Healthcare
Risk Management
Cyber Resilience

A Predictive, Proactive Approach to the Governance of Medical Devices

Stefano Scaramuzzino
Fabio Battelli
Nov 25, 2024

This is Part 1 of a two-part series written by Stefano Scaramuzzino of ASL Roma 1, Italy’s largest local health authority, and Fabio Battelli of Deloitte. Part 2 covers how ASL Roma 1’s HyperSOC is using predictive models to structure its cybersecurity program.

In an increasingly interconnected and constantly evolving healthcare environment, there are numerous challenges that hospitals must face to guarantee patients high-quality health services, avoid interruptions in supply, optimize the use of devices, and effectively manage cyber risks. These challenges require the use of cutting-edge technologies and real-time availability of diverse data and information.

Cybersecurity within healthcare has therefore become an essential strategic priority, not only for data protection but also to ensure the continuity of services. Based on publicly available information, in Italy the healthcare sector in 2023 was the fourth most affected by successful cyberattacks, suffering 9% of all incidents. There were 624 reported healthcare-related cyberattacks in 2023, a sharp rise from previous years, according to the Clusit Report, published by the Italian Association for Information Security.

Healthcare cybersecurity attacks, 2018-2023. Source: Clusit.

Therefore, the ability to prevent, detect, and quickly respond to cyberattacks has become crucial, making cybersecurity a priority. To ensure security within the sector, it is essential to promptly identify and manage vulnerabilities in electromedical devices and related IT systems, in order to ensure the confidentiality of sensitive patient data, protect patients’ health, and guarantee business continuity. This is especially relevant because, given the peculiarities of the healthcare sector, a cyberattack could have disastrous consequences for patients’ health and lives if the electromedical devices needed for diagnosis and clinical treatment become unavailable or malfunction.

CIA Inside Healthcare Delivery Organizations

It’s also important to understand the main impacts on IT infrastructure that affect the healthcare sector:

  • Impacts on availability: temporary halt to the provisioning of at least one service in most cases, with the following distribution:

    • blocking of at least two services;

    • blocking of all services except one;

    • blocking of all IT services;

  • Impacts on confidentiality: data exfiltration, with and without encryption;

  • Impacts on integrity: changes to data integrity.

EMEA Compliance Mandates for HDOs

To mitigate these risks, ensure the continuity of essential services, and minimize the exposed attack surface, it is essential that healthcare organizations comply with the relevant regulations, such as, but not limited to:

  • Regulation 2016/679 (General Data Protection Regulation: GDPR);  

  • Regulations 2017/745 and 2017/746 related to requirements definition for medical devices sold on the European market;

  • Directive (EU) 2022/2555 Network and Information Security (NIS2), transposed into Italian law by Legislative Decree No. 138 of 04/09/2024;

  • Law 90/2024 (Provisions on the strengthening of national cybersecurity and computer crimes);

  • 2022 European Regulation, adopted in 2024, aimed at defining cybersecurity requirements applicable to connected products (Cyber Resilience Act).

Compliance with these regulations allows organizations to avoid administrative penalties and reputational damage, to reduce the likelihood of business interruptions, and to avoid being held legally liable for any damage caused by data security breaches.

GDPR, NIS2 Directive, and Law 90/2024 require that organizations adopt advanced protection measures to prevent cyberattacks, ensure the continuity of services, and emphasize the importance of adopting innovative technologies to improve the cyber resilience of critical infrastructure. 

In addition, it is crucial for a healthcare company to protect its data from incidents such as data breaches and data exfiltration, in compliance with GDPR and current regulatory obligations. These measures allow hospitals to safeguard sensitive data and patient safety and to preserve the reputation of the organization. Beyond the regulations directly applicable to healthcare organizations, and with the aim of supporting the EU’s security-by-design principle, European authorities have over the years drawn up regulatory instruments that also involve medical device manufacturers. Compliance with these regulations is crucial to ensure high security standards within the European Union.

Visibility, Device Optimization Key Security Strategies

The evolution of increasingly sophisticated and pervasive cybersecurity threats, stringent and specific regulatory requirements, and the need to maximize the operational efficiency of electromedical devices aimed at providing a continuous and valuable service, introduce numerous challenges for security leaders operating in the healthcare sector. These challenges include:

  • The need to obtain horizontal visibility on the cyber risks of the entire organization infrastructure in order to effectively manage it;

  • The optimization of the use of medical devices aimed at making asset management more efficient.  

This translates to a need to gain complete visibility of available assets, both from the point of view of cybersecurity and from the point of view of medical device usage metrics. One way to obtain a unified and centralized view is the use of a data lake that allows CISOs to aggregate data from different heterogeneous sources, including medical devices, clinical applications and IT infrastructure, and thus allows integrated analysis aimed at optimal resource management and security improvement. This analysis is of fundamental importance in order to ensure compliance with the Decree-Law on waiting lists, which prescribes accurate and continuous monitoring to reduce waiting times and optimize the services offered. 
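As an added illustration of the integrated analysis described above (example code, not from ASL Roma 1 or Deloitte): three constructed feeds, standing in for a device inventory, security findings and clinical usage records, are joined on a device identifier to give each device both a risk score and a utilization figure. Field names, weights and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample feeds; the field names are illustrative, not any product's schema.
DEVICE_INVENTORY = [  # e.g. from asset management / clinical engineering
    {"device_id": "mri-01", "type": "MRI", "os": "Windows 7", "unsupported_os": True},
    {"device_id": "inf-12", "type": "Infusion pump", "os": "RTOS", "unsupported_os": False},
    {"device_id": "ct-03", "type": "CT", "os": "Windows 10", "unsupported_os": False},
]
SECURITY_FINDINGS = [  # e.g. from vulnerability scanning / network monitoring
    {"device_id": "mri-01", "severity": "high"},
    {"device_id": "mri-01", "severity": "medium"},
    {"device_id": "ct-03", "severity": "high"},
]
USAGE_EVENTS = [  # e.g. from clinical applications: minutes of exam/therapy time per device
    {"device_id": "mri-01", "minutes": 480},
    {"device_id": "ct-03", "minutes": 120},
    {"device_id": "inf-12", "minutes": 1200},
]

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed weighting
UNSUPPORTED_OS_PENALTY = 2                              # assumed extra exposure for end-of-life OS


def build_unified_view(inventory, findings, usage, shift_minutes=600):
    """Join the three feeds on device_id; derive a risk score and a utilization ratio per device."""
    risk = defaultdict(int)
    for f in findings:
        risk[f["device_id"]] += SEVERITY_WEIGHT.get(f["severity"], 0)
    minutes = defaultdict(int)
    for u in usage:
        minutes[u["device_id"]] += u["minutes"]
    view = {}
    for dev in inventory:
        did = dev["device_id"]
        score = risk[did] + (UNSUPPORTED_OS_PENALTY if dev["unsupported_os"] else 0)
        # Utilization is capped at 1.0 so devices running beyond one shift do not skew the ranking.
        view[did] = {"type": dev["type"], "risk_score": score,
                     "utilization": round(min(minutes[did] / shift_minutes, 1.0), 2)}
    return view


def prioritize(view, risk_threshold=3, utilization_threshold=0.5):
    """Devices that are both exposed and heavily used: an outage would hit patient services hardest."""
    return sorted(d for d, v in view.items()
                  if v["risk_score"] >= risk_threshold and v["utilization"] >= utilization_threshold)


def underutilized(view, utilization_threshold=0.3):
    """Devices with spare capacity, a starting point for redistributing load and shortening waiting lists."""
    return sorted(d for d, v in view.items() if v["utilization"] < utilization_threshold)
```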

Knowing one's technological ecosystem is useful in order to improve operational efficiency and resource allocation and to prevent and respond to cyber threats. This is especially important in light of the digitization of the healthcare world, which opens up new opportunities but at the same time considerably expands the attack surface. That expansion comes from the extensive use of medical devices offering advanced features for the diagnosis, monitoring and treatment of patients, the spread of electronic registers for rapid access to health information, and telemedicine, which opens new perspectives for the management of healthcare processes.

Furthermore, in the field of Italian healthcare, the evolution of the technological landscape clashes with ecosystems often characterized by the presence of obsolete systems that result in inefficiencies such as the lengthening of waiting lists and, consequently, the reduced timeliness of diagnoses. 

Predictive Possibilities for HDOs

In this context, the correlation between population demographics and the demand for health services, made possible by advanced data analysis within a data lake, can offer the possibility of predicting peaks in use and making the distribution and use of resources within health facilities more efficient. 

Gaining greater visibility is essential in order to optimize the management of multiple and varied assets, while strengthening the level of security and cyber resilience of heterogeneous environments. It is therefore necessary to carry out an environmental discovery activity to identify the sources from which to collect data which, once analyzed and processed, make it possible to visualize relevant metrics and information.

This is a crucial issue within the healthcare sector, as confirmed by Gartner, whose 2024 survey highlighted the priorities of the CIOs who took part in the study.

The "2025 CIO Agenda: Top Priorities and Technology Plans for Healthcare Providers" provides an overview of the subset of respondents working in healthcare. Based on the responses obtained, the third-largest area of technology investment for 2025 is "Data and analytics architecture and tools," with 43% of respondents placing this area among their five most relevant.

In first and second place, with 66% and 50% of the answers respectively, were "Cybersecurity tools, strategic risk management" and "Artificial intelligence applications, cognitive computing, Generative AI."

It is interesting to note that the project developed at ASL Roma 1, presented in part 2 of this series, concentrates on all three of these areas.

Stefano Scaramuzzino
Technical Manager, Cybersecurity ASL Roma 1

Stefano Scaramuzzino is the cybersecurity team leader and network and information systems manager, for ASL Roma 1, Italy's largest local health authority.

Fabio Battelli
Partner, Cyber Risk Services

A partner at Deloitte Italy Cyber Risk Services, Battelli has 16 years of consulting experience with a specific focus on ICT/cybersecurity, where he is a well-recognized trusted advisor and subject matter expert in critical infrastructure protection (CIP).
