identify cryptographic keys for each Cloud service and manage them according to defined requirements and procedures.
In the event the Cloud service provider offers key management functionality, request documentation from the Cloud service provider on the type of keys used and specifications of key management covering procedures for each stage of the key lifecycle, such as generating, changing/updating, storing, retiring, retrieving and destroying.
Ensure keys are stored on certified devices (for example, hardware security modules), which ensure the level of protection for the
key material.
Ensure segregation of duties is in place for the key management and is enforced by technical or organisational means.
Ensure a process for recovering encryption keys is in place.
Evaluate an encryption approach (provider- or client-managed key or hold-your-own-key) based on the risk analysis for your data and business. Where possible, use a client server-managed key.
Reference to Good Practice Procurement GP 10. Encrypt sensitive personal data at rest and in transit
Cloud Customer x x
Responsibility
Cloud Service Provider x x x
Ensure all data is provided in industry-standard format upon request from the Cloud service provider.
Make sure the Cloud service provider uses standardised and secure network protocols for the import and export of the data to
and from the Cloud service.
Interoperability
The Cloud service provider should use open and published APIs to support interoperability between components and applications.
Ensure the Cloud service provider uses an industry-recognised virtualisation platform and standard virtualisation formats to
support interoperability.
Cloud Customer x x x
Responsibility
Cloud Service Provider
Identify all devices such as laptops, mobile devices, medical devices, etc. (endpoints) of your personnel connecting to the Cloud
service.
Ensure that the identified assets are included in the asset inventory.
Define a security baseline for hardening the endpoints according to internal information policies and ensure device configuration
meets the requirements during the whole lifecycle. For example, this could be achieved using a device management solution or
regular assessments of the client’s current state.
Implement technical controls to meet security requirements.
Use tools for facilitating endpoint security offered by the Cloud service provider.
Reference to Good Practice Procurement GP 28. Perform asset inventory and configuration management
Cloud Customer x x x
Responsibility
Cloud Service Provider
Ensure access policies specify security requirements for user access to data, application interfaces, systems, and the network or
network components for each Cloud service.
Ensure that access to the Cloud services is secured by strong authentication controls such as multi-factor authentication.
Ensure a process for restoring authentication data is in place.
Determine whether access to the Cloud service, Cloud service functions, and Cloud customer data can be restricted following the
internal access policy.
Cloud Customer x x x
Responsibility
Cloud Service Provider
Establish a regular target group-oriented awareness and training programme for all internal (employees) and external actors (Cloud service providers) who deal with sensitive data such as electronic health records or medical diagnoses. Educate medical staff on what sort of security benefits CSPs provide in terms of risk reduction, protection of patients' health data, etc., so that they realise there are core benefits to outsourcing security where trust and security are intrinsic to the business. More general cybersecurity awareness around social engineering attacks and good cyber hygiene for medical staff/healthcare professionals (e.g. not always using the same login and passwords, or requiring two-factor authentication by default) would all help alleviate common human error.
The target group consists of supervising managers, operational staff, IT personnel, and users such as medical practitioners, nurses, and patients. Pay special attention to the security provided around customers'/patients' data, for their peace of mind.
Cover Cloud-related procedures and standards, risks and risk management, risks affecting the system and network environment when using Cloud services, and legal/regulatory aspects. Best practices and documented guidelines are also recommended to support the final goal.
Cloud Customer x x x
Responsibility
Cloud Service Provider
Ensure traffic between untrusted and trusted connections of network environments and virtual instances is restricted and monitored. This configuration should be reviewed on an annual basis. Implement security measures according to the risks identified, including any additional functions required: Intrusion Protection System, anti-DDoS solutions, WAF, CASB, ATP, Threat intelligence.
Request information on the security perimeter from the Cloud service provider. Ensure that all allowed services, protocols, ports,
and compensating controls are documented.
Cloud Customer x
Responsibility
Cloud Service Provider x x x
Ensure the Cloud service provider applies appropriate segmentation for data, applications (physical and virtual), infrastructure,
and network between different tenants to restrict one tenant's access to another tenant's resources.
Request evidence from the Cloud service provider of established policies and procedures, isolation of critical assets, and/or
sensitive data.
Make sure to securely configure the provided Cloud infrastructure functionality in order to achieve the required segmentation.
Cloud Customer
Responsibility
Cloud Service Provider x x x
Ensure that the Cloud service provider provides physical security controls to protect data centres and prevent unauthorized
physical access. Controls include physical authentication mechanisms or electronic monitoring and alarm systems.
Ensure that the Cloud service provider restricts its support staff's access to physical resources according to the need-to-know or least privilege principles.
The Cloud service customer should request certifications that prove that the Cloud service provider's infrastructure is hosted in a
secure data centre.
Cloud Customer
Responsibility
Cloud Service Provider x x x
6. CONCLUSION
For a number of years healthcare organisations have been contemplating moving part of their
ICT infrastructure and services to the Cloud. Over this period, a number of healthcare-specific
solutions have been developed using a variety of service models and deployment models fit for
purpose. The on-going pandemic has further highlighted the importance of certain healthcare
services that could benefit significantly from a move to the Cloud. The potential improvements in
availability, scalability and reliability of services such as telemedicine, wider deployment and use
of EHR and medical devices for remote patient care come on top of the cybersecurity, economic
and efficiency benefits Cloud services can bring to healthcare organisations.
Yet, the level of adoption of Cloud services in healthcare remains low and generally limited to
administrative processes. A number of factors contribute to this, including lack of trust in Cloud
services, lack of expertise, compliance requirements, particularly in relation to data protection,
and more.
This report aims to help healthcare organisations in taking the next step towards further
adoption of Cloud services. Built around three standard use cases of Cloud services in a
healthcare context, this report highlights the main factors to be considered from a cybersecurity
and data protection standpoint when assessing the relevant risks. The factors can be used in
any risk assessment methodology that the healthcare organisations are currently using.
Moreover, the report proposes a set of security measures for healthcare organisations to
implement when planning their move to Cloud services. These measures cover both
cybersecurity and data protection aspects and are linked to the procurement guidelines for
healthcare organisations previously published by ENISA.
While this report is a step towards supporting healthcare organisations in taking the next step
towards Cloud services, it is not enough on its own. Healthcare organisations would require
additional support, such as specific guidance from national and EU authorities, industry
standards on Cloud security, especially in a healthcare context, clear guidelines from Data
Protection Authorities on moving healthcare data to the Cloud and collaboration with Cloud
service providers and medical device manufacturers to develop suitable Cloud solutions.
39
CLOUD SECURITY FOR HEALTHCARE SERVICES
January 2021
7. REFERENCES
AbuKhousa, E., Mohamed, N., and Al-Jaroodi, J., e-Health Cloud: Opportunities and
Challenges, Future Internet, Vol. 4, 2012, pp. 621-645, doi: 10.3390/fi4030621
Agliari, E., Barra, A., Barra, O. A., Fachechi, A., Franceschi Vento, L. & Moretti M., Detecting
cardiac pathologies via machine learning on heart-rate variability time series and related
markers, Sci Rep 10, 8845, 2020, https://doi.org/10.1038/s41598-020-64083-4
Cloud Security Alliance, Top Threats to Cloud Computing – The Egregious 11, 2020.
Cavoukian, A., Fisher, A., Killen, S. et al., Remote home health care technologies: how to
ensure privacy? Build it in: Privacy by Design, Identity in the Information Societey IDIS, Vol.
3, 2020, pp. 363–378, https://doi.org/10.1007/s12394-010-0054-y
Davenport, T., and Kalakota, R., The potential for artificial intelligence in healthcare, Future
Healthcare Journal Vol. 6 No 2, 2019, pp. 94-98. doi: 10.7861/futurehosp.6-2-94
ENISA, Cloud Computing – Benefits, risks and recommendations for information security, 2012.
ENISA, Good Practice Guide for securely deploying Governmental Clouds, 2013.
Junaid Ahmad, B., Vinai, G., & Bilal, M., Cloud Computing with Machine Learning Could Help
Us in the Early Diagnosis of Breast Cancer, 2015 Second International Conference on
Advances in Computing and Communication Engineering, Dehradun, 2015, pp. 644-648,
doi: 10.1109/ICACCE.2015.62
Leng, S., Tan, R.S., Chai, K.T.C. et al., The electronic stethoscope, BioMed Eng OnLine, Vol.
14, No 66, 2015, https://doi.org/10.1186/s12938-015-0056-y
NIST, The NIST Definition of Cloud Computing, Information Technology Laboratory National
Institute of Standards and Technology, Gaithersburg, 2011.
40
CLOUD SECURITY FOR HEALTHCARE SERVICES
January 2021
Sadhasivam, N., Balamurugan, R., and Pandi, M., Cancer Diagnosis Epigenomics Scientific
Workflow Scheduling in the Cloud Computing Environment Using an Improved PSO
Algorithm, Asian Pacific Journal of Cancer Prevention: APJCP, Vol. 19, No 1, 2018, pp. 243-
246, doi:10.22034/APJCP.2018.19.1.243
Vacca, J. R., Security in the private Cloud, Taylor & Francis Group LLC, Boca Raton, 2017.
Ventsislav, V. and Rosen, I., Cloud-Based System for Real Time Medication Monitoring. In
Proceedings of the 17th International Conference on Computer Systems and Technologies
2016 (CompSysTech '16), Association for Computing Machinery, New York , USA, 2016, pp.
151–158, doi : https://doi.org/10.1145/2983468.2983491
World Economic Forum, Understanding Systemic Cyber Risk, 2016, pp. 13.
41
CLOUD SECURITY FOR HEALTHCARE SERVICES
January 2021
A ANNEX: GENERAL PRACTICES
The tables presented below contain only the healthcare-specific standards and guidelines. For a
complete cybersecurity standards overview, you can refer to the ENISA Procurement
Guide [26] of 2020.
STANDARD
Name - Description; Dimension (country)
ISA/IEC 62443 - A series of standards including technical reports to secure Industrial Automation and Control Systems (IACS).
Dimension (country): Medical Devices (Health), Cybersecurity
NEN-7510 (NL) - This standard provides guidelines and principles for determining, setting and enforcing measures that an organisation in the healthcare sector must take to protect the information provision.
Dimension (country): Cybersecurity (Netherlands)
NEN-7512 - Health informatics - Information security in healthcare - Requirements for trusted exchange of health information (NL). It applies to electronic communication in healthcare, between healthcare providers and healthcare institutions and with patients and clients, healthcare insurers, and other parties involved in healthcare.
Dimension (country): Cybersecurity (Netherlands)
NEN-7513 - Health informatics - Recording actions on electronic patient health records (NL)
Dimension (country): Cybersecurity (Netherlands)
Hébergeurs de Données de Santé (HDS) - The Hébergeurs de Données de Santé (HDS) certification is required for entities such as Cloud service providers that host the personal health data governed by French laws and collected for delivering preventive, diagnostic, and other health services.
Dimension (country): Cloud Security (France)
ANSSI SecNumCloud - The ANSSI SecNumCloud is the French counterpart to the Criteria Catalogue C5, defining a baseline security level for Cloud computing. It is used by professional Cloud service providers, auditors, and Cloud customers. The criteria catalogue was a collaborative work of Germany and France.
Dimension (country): Cloud Security
Criteria Catalogue C5 – Federal Office for Information Security in Germany (BSI) - The Cloud computing compliance criteria catalogue (C5) defines a baseline security level for Cloud computing. It is used by professional Cloud service providers, auditors, and Cloud customers.
Dimension (country): Cloud Security
Cloud Security Alliance (CSA) – Cloud Controls Matrix - The CSA Cloud Controls Matrix is a framework to ensure information security for Cloud computing, providing 133 controls structured along 16 domains covering all key aspects of Cloud technology. It can be used as a tool to assess Cloud service providers and provides guidance.
Dimension (country): Cloud Security
Cybersecurity Maturity Model Certification (CMMC) - The CMMC is a certification and compliance process developed by the Department of Defence. The certification aims at assessing the maturity level of fulfilling information security standards and best practices.
Dimension (country): Cybersecurity
26
https://www.enisa.europa.eu/publications/good-practices-for-the-security-of-healthcare-services
42
CLOUD SECURITY FOR HEALTHCARE SERVICES
January 2021
Health Information Trust HITRUST is a framework guiding the implementation of HIPPA Privacy / Cybersecurity
Alliance (HITRUST) requirements for healthcare providers. The HITRUST certification is a
way to show compliance with HIPPA requirements to third parties.
Principles and Practices The principles and practices for medical device of the international Cybersecurity Medical
for Medical Device medical device forum (IMDRF) cybersecurity have been designed to Devices
Cybersecurity27 provide concrete recommendations to all responsible stakeholders on
the general principles and best practices for medical device
cybersecurity.
Guías CCN-STIC de The CCN-STICH are instructions, guidelines, and recommendations of Cybersecurity (Spain)
Seguridad28 the Centro Criptológico Nacional, aiming at improving the maturity level
of the organisation’s information security.
CCN-STIC-823 The CCN-STICH-823 covers instructions, guidelines, and Cloud Security (Spain)
Seguridad en etornos recommendations of the Centro Criptológico Nacional, focusing on Cloud
Cloud29 services.
TRAFICOM guidelines The Finnish transport and communication agency and national Cybersecurity (Finland)
cybersecurity centre provide guidelines on information security.
Digital security: The Finnish Ministry of finance provides guidelines for information Cybersecurity (Finland)
Guidance of services security.
and security30
National Cybersecurity The Centro national de Cibersegurança provides a national Cybersecurity (Portugal)
Framework31 cybersecurity framework.
Security The Portuguese Ministry of health provides recommendations for Cybersecurity (Portugal)
Recommendations of ensuring cybersecurity.
Ministry of Health32
Official eHealth DSI The electronic health digital service infrastructure (eHDSI) describes a Cybersecurity
provider guidelines and solution to support implementing EU-wide projects for the healthcare
policies33 sector, focusing on cross-border healthcare data exchange. The digital
service infrastructure (DSI) supports interoperable services across the
EU.
[27] http://www.imdrf.org/docs/imdrf/final/technical/imdrf-tech-200318-pp-mdc-n60.pdf
[28] https://www.ccn-cert.cni.es/guias.html
[29] https://www.ccn-cert.cni.es/series-ccn-stic/800-guia-esquema-nacional-de-seguridad/541-ccn-stic-823-seguridad-en-entornos-cloud.html
[30] https://vm.fi/en/information-security-and-cybersecurity
[31] https://www.cncs.gov.pt/en/
[32] https://www.dgs.pt/directorate-general-of-health/structure-and-legal-framework.aspx
[33] https://ec.europa.eu/cefdigital/wiki/display/EHOPERATIONS/eHDSI+STARTING+TOOLKIT
B ANNEX: MAPPING OF SECURITY MEASURES
ISBN: 978-92-9204-405-3
DOI: 10.2824/454966