Modern societies have become increasingly dependent upon critical (cyber) infrastructures, and this dependency only grows stronger as ICT progresses. Healthcare ICT infrastructures are increasingly recognised as critical information infrastructures, since the healthcare service provision organisations that depend upon them form one of the backbones of economic growth and wellbeing. At the centre of this ecosystem, the sensitive personal information aggregated, stored and processed by these organisations constitutes one of their most critical assets. As compliance with the upcoming GDPR becomes one of the biggest challenges facing organisations (healthcare organisations included), maintaining the privacy of this information at the required level at all times is undoubtedly a critical factor this economic sector relies upon. Nevertheless, the progress of ICT and the dependency upon critical (cyber) infrastructures comes at a cost. That cost, which is on the rise whether measured in monetary terms or in its impact on daily living, is associated with increasingly sophisticated, stealthy, targeted and multi-faceted cyber attacks against the very same cyber infrastructures upon which our prosperity is built and relies. The very nature of healthcare service provision involves both physical infrastructure (including medical equipment, paper-based medical records and more) and cyber infrastructure (including digital environments that support advanced data acquisition, management, integration and other computing and information processing services). Protecting healthcare's critical cyber-physical infrastructures as a whole and minimising their risk is therefore a holistic challenge.
Many healthcare service provision organisations, whether public or private, have started working towards strategic initiatives including risk-based frameworks and cloud-based cybersecurity to better protect their information assets. According to the GSIS Survey 2018 by PwC, such organisations (currently still a very small fraction) have created dedicated Chief Information Security Officer positions in charge of security, invest in employee security awareness programs, conduct threat assessments, and embrace cybersecurity services such as threat intelligence tools for building attack detection capabilities. However, as stated in the ENISA report entitled “Methodologies for the identification of Critical Information Infrastructure assets and services”, a significant number of Member States currently present a low level of maturity and lack a structured approach to identifying Critical Information Infrastructure in healthcare service provision, which poses severe risks given the increasing dependency of society's vital functions on these organisations. Whilst the value of the cybercriminal economy as a whole is not precisely known, the losses are thought to amount to billions of euros per year. The scale of the problem is itself a threat to law enforcement response capability, with more than 150,000 viruses and other types of malicious code in circulation and a million people falling victim to cybercrime every day. However, by completing the Digital Single Market, Europe could boost its GDP by almost €500 billion a year, an average of €1,000 per person. With regard to critical Healthcare ICT infrastructures specifically, there is a vast plethora of eHealth services or functions that can be supported, including but not limited to telemedicine and mHealth, patient data management, e-prescription and more.
However, the common denominator of all such services is the secure storage and exchange of information at regional, national or international level, and among Hospital Information Systems, medical devices and mobile devices gathering health-related information from sensors. For these connected technologies to take off, citizens need trust and confidence. Unfortunately, a 2012 Eurobarometer survey showed that the overwhelming majority of Europeans avoid disclosing personal information online because of security concerns. Across the EU, more than one in ten Internet users has already become a victim of online fraud. Threat actors — in ever greater numbers and with increasing sophistication — see, in the growing promise of our tech-connected world, opportunities to steal or to cause major disruption or destruction by exploiting vulnerabilities. Unfortunately, as technology’s benefits expand and evolve, so too will the threats. Countering those threats and ensuring the resilience of our cyber-enabled systems will require flexibility and an ability to evolve as well.
CUREX addresses this issue at its very core. It aims to deliver a novel, flexible and scalable situational-awareness-oriented platform that addresses advanced cybersecurity threats targeted at critical healthcare information infrastructures, safeguards the privacy of patients, enables secure, authorised and fully auditable exchange of sensitive health data, and facilitates improved cyberthreat situational awareness, optimal defence strategy design, and cyber-risk management and mitigation through the recommendation of optimal security safeguards. The framework targets the provision of a set of security and privacy assessment tools, decision support methods for proposing optimal risk mitigation safeguards, and privacy-preserving applications, thus delivering services to all actors and stakeholders in the value chain, including IT/Security Solution Architects, Information Security Experts, Chief Information (Security) Officers, Risk Managers, Decision Makers and Healthcare professionals, and of course reaching down to the information owners, the patients.