The European Commission's response to the need for security and privacy-by-design is not only the set-up of regulatory measures (GDPR, MDR, EU Directive 2016/1148), but also the funding, through the Horizon 2020 programme, of research and innovation projects that develop solutions which are effective and usable in the healthcare context. DEFeND, PANACEA, PAPAYA, CUREX and SPHINX are some of them.
All healthcare actors need to comply with the EU regulatory framework:
The DEFeND project provides an innovative data privacy governance platform that supports healthcare organisations in achieving GDPR compliance, using advanced modelling languages and methodologies for privacy-by-design and data protection management. Specific innovations of the project include:
The PANACEA project has developed, together with three European healthcare centres, a people-centric toolkit of nine tools to assess and improve the cybersecurity readiness of healthcare socio-technical systems (ICT, networked medical devices, staff) and of medical device/system lifecycles. It includes the following innovative software-based tools:
The CUREX project provides GDPR-compliant tools and applications targeted at healthcare professionals and individuals, offering a secure and private-by-design environment in which to access and exchange data. The CUREX solution analyses information coming from the monitoring infrastructure to compute cybersecurity and privacy risk scores associated with data exchange in the health domain. CUREX has five discrete areas: (i) Asset and Vulnerability Discovery, whose goal is to discover the system's assets and any information related to their associated vulnerabilities; (ii) Threat Intelligence, aimed at detecting abnormal behaviour of users and devices in real time, as well as anomalies in the data, in order to identify new and unknown threats; (iii) Risk Management, aimed at producing risk scores and optimal safeguards that feed the cyber strategy of the healthcare organisation; (iv) Trust Enhancing, which will make use of a decentralised platform based on blockchain technology to store and share private and sensitive data; and (v) Application and Visualisation, which displays the platform dashboard in a condensed form. Each area includes one or more of the following tools.
SPHINX introduces a Universal Cyber Security Toolkit that enhances the cyber protection of the health IT ecosystem and ensures patient data privacy and integrity. It also provides an automated zero-touch device and service verification toolkit that can be easily adapted to, or embedded in, existing medical, clinical or health infrastructures. The Toolkit's capabilities include vulnerability assessment of health IT ecosystems with near-real-time response, as well as evaluation and verification of new medical devices and provision of the SPHINX Certification.
DEFeND makes significant contributions to increasing trust and confidence in the digital single market by providing a platform that supports data privacy protection and the development of services that respect citizens' privacy. As a result, organisations using the platform will be able to demonstrate the measures they take, which in turn will improve transparency. DEFeND will also increase the use of privacy-by-design principles in ICT systems and services at different levels. At the (service/system) planning level, it provides tools and methods from the security and privacy requirements field that support the elicitation, modelling and analysis of privacy concerns from the early stages of the service/system development process. At the operational level, it provides analysis techniques and tools that implement privacy-by-design specifications. Apart from these practical contributions, the project also advances the PbD state of the art by extending PbD methodologies to operate within the context of the GDPR.
The impacts of PANACEA include:
The main business impacts of PAPAYA are as follows:
Healthcare ICT infrastructures need to be flexible enough to adapt to the ever-changing cyber threat environment and to increase their cyber threat detection capabilities, aiming for more efficient and more effective response, safeguarding information integrity, data protection and privacy, and lowering the potential negative impact of cyber threats on citizens' fundamental rights. CUREX addresses this issue by delivering a novel, flexible and scalable situational-awareness-oriented platform that tackles advanced cybersecurity threats targeted at critical healthcare information infrastructures. It safeguards the privacy of patients, enables secure, authorised and fully auditable exchange of sensitive health data, and supports improved cyber threat situational awareness, optimal defence strategy design, and cyber-risk management and mitigation through the recommendation of optimal security safeguards. The framework aims to provide a set of security and privacy assessment tools and decision support methods for proposing optimal risk mitigation safeguards, along with privacy-preserving applications, thus delivering services to all actors and stakeholders in the value chain: IT/security solution architects, information security experts, chief information (security) officers, risk managers, decision makers, healthcare professionals and, ultimately, the information owners, the patients.
The SPHINX project aims to contribute to the expected impacts set out in the H2020 work programme topic 'Toolkit for assessing and reducing cyber risks in hospitals and care centres to protect privacy/data/infrastructures'. In this context, the project outcomes are going to:
On the occasion of the adoption of the draft regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, the AI4HealthSec project kicked off a process to provide its opinion.