Insights into the ASCLEPIOS Awareness Courses


Introduction and background

Healthcare information is a key element in modern medical digital environments. Hospitals and clinics are relying more and more often on solutions such as remote backends or clouds to create virtual environments for their patients. In these environments, patients can authenticate, store and share personal information, which has a high degree of confidentiality. Ideally, these data will always remain confidential between the patients and their doctors.


Cyber-challenges for the healthcare domain

In light of the emerging cybersecurity and privacy risks associated with digital communication, there is a constant rise in new threats and vulnerabilities that cyber criminals can exploit to get access to this information. The motives for accessing the information are diverse. They could include ransom or blackmail, targeted attacks on a particular person or hospital, or simply maintaining a certain reputation in the online hacking community. No matter the reason behind a cybersecurity attack, the impact is the same: personal information of a very confidential nature is at risk. Moreover, recent security and privacy incidents involving high-profile cloud service providers demonstrate that even if the hospital or clinic relies on a service provider with a good reputation, this still does not fully eliminate the risks associated with storing personal information in a remote environment.


Safeguarding against cyberthreats

Protecting personal information against security and privacy risks involves two high-level approaches. First, there is the constant need to harden the infrastructure for sharing and storing data against increasingly sophisticated hacking techniques. Second, there is the awareness dimension. With good awareness, many security risks can already be minimized. For example, by acknowledging that cyber criminals make use of phishing techniques, patients can be much more careful regarding when, and to whom, they disclose their data.

With a focus on the second dimension, Secura is organising, as part of the ASCLEPIOS project, periodic workshops aimed at improving the public’s awareness of the security and privacy aspects of medical data. These courses have a diverse target group, including the domains highlighted in the table below.

| Type of entity | Knowledge regarding the types of data generated | Knowledge regarding the technology behind generating/storing data | Knowledge regarding the sensitivity of data |
|---|---|---|---|
| Patients | Limited | Limited | Moderate |
| Hospitals and clinics personnel | Extensive | Limited | Moderate |
| Cloud service providers | Limited | Extensive | Limited |
| Third party service providers | Limited | Moderate | Moderate |


The following awareness objectives have been defined, based on the target audiences.

Target group

Awareness objectives to be followed in the course

Patients

  • Increased awareness on types of data that do not have to be shared (according to the GDPR)
  • Increased awareness on the secure ways in which data can be shared
  • Increased awareness on identifying a secure sharing platform for hosting personal data
  • Increased awareness regarding third party entities that have access to shared data, as well as the type of data analytics conducted
  • Increased awareness on the external parties that will have access to the results of the conducted analytics

Hospitals and clinics personnel

  • Increased awareness on the types of data that need to be collected from the patients (according to the GDPR)
  • Increased awareness about secure handling of collected medical data (e.g., secure local storage, erasure after use, etc.)

Cloud service providers

  • Increased awareness on the types of cybersecurity risks that could impact the storage platform (the public cloud), as well as the security best practices that need to be deployed in order to minimize these risks

Third party service providers

  • Increased awareness about the types of patient data that can be collected (according to the GDPR)
  • Increased awareness about secure handling of collected medical data (e.g., secure local storage, erasure after use, etc.)

As can be seen from the table, the content of these courses is a combination of technical and non-technical topics, with the details kept to a level that allows persons from different backgrounds to tune in and join the conversations.

In 2020, Secura organised two ASCLEPIOS awareness courses. The first course was organised as a physical event, which took place in January 2020 in Amsterdam, The Netherlands. Due to the worldwide pandemic situation around the COVID-19 virus, the second event was organised in the form of an online workshop in December 2020.

Useful insights were extracted from both editions, which are worth sharing in the rest of this article.


Zooming into our 1st workshop, held on 16 January 2020, Amsterdam, The Netherlands

The physical workshop was designed to have a moderate audience, thus facilitating the interaction between attendees.

Figure 1 – Physical attendance during the workshop


The workshop was organised as a whole-day event, featuring both expert speakers from Secura and external speakers. The main focus of this first workshop was on highlighting some essential topics for the security and privacy of healthcare data (such as threat modeling, or GDPR compliance), while also introducing the technical vision and concepts promoted by ASCLEPIOS and highlighting the current state of development of the project’s implementation. During the interactive session of the workshop, the audience was split into groups to brainstorm on given scenarios and run some practical exercises. Examples of such exercises are threat modeling of a modern hospital infrastructure, as well as social engineering with the purpose of obtaining access to sensitive information.


What were the positive outcomes?

Based on the comments provided through the feedback forms at the end of the event, the attendees felt that the workshop achieved its goals, and the technical level of the talks was well calibrated to the background of the audience. Audience members came from a diverse set of domains, including academia, healthcare organisations and policy making.


Figure 2 – Feedback from the audience: event rating (top left), the background of the attendees (top right), the opinion on the technical depth of the talks (bottom)


What were the improvement points?

Based on the feedback of the attendees, the main request was for more practical information on the ASCLEPIOS infrastructure and demonstrators – a request we took into consideration when creating the agenda of our next events!

Besides this, the audience also overwhelmingly indicated that the interactive sessions were the most appreciated (Figure 3).

Figure 3 – Feedback from the audience regarding the preference for a specific talk during the workshop


Zooming into our 2nd Security Awareness Workshop, held as a virtual event on 3 December 2020

Due to the international travel restrictions linked to the coronavirus pandemic, the second edition of the ASCLEPIOS workshop was switched to a virtual event.

Some of the talks that enjoyed high popularity in the first workshop (e.g., GDPR or Threat Modeling in healthcare) were kept on the agenda, while much more attention was given to the ASCLEPIOS project itself and its practical demonstrators, as requested during the 1st event. All the demonstrator partners within ASCLEPIOS participated with talks presenting the status of their implementation, as well as the added value of their demonstrators. This time the sessions were recorded, thus allowing for further sharing of the material.


What were the positive outcomes?

Mostly because the event was fully online, the audience was much larger than in the first edition. The workshop gathered more than 80 registrations, with backgrounds including academia, healthcare providers and medical device manufacturers. Overall, the participants rated the event as well organised, and were satisfied with the contents and the technical level of the talks.

Figure 4 – Feedback from the audience: the background of the attendees (left) and general feedback on the workshop (right)


What were the improvement points?

While the online event missed the physical interaction of a typical face-to-face workshop, in general the outcome was positive. As improvement points, Secura has noted the remarks of some participants regarding a preference for slightly more technical presentations, although this was still a minority compared with the general opinion. This is still an important remark, as for future editions Secura can consider a slight separation between general talks and more “technical in-depth” talks, which could be attended by a subset of the audience.


Figure 5: The agendas of our first two Awareness Workshops

Secura is already planning the next edition of the workshop for May-June 2021, while a final workshop is being considered for the end of 2021. Stay tuned!