What is specific to healthcare?

It is important to situate cybersecurity within the broader constraints that the healthcare sector has to meet.

Safety versus cybersecurity

Patient safety, and more generally medical relevance, is understandably the key decision criterion for medical teams. However, as systems become more complex and cyber threats more common, healthcare information systems become harder to secure: they contain many legacy solutions and protocols (e.g. DICOM) from many different vendors, especially because expensive equipment tends to be amortized over a long period.

The path towards safer digital healthcare is not straightforward and requires a feasible approach to change and investment.

The ethical requirements related to healthcare and cybersecurity are covered in the book, The Ethics of Cybersecurity, Springer, 2020 (and especially chapter 7, by Karsten Weber and Nadine Kleine).

When privacy meets security and compliance

The priority is to be able to serve patients; therefore data integrity and availability for hospital practitioners are considered more important than confidentiality (which is generally assessed after the fact, through traceability).

Still, since health records may contain very sensitive information, privacy remains an important topic. However, it is not always simple to manage together with security recommendations. As an example, many security processes are based on logs, which may be an issue for privacy, since the logs themselves record which practitioner accessed which patient's data. A fairly comprehensive review of how privacy and security may be applied to the healthcare sector is the NODIRT framework.
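One way to reconcile the two, as an added example that is not from the page or from the NODIRT framework: pseudonymize patient identifiers in access logs with a keyed hash, so analysts can still correlate events per patient (traceability) while re-identification is only possible for whoever holds the key. The log format, the identifiers and the key below are constructed for the illustration.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample audit lines (not real data). The key=value layout is an
# assumption for this example; real HIS/PACS audit formats differ.
SAMPLE_LOG = [
    "2024-03-01T08:12:03Z user=dr.martin action=VIEW patient_id=7845210 study=1.2.840.113619.2.55.3",
    "2024-03-01T08:14:47Z user=dr.martin action=EXPORT patient_id=7845210 study=1.2.840.113619.2.55.3",
    "2024-03-01T09:01:10Z user=nurse.k action=VIEW patient_id=1122334 study=1.2.840.113619.2.55.9",
    "2024-03-01T09:05:22Z user=nurse.k action=EXPORT patient_id=1122334 study=1.2.840.113619.2.55.9",
    "2024-03-01T09:06:40Z user=nurse.k action=EXPORT patient_id=7845210 study=1.2.840.113619.2.55.3",
]

# Raw identifiers are numeric; after pseudonymization the field holds "p" + hex,
# so the raw-id pattern can never match a token.
RAW_ID_RE = re.compile(r"patient_id=(\d+)")
ANY_ID_RE = re.compile(r"patient_id=(\S+)")


def pseudonymize_id(patient_id: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a patient identifier, truncated to 16 hex chars.
    Same identifier + same key -> same token, so events can still be correlated per
    patient for detection and after-the-fact traceability. Without the key the token
    cannot be inverted; unlike an unkeyed SHA-256 it also cannot be brute-forced by
    hashing every possible 7-digit identifier (only 10^7 candidates)."""
    digest = hmac.new(key, patient_id.encode("ascii"), hashlib.sha256).hexdigest()
    return "p" + digest[:16]


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace every raw patient identifier on one log line with its token."""
    return RAW_ID_RE.sub(lambda m: "patient_id=" + pseudonymize_id(m.group(1), key), line)


def pseudonymize_log(lines, key: bytes):
    return [pseudonymize_line(line, key) for line in lines]


def exports_per_patient(lines):
    """Detection-style query that works identically on raw or pseudonymized lines:
    count EXPORT actions per patient field. A spike for one token is worth a look
    even though the analyst does not see who the patient is."""
    counts = {}
    for line in lines:
        if " action=EXPORT " not in line:
            continue
        m = ANY_ID_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def contains_raw_ids(lines) -> bool:
    """True if any line still carries a raw numeric patient identifier."""
    return any(RAW_ID_RE.search(line) for line in lines)


def reidentify(token: str, key: bytes, candidate_ids) -> Optional[str]:
    """Controlled re-identification by the key holder (e.g. the data protection
    officer) for a legitimate investigation: recompute tokens over the candidate
    identifiers and match. Anyone without the key cannot perform this step."""
    for pid in candidate_ids:
        if pseudonymize_id(pid, key) == token:
            return pid
    return None


if __name__ == "__main__":
    # Key is constructed for the example; in practice it lives in a KMS/HSM.
    key = b"example-key-not-for-production"
    protected = pseudonymize_log(SAMPLE_LOG, key)
    for line in protected:
        print(line)
    print("raw ids left:", contains_raw_ids(protected))
    print("exports per pseudonym:", exports_per_patient(protected))
```

The same per-patient count runs unchanged on raw and pseudonymized lines, which is the point: the security process keeps working while the log stops carrying the identifier in the clear. The trade-off is that the key now becomes the sensitive asset and must be managed (rotation changes every token, which breaks correlation across the rotation boundary).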

Innovations in the healthcare sector

With M. Bayad, we published two peer-reviewed conference papers (CIFEPME) on the specificity of innovation in the healthcare sector. Both papers are in French, but we include the summary in English.

  • Transition to a Sustainable Health System: A Story of an Institutional Entrepreneur

    • Health systems are severely constrained by demographic changes, budget limitations, or even global pandemics. Responding to these new challenges requires innovative approaches, but their dissemination at the institutional level remains complex. The abundant literature on institutional entrepreneurship (initiated by DiMaggio in 1988) demonstrates the ability of some entrepreneurs to generate these changes. However, the literature has paid very little attention to the actions implemented by these institutional entrepreneurs to achieve this. This article aims to respond to this theoretical gap through an exploratory approach: an in-depth analysis over the course of the career of Jos de Blok, founder of the Buurtzorg home care network. The systematic classification of the semantic units that constitute his discursive universe makes it possible to propose an integrating model of the institutional entrepreneur (IE), and to know more about "who becomes an institutional entrepreneur?", "why does he become an institutional entrepreneur?" and "how does he do it?"

  • Innovation and healthcare: where are the entrepreneurs?

    • Health systems in developed countries are severely constrained by demographic evolutions and budgetary constraints. Innovation is often presented as the solution to meet these new challenges. Nevertheless, the current system shows its inability to integrate these changes without creating resistance from caregivers and from the patients themselves. As an alternative to the centralized management of those new challenges, we present an approach in which entrepreneurship makes it possible to restore meaning and concretize initiatives to improve care. The case of the ‘Buurtzorg’ home nursing network is analysed through the mediation of the Deleuzian concepts of creation-resistance, modulation of control and rhizome. This approach opens up new perspectives, both for the implementation of innovations in the health sector through entrepreneurial action, but also for the development of entrepreneurial approaches and theories specific to the health sector. To the question asked by Cutler in 2011, ‘where are the healthcare entrepreneurs?’, we show that the figure of the entrepreneur is essential for better care in the future.

Those articles show that innovation cannot be handled the same way in the healthcare sector as elsewhere.

What issues are specific to the healthcare sector?

During our interviews, two specific issues appeared quickly with regard to cybersecurity:

  • The need for common governance between the teams in charge of cybersecurity (CISO), the teams in charge of biomedical equipment (biomedical engineers) and the technical teams in charge of building management (including physical access). Many different protocols are also used within health organisations, so interoperability between systems is important.

  • The fact that the CE marking of medical devices is perceived by some CISOs as an obstacle to the cybersecurity of biomedical equipment. The new EU medical device regulation 2017/745 and an updated machinery directive will help relax that constraint, as the regulation includes security requirements which need to be dealt with before May 2022, similarly to what the FDA has already decided. The FDA even had to issue a statement to dispel the myth that patching a medical device is not possible. A potential research avenue is a way to formally verify the functional characteristics and the cyber profile of medical devices, as was done for instance by project Zarf. This may require new toolchains, as tools based on C for embedded systems have limitations, but industrial companies are wary of putting such tools in place, especially for equipment that needs to be supported for a long time.

However, the overall IT budget within a hospital is limited (on average 1.8% according to the French DGOS observatory), which limits what is possible.
