European Union Agency for Cybersecurity (“ENISA”) has published a Report on Computer Security Incident Response Teams Capabilities in Healthcare Sector (“Report”) focusing on sectoral Computer Security Incident Response Teams’ (“CSIRT”) capabilities, status, and development within the health sector since the implementation of the Directive on Security of Network and Information Systems (“NIS Directive”). The Report aims to provide insight to existing incident response (“IR”) trends to make practical suggestions on IR capability development in the healthcare sector.

In recent years, it has been noted that technologies generate the endless potential for the economy and society with digitalization, while also introducing many additional challenges. The Internet of Things, Artificial Intelligence, big data, and cyber threats are increasing from year to year due to the widespread use of cloud computing and the popularity of emerging technologies such as connected devices, which provide knowledge of the various for an organization to be breached.

The Report assessed the need for strong Incident Response Capabilities (IRC) in the healthcare industry, particularly in healthcare settings such as hospitals and private clinics, while noting that an attack on critical infrastructures, such as a hospitals, can cause physical damage and endanger patients' lives. The Report noted that this industry faces threats throughout the entire supply chain, with potentially dire societal consequences for many stakeholders who have become even more vulnerable during the COVID-19 pandemic.

Based on these reasons, the Report draws attention to the necessity for companies, governments, and citizens to think and act about cybersecurity, and to confront such threats, and states that it should strengthen the coordination between the Member States and public and private organizations must rely on IR capabilities and CSIRTs.

The first key finding is that the national CSIRT is the primary body in charge of incident response in the health sector and that health sector CSIRTs remain an exception among the EU member states. However, a trend in the growth of industry wide CSIRT collaborations that involve, but are not limited to, knowledge sharing has been identified.

According to the conclusions reached based on the assessments in the Report, explanations on the structuring of the incident response order at the national level were provided. In this sense, the national/government CSIRT in each EU member state provides IR services to various industries, including healthcare. This is especially true in nations that use a centralized incident response model and do not intend to build unique sectoral CSIRT capabilities, as IR is often managed by the operators of essential services and monitored by the national CSIRT or the government CSIRT. However, for three EU member states, namely Luxembourg, France, and the Netherlands, private sector CSIRTs coordinate incident response at the national level, which is controlled by the national CSIRT.

Another finding specified in the Report is that the development of sector-specific IR capacities in the health sector appears to be the consequence of the national CSIRT's shortage of sector-specific expertise, as well as lessons gained from previous events and the application of the NIS Directive.

As per the Report, the main factors facilitating the development of sectoral CSIRTs are given as the dissemination of threat intelligence, exchange of good practice and lessons learned, the establishment of sector-specific regulations clarifying the security requirements and responsibilities, the establishment of the cooperation agreement between national and sectoral actors, and the establishment of public-private partnerships.

The third finding is that, in addition to the broad services given by national CSIRTs, health sector CSIRTs tend to offer services more specialized to sector characteristics and needs.

According to the evaluations in the Report, in comparison to national CSIRTs, the health sectoral CSIRT provide the following benefits:

(i) Specialized services to handle sector-specific threats, vulnerabilities, and incidents;

(ii) Specific knowledge and expertise on medical devices, medical IT systems, as well as threats and incidents related to the health sector;

(iii) Providing sectoral expertise to the national CSIRT;

(iv) Assisting nonregulated operators in the health sector on incident response;

(v) Coordination for multi-site compromised systems in the health sector; and

(vi) Vulnerability coordination with vendors of sector-specific systems/devices.

In addition, it was pointed out in the Report that incident response in the health sector aims to respond to threats or attacks against CSIRT systems, that is, to prevent incidents and reduce their negative effects when they occur. Also, it is evaluated that sectoral CSIRTs can be an important player to improve the existing coordinated IRC to counter threats.

An additional finding in the Report is that the major resources and mechanisms in place to promote the growth of constituents' IRC in the health sector include shared frameworks for incident classification and threat modeling, training and education efforts, and a network of incident response actors.

As per the Report's final findings, the primary causes driving CSIRTs' IR development include sector-specific explanations on the security requirements and duties of the organizations, as well as the exchange of IR-related information. Furthermore, when it comes to incident response, the Report discovers that the main challenges faced by health CSIRTs are a lack of security culture among operators of essential services, the fact that management and security of operators of essential services IT infrastructure is frequently subcontracted, and a lack of founded cooperation tools and channels with operators of essential services incident response teams.

Finally, the Report makes recommendations based on the above-mentioned findings. Accordingly, the first recommendation is to enhance and facilitate the formation of health sector CISRTs by making funds more accessible and encouraging capacity-building initiatives. The other recommendation is that the utilize the knowledge of health CSIRTs to assist operators of essential services in developing their incident response capabilities through the establishment of sector-specific rules, cooperation agreements, communication channels with operators of essential services, public-private partnerships. Finally, it is recommended that healthcare CSIRTs be empowered to develop knowledge-sharing activities based on threat intelligence, good practice exchange, and lessons learned, among other things.

Simge Kılıç, Esra Temur