The 5 keys of an Operator’s Security Plan for a health service

(This post has been prepared by Juan Carlos Muria & Samuel Segarra.)

Regarding the protection of critical infrastructures and essential services, as reflected in the European NIS Directive, Spain has a National Strategy that includes the health sector as a critical infrastructure.
In this SAW post we explain the key success factors for approaching the preparation of the Operator's Security Plan so that it complies with Spanish regulation, although, in our experience, there are many points in common with the protection of critical infrastructure in other countries.

And finally it arrived: the Sector Strategic Plan (PES) for the health sector was published at the end of October, and now it is time for the designated operators to draft the Operator's Security Plan (OSP) in less than six months, not forgetting that there will then be only four months to detail the Specific Protection Plans (PPE) for each of the critical infrastructures, and finally the Operational Support Plans (PAO).

These are the minimum deadlines set by the National Center for the Protection of Critical Infrastructures (CNPIC), according to the meetings held and emails exchanged with different operators.

The structure of these plans is defined by the CNPIC itself, so we have preferred to focus on the things that a healthcare operator should take into account, and since this is a blog and the content should be short and concrete, we have decided to highlight the 5 most important things that should not be missing from an OSP.
Shall we start?

The first thing is that the health sector is very broad, and the CNPIC itself identifies four subsectors: healthcare, public health, medicines and health products, and animal health.

The second is that, as we have been saying for some time, the protection of health infrastructures has a very direct impact on patient safety. Therefore, beyond the fact that the impact of the risks we have to evaluate makes the sector very attractive to attackers, identifying threats properly and quantifying their impact and likelihood requires in-depth knowledge of the health sector.

  1. We must identify infrastructure and technology. Technology is increasingly present in the diagnosis, treatment and monitoring of patients, so the impact of its unavailability is great. Our OSP should therefore focus not only on infrastructures (physical security) but also on technology (information security and operational security).
  2. Healthcare is already hyperconnected. Health infrastructures are not isolated elements: they exchange data and processes with insurance companies, private healthcare, manufacturers of health technology, telemedicine, collaboration among hospitals and between hospitals and universities, pharmacy networks, Social Security, Finance, social services, devices implanted in patients, etc. This increases the attack surface and the propagation vectors, so it is important to complement the risk analysis with this process-level view.
  3. No plan is static, and an OSP in a health operator even less so. The impact of digital transformation on healthcare is only beginning, there is still a long way to go, and at the same time healthcare is a VUCA (volatile, uncertain, complex and ambiguous) environment, so our OSP must be prepared for the pieces to keep moving and still fit together. As you know, we must revise it every two years, but in the next two years many things will happen that may force us to revise it ahead of time... And yes, surely in the two after that as well ;-).
  4. The role of the CSR (Security and Liaison Officer) and the Security Delegate. We must bear in mind that the CSR represents the critical operator, not a specific critical infrastructure. What does this mean? That the CSR will be the interlocutor with the Secretary of State for Security on issues relating to the security of the operator's different infrastructures and to the plans themselves. The CSR will also be the contact point for channeling any informational (and operational) needs that may arise. The Security Delegate, on the other hand, constitutes the operational link and the information channel with the competent authorities, but in this case the scope of action is limited to one particular critical infrastructure. Naturally, there must be fluid communication and coordination between both figures at all times for security management to be carried out effectively.
  5. Culture eats strategy for breakfast. The phrase is attributed to Peter Drucker, and it does not mean that security strategy is unimportant, but if a security culture (awareness) is lacking, the strategy can be undermined by the users' lack of awareness. In the same way, the objective of the OSP and the PPE is not to sit in a drawer, so it is essential that those involved (not only the CSR or the Security Delegate) are familiar with the methods and systems established to guarantee adequate levels of protection for this type of infrastructure.

Yes, it is true that there are other important things, such as the risk analysis methodology you are going to use, the identification of essential services, the estimation of the impact each threat could have, etc., but in this Security Art Work entry we wanted to highlight the most noteworthy aspects, which we often underestimate when protecting our critical infrastructures and which, in the case of health, are especially important.

Now that you have reached the end, which of them is most important to you?
