The EU Agency for Cybersecurity publishes a Cybersecurity Procurement Guide for Hospitals. Healthcare IT professionals have a new instrument in their toolbox.
The hospital is a vast ecosystem comprising an entire network of devices, equipment and systems that often require connection to external systems, which makes monitoring and control very hard. Given the high sensitivity of medical data and the potential vulnerability the sector faces, cybersecurity has to be applied every step of the way to ensure both patient data privacy and the availability and resilience of healthcare services.
The ‘Procurement Guidelines for Cybersecurity in Hospitals’ published by the Agency is designed to support the healthcare sector in taking informed decisions on cybersecurity when purchasing new hospital assets. It provides the information to be included in the procurement requests that hospitals publish in order to obtain IT equipment.
A cybersecurity procurement guide
This new report outlines good practices and recommendations for including cybersecurity as a provision in the procurement process in hospitals. The report first presents the set of hospital assets and the most prominent cybersecurity threats linked to them. After dividing the procurement process into three steps, namely ‘Plan, Source and Manage’, it identifies the cybersecurity requirements associated with each step. To make this even easier, the guide suggests evidence that the provider can supply to show how the requirements are fulfilled.
Who can use the guide?
This guide provides an accessible overview and can be reused by CIOs and CISOs of healthcare providers, medical device manufacturers, insurers and other healthcare-related organisations, with the objective of becoming a useful reference. A visualisation of this information in the form of a handy tool will be released in the coming months.