Introduction and background
Healthcare information is a key element in modern medical digital environments. Hospitals and clinics are relying more and more often on solutions such as remote backends or clouds to create virtual environments for their patients. In these environments, patients can authenticate, store and share personal information, which has a high degree of confidentiality. Ideally, these data will always remain confidential between the patients and their doctors.
Cyber-challenges for the healthcare domain
In light of the emerging cybersecurity and privacy risks associated with digital communication, there is a constant rise in new threats and vulnerabilities that cyber criminals can exploit to get access to this information. The motives for accessing the information are diverse. They could include ransom or blackmail, targeted attacks on a particular person or hospital, or simply maintaining a certain reputation in the online hacking community. No matter the reason behind a cybersecurity attack, the impact is equally severe: personal information of a very confidential nature is at risk. Moreover, recent security and privacy incidents involving high-profile cloud service providers demonstrate that even if the hospital or clinic relies on a service provider with a good reputation, this still does not fully eliminate the risks associated with storing personal information in a remote environment.
Safeguarding against cyberthreats
With a focus on the second dimension, Secura is organising, as part of the ASCLEPIOS project, periodic workshops aimed at improving the public’s awareness of the security and privacy aspects of medical data. These courses have a diverse target group, including the domains highlighted in the table below.
Type of entity | Knowledge regarding the types of data generated | Knowledge regarding the technology behind generating/storing data | Knowledge regarding the sensitivity of data |
Patients | Limited | Limited | Moderate |
Hospitals and clinics personnel | Extensive | Limited | Moderate |
Cloud service providers | Limited | Extensive | Limited |
Third party service providers | Limited | Moderate | Moderate |
The following awareness objectives have been defined, based on the target audiences.
Target group | Awareness objectives to be followed in the course |
Patients |
|
Hospitals and clinics personnel |
|
Cloud service providers |
|
Third party service providers |
|
As can be seen from the table, the content of these courses is a combination of technical and non-technical topics, with the details kept to a level that allows persons from different backgrounds to tune in and join the conversations.
Zooming into our 1st workshop, held on 16 January 2020 in Amsterdam, The Netherlands
The physical workshop was designed to have a moderate audience, thus facilitating the interaction between attendees.
Figure 1 – Physical attendance during the workshop
The workshop was organised as a whole-day event, with expert speakers from Secura as well as external speakers. The main focus of this first workshop was on highlighting some essential topics for the security and privacy of healthcare data (such as threat modeling, or GDPR compliance), while also introducing the technical vision and concepts promoted by ASCLEPIOS and highlighting the current state of the project’s implementation. During the interactive session of the workshop, the audience was split into groups to brainstorm on given scenarios and run some practical exercises. Examples of such exercises are threat modeling of a modern hospital infrastructure, as well as social engineering with the purpose of obtaining access to sensitive information.
What were the positive outcomes?
Based on the comments provided through the feedback forms at the end of the event, the attendees felt that the workshop achieved its goals, and the technical level of the talks was well calibrated to the background of the audience. Audience members came from a diverse set of domains, including academia, healthcare organisations and policy making.
Figure 2 – Feedback from the audience: event rating (top left), the background of the attendees (top right), the opinion on the technical depth of the talks (bottom)
What were the improvement points?
Besides this, a large majority of the audience indicated that the interactive sessions were the most appreciated (Figure 3).
Figure 3 – Feedback from the audience regarding the preference for a specific talk during the workshop
Zooming into our 2nd Security Awareness Workshop, held as a virtual event on 3 December 2020
Some of the talks that enjoyed high popularity in the first workshop (e.g., GDPR or Threat Modeling in healthcare) were kept on the agenda, while much more attention was given to the ASCLEPIOS project itself and its practical demonstrators, as requested during the 1st event. All the demonstrator partners within ASCLEPIOS participated with talks presenting the status of their implementation, as well as the added value of their demonstrators. This time the sessions were recorded, allowing for further sharing of the material.
What were the positive outcomes?
Mostly because the event was fully online, the audience was much larger than in the first edition. The workshop gathered more than 80 registrations, with backgrounds including academia, healthcare providers and medical device manufacturers. Overall, the participants rated the event as well organised, and were satisfied with the contents and the technical level of the talks.
Figure 4 – Feedback from the audience: the background of the attendees (left) and general feedback on the workshop (right)
What were the improvement points?
While the online event missed the physical interaction of a typical face-to-face workshop, in general the outcome was positive. As improvement points, Secura has noted the remarks of some participants regarding a preference for slightly more technical presentations, although these were still a minority compared with the general opinion. This is still an important remark, as for future editions Secura can consider a slight separation between general talks and more “technical in-depth” talks, which could be attended by a subset of the audience.
Figure 5: The agendas of our first two Awareness Workshops
Secura is already planning the next edition of the workshop for May-June 2021, while another final workshop is considered for the end of 2021. Stay tuned!