See All Nexus 2024 Sessions
Claroty Nexus Logo
Topics:
See all in Cyber Resilience See all in Articles
See all in Videos
See all in Podcasts
In an increasingly interconnected and constantly evolving healthcare environment, there are numerous cybersecurity challenges that hospitals must face to guarantee patients high-quality health services, avoid interruptions in supply, optimize the use of devices, and effectively manage cyber risks. These challenges require the use of cutting-edge technologies and real-time availability of diverse data and information.
Healthcare
Risk Management
Cyber Resilience

A Predictive, Proactive Approach to the Governance of Medical Devices

Stefano Scaramuzzino
Fabio Battelli
/
Nov 25, 2024

This is Part 1 of a two-part series written by Stefano Scaramuzzino of ASL Roma 1, Italy’s largest local health authority, and Fabio Batelli of Deloitte. Part 2 will cover how ASL Roma 1’s HyperSOC is using predictive models to structure its cybersecurity program. 

In an increasingly interconnected and constantly evolving healthcare environment, there are numerous challenges that hospitals must face to guarantee patients high-quality health services, avoid interruptions in supply, optimize the use of devices, and effectively manage cyber risks. These challenges require the use of cutting-edge technologies and real-time availability of diverse data and information.

Cybersecurity within healthcare has therefore become an essential strategic priority, not only for data protection but also to ensure services’ continuity. Based on publicly available information, in Italy, the healthcare sector in 2023 was the fourth most affected by successful cyberattacks, suffering 9% of all incidents. There were 624 reported healthcare-related cyberattacks in 2023, a sharp rise from previous years, according to the Clusit Report, published by the Italian Association for Information Security.

Healthcare cybersecurity attacks, 2018-2023. Source: Clusit.

Therefore, the ability to prevent, detect, and quickly respond to cyberattacks has become crucial, making cybersecurity a priority. To ensure security within the sector, it is essential to promptly identify and manage vulnerabilities in electromedical devices and related IT systems, to ensure the confidentiality of sensitive patient data, protect their health, and guarantee business continuity. This is especially relevant because, considering the peculiarities of the healthcare sector, a cyberattack could have disastrous consequences on patients’ health and lives in the event of unavailability or malfunction of the electromedical devices necessary for diagnosis and diseases’ clinical treatment.

CIA Inside Healthcare Delivery Organizations

It’s also important to understand the main impacts on IT infrastructure that affect the healthcare sector:

  • Impacts on availability: Temporary halt to the provisioning of at least one service in most cases, with changes in distribution, including: 

    • blocking of at least two services;

    • blocking of all services except one; 

    • blocking of all IT services; 

  • Impacts on confidentiality: data exfiltration with and without encryption; 

  • Integrity impacts: Changes to data integrity.

EMEA Compliance Mandates for HDOs

To mitigate these risks, ensure the continuity of essential services, and minimize the exposed attack surface, it is essential that healthcare organizations comply with the relevant regulations, such as, but not limited to:

  • Regulation 2016/679 (General Data Protection Regulation: GDPR);  

  • Regulations 2017/745 and 2017/746 related to requirements definition for medical devices sold on the European market;

  • Directive (EU) 2022/2555 Network and Information Security (NIS2), which was replaced in Italy with Legislative Decree No. 138 of 04/09/2024; 

  • Law 90/2024 (Provisions on the strengthening of national cybersecurity and computer crimes);

  • 2022 European Regulation, adopted in 2024, aimed at defining cybersecurity requirements applicable to connected products (Cyber Resilience Act).

Compliance with these regulations allows organizations to avoid administrative penalties and reputational damage, to reduce the likelihood of business interruptions and to be legally involved in liability due to any damage caused by data security breaches. 

GDPR, NIS2 Directive, and Law 90/2024 require that organizations adopt advanced protection measures to prevent cyberattacks, ensure the continuity of services, and emphasize the importance of adopting innovative technologies to improve the cyber resilience of critical infrastructure. 

In addition, it is crucial for a healthcare company to protect its data from incidents such as, for example, data breach and data exfiltration, in compliance with GDPR and current regulatory obligations. These measures allow hospitals to safeguard sensitive data and patient safety and to preserve the reputation of the organization. In addition to the regulations directly applicable to healthcare organizations, with the aim of supporting the EU’s security by design principle, European authorities have over the years drawn up regulatory instruments that also involve medical device manufacturers. Compliance with these regulations is crucial to ensure high security standards within the European Union.

Visibility, Device Optimization Key Security Strategies

The evolution of increasingly sophisticated and pervasive cybersecurity threats, stringent and specific regulatory requirements, and the need to maximize the operational efficiency of electromedical devices aimed at providing a continuous and valuable service, introduce numerous challenges for security leaders operating in the healthcare sector. These challenges include:

  • The need to obtain horizontal visibility on the cyber risks of the entire organization infrastructure in order to effectively manage it;

  • The optimization of the use of medical devices aimed at making asset management more efficient.  

This translates to a need to gain complete visibility of available assets, both from the point of view of cybersecurity and from the point of view of medical device usage metrics. One way to obtain a unified and centralized view is the use of a data lake that allows CISOs to aggregate data from different heterogeneous sources, including medical devices, clinical applications and IT infrastructure, and thus allows integrated analysis aimed at optimal resource management and security improvement. This analysis is of fundamental importance in order to ensure compliance with the Decree-Law on waiting lists, which prescribes accurate and continuous monitoring to reduce waiting times and optimize the services offered. 

Knowing one's technological ecosystem is useful in order to improve operational efficiency and resource allocation and to prevent and respond to cyber threats. This is especially important in light of the digitization of the healthcare world which opens up new opportunities, but at the same time considerably expands the attack surface. This is done by virtue of the extensive use of medical devices that offer advanced features in terms of diagnosis, monitoring and treatment of patients, the dissemination of electronic registers for rapid access to health information of the and telemedicine that enables new perspectives for the management of healthcare processes. 

Furthermore, in the field of Italian healthcare, the evolution of the technological landscape clashes with ecosystems often characterized by the presence of obsolete systems that result in inefficiencies such as the lengthening of waiting lists and, consequently, the reduced timeliness of diagnoses. 

Predictive Possibilities for HDOs

In this context, the correlation between population demographics and the demand for health services, made possible by advanced data analysis within a data lake, can offer the possibility of predicting peaks in use and making the distribution and use of resources within health facilities more efficient. 

Gaining greater visibility is essential in order to optimize the management of multiple and varied assets, while strengthening the level of security and cyber resilience of heterogeneous environments. It is therefore necessary to carry out an environmental discovery activity to identify the sources from which to collect data which, in the face of analysis and processing, allow you to visualize relevant metrics and information.

This is a crucial issue within the healthcare sector, as confirmed by Gartner which, thanks to a survey conducted in 2024, made it possible to focus on the priorities of the CIOs who took part in the study. 

The "2025 CIO Agenda: Top Priorities and Technology Plans for Healthcare Providers" provides an overview of the subset of respondents working in healthcare. Based on the responses obtained, the third among the areas of greatest investment in terms of technological solutions in 2025 is reported "Data and analytics architecture and tools" with 43% of respondents indicating this area among the five most relevant.

In first and second place, respectively with 66% and 50% of the answers were "Cybersecurity tools, strategic risk management" and "Artificial intelligence applications, cognitive computing, Generative AI.” 

It is interesting to note that the project developed at ASL Roma 1, presented in part 2 of this series, concentrates on all three of these areas.

Healthcare
Risk Management
Cyber Resilience
Stefano Scaramuzzino
Technical Manager, Cybersecurity ASL Roma 1

Stefano Scaramuzzino is the cybersecurity team leader and network and information systems manager, for ASL Roma 1, Italy's largest local health authority.

Fabio Battelli
Partner, Cyber Risk Services

A partner at Deloitte Italy Cyber Risk Services, Battelli has 16 years consulting experience with a specific focus on ICT/Cybersecurity where he is well-recognized trusted advisor and subject matter expert in critical infrastructure protection (CIP).

Stay in the know Get the Nexus Connect Newsletter
Share
LinkedIn Twitter Facebook Email
Featured Articles
Considerations for Medical Device Vulnerability Remediation Technical Debt in OT Environments: How It's Different and Why it Matters The Purdue Model's Risky Blindspot
Featured Videos
Browse by Topics
Cyber Resilience Cybersecurity Insurance Federal Food & Beverage Healthcare Industrial Internet of Things Nexus Conference Operational Resilience Operational Technology Ransomware Risk Management Technical Debt Vulnerability Management Zero Trust
You might also like… Read more
Enterprise CISOs must consider disinformation and misinformation campaigns targeting their companies and industries as part of their threat model. Organizations must also develop disinformation response plans, similar to incident response actions.
Operational Resilience
Cyber Resilience
Risk Management

CISOs Urged to Prepare for Evolving Disinformation Tactics

George V. Hulme
Securing connectivity in operational technology (OT) environments is crucial for the safety of critical infrastructure and maintaining the uninterrupted service it provides. Leaving unnecessary open ports, protocols, and services exposed, along with directly connected devices to the internet, such as programmable logic controllers (PLCs) and human machine interfaces (HMIs), greatly increases the risks of cyberattacks.
Industrial
Operational Technology
Risk Management

Explaining the Importance of Secure Connectivity in OT

Dan Ricci
nexus_secure-by-design-labonty.jpg
Operational Technology
Cyber Resilience

Secure by Design in Manufacturing is Not an Empty Concept

Jim LaBonty
The HHS Office for Civil Rights proposes substantial rule changes to the long-standing Health Insurance Portability and Accountability Act (HIPAA) Security Rule. While details on the proposed rule changes remain unclear, HHS plans to issue a Notice of Proposed Rulemaking (NPRM) by the end of the year. These changes are believed to be the most substantial changes since the HIPAA Security rule went into effect in 2003
Healthcare
Ransomware

Significant Changes to HIPAA Security Rule on the Way

George V. Hulme
nexus_sec.jpg
Risk Management

Court Ruling on SEC v. SolarWinds Good News for CISOs—For Now

Cristin Flynn Goodwin
accuray-s34fezwt6ee-unsplash.jpg
Healthcare

How Under-Resourced Healthcare Providers Can Up Their Cybersecurity Game

George V. Hulme
nexus_med-dev-classification.jpg
Healthcare
Vulnerability Management
Risk Management

Better Medical Device Classification for Enhanced Risk Management

Manan Kakkar
Sam Templeton
nexus_red-lines-rogers-deterrence.jpg
Cyber Resilience
Healthcare
Industrial
Risk Management

Deterrence in Cyberspace Proving to be a Difficult Exercise

ADM. Michael S. Rogers, USN (Ret.)
nexus_devops-geo.jpg
Operational Technology

Does DevOps have a place in OT/ICS Development?

George V. Hulme
nexus_cranes-hulme.jpg
Cyber Resilience
Risk Management
Industrial

US Government Expands Tech Restrictions to Safeguard Critical Infrastructure

George V. Hulme
nexus_sign.jpg
Cyber Resilience
Healthcare
Industrial
Operational Technology
Risk Management

CPS Security Leaders Convene on One Goal: Protect Mission-Critical Infrastructure

Upa Campbell
nexus_eu-flag-hulme-update.jpg
Risk Management

NIS2 Directive Must Be More Than a Compliance Exercise

George V. Hulme
Latest on Nexus Podcast
See all episodes
The Nexus podcast features conversations with security leaders, researchers, and experts sharing their expertise on cyber-physical systems security.
In this episode of the Nexus Podcast. Runsafe Security CEO and cofounder Joe Saunders examines the motivations of these adversaries, the targeting of memory-based vulnerabilities in embedded systems prevalent in OT and healthcare, and how initiatives such as secure-by-design/default/demand can make a dent in ensuring the resilience of critical infrastructure.
Cyber Resilience
Industrial
Healthcare

Nexus Podcast: Joe Saunders on Advanced Attacks Against Critical Infrastructure
nexus_grant1.jpg
Industrial
Healthcare
Ransomware
Cyber Resilience
Operational Resilience
Operational Technology

Nexus Podcast: Grant Geyer on the Business Impact of Disruptions from Cyberattacks
In this episode of the Nexus Podcast, Alethe Denis, a senior security consultant at Bishop Fox, joins to discuss the ongoing effectiveness of open-source intelligence analysis and social engineering tactics as a precursor to larger intrusions against critical infrastructure.
Cyber Resilience
Healthcare
Industrial
Risk Management

Nexus Podcast: Alethe Denis on Social Engineering, Red-Teaming