CyberStandard

Cybersecurity: Cyber resiliency in healthcare

FOREWORD

The Digital Governance Standards Institute (DGSI) develops digital technology governance standards fit for global use. The Institute works with experts, as well as national and global partners and the public to develop national standards that reduce risk to Canadians and Canadian organizations adopting and using innovative digital technologies in today’s digital economy.

DGSI standards are developed in accordance with the Requirements & Guidance – Accreditation of Standards Development Organizations, 2019-06-13, established by the Standards Council of Canada (SCC).

Attention is drawn to the possibility that some of the elements of this Standard may be the subject of patent rights. DGSI shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of this Standard are included in the Introduction.

For further information about DGSI, please contact:

Digital Governance Standards Institute
500-1000 Innovation Dr.
Ottawa, ON K2K 3E7
www.dgc-cgn.org

A National Standard of Canada is a standard developed by a Standards Council of Canada (SCC) accredited Standards Development Organization in compliance with requirements and guidance set out by SCC. More information on National Standards of Canada can be found at www.scc.ca.

SCC is a Crown corporation within the portfolio of Innovation, Science and Economic Development (ISED) Canada. With the goal of enhancing Canada’s economic competitiveness and social well-being, SCC leads and facilitates the development and use of national and international standards. SCC also coordinates Canadian participation in standards development and identifies strategies to advance Canadian standardization efforts.

Accreditation services are provided by SCC to various customers, including product certifiers, testing laboratories, and standards development organizations. A list of SCC programs and accredited bodies is publicly available at www.scc.ca.

INTRODUCTION

This is the First Edition of CAN/DGSI 118:2023, Cybersecurity: Cyber resiliency in healthcare.

CAN/DGSI 118:2023 Cybersecurity: Cyber resiliency in healthcare was prepared by the Digital Governance Standards Institute Technical Committee 5 (TC 5) on cyber security, comprised of over 180 thought leaders and experts in cyber security and related subjects. This Standard was approved by a balloting group formed by the Technical Committee, comprised of 4 producers, 4 government / regulator / policymakers, 3 users, and 4 general interests.

All units of measurement expressed in this Standard are in SI units (International System of Units).

This Standard is subject to technical committee review beginning no later than one year from the date of publication. The completion of the review may result in a new edition, revision, reaffirmation or withdrawal of the Standard.

The intended primary application of this Standard is stated in its scope. It is important to note that it remains the responsibility of the user of the Standard to judge its suitability for a particular application.

This Standard is intended to be used for conformity assessment.

The Digital Governance Standards Institute gratefully acknowledges and thanks HealthCareCAN for its vision, support and collaboration to co-develop CAN/DGSI 118, Cybersecurity: Cyber resiliency in healthcare. HealthCareCAN is the national voice of action for health organizations and hospitals across Canada. It advocates in support of health research and innovation, works to enhance access to high-quality health services for Canadians, and empowers health professionals through best-in-class learning programs. www.healthcarecan.ca

The Digital Governance Standards Institute acknowledges the financial support of Public Safety Canada.

ICS 03.100.01; 35.030

CONTEXT

Canadian healthcare organizations are often the targets of cyber attacks including, but not limited to, business email compromise, social engineering attacks, ransomware attacks, and data exfiltration. Outcomes of such cyber attacks include system outages, operational impacts, delays and increased patient care wait times, redirection of urgent care or critical patients to other facilities, privacy breaches, data loss, data integrity issues, etc. Healthcare organizations lack the resources to implement a comprehensive cybersecurity framework and innovative technological solutions to prevent cyber attacks. Recognizing the need for baseline cybersecurity controls that should be established at each healthcare organization, this standard outlines the most impactful cybersecurity controls.

Further contextual details and sample case examples related to cybersecurity breaches at healthcare organizations can be found in Annex A.

Considerations for Virtual Care (virtual visits, remote patient monitoring, patient apps)

Virtual Visits

Virtual visits are clinical encounters between patients and care providers occurring remotely using various forms of electronic communication, such as radio, audio or videoconferencing, secure messaging, or file exchange, with the aim of securely facilitating and maximizing the quality, efficiency and effectiveness of patient care. A virtual visit may be synchronous (occurring in real time) or asynchronous (involving intermittent communication between the clinician and patient). Unlike meeting physically in the clinical or hospital setting, each of these new technologies can introduce challenges for ensuring the privacy and security of patient information.

Remote Patient Monitoring

Remote Patient Monitoring (RPM) involves the application of technology to enable the monitoring and reporting of a patient’s health data in the patient’s home or other non-clinical settings. The benefits of these programs include improved patient quality-of-life and better outcomes.

The processes and technologies (i.e., devices and applications) that are prescribed may be owned by the healthcare organization or may be third-party solutions that enable the collection and/or transmission of health information collected in non-clinical, patient-controlled settings to a central point for consolidation. The consolidation point is designated or controlled by the healthcare organization.

In some cases, RPM devices may be considered "medical devices". Regulatory agencies in Canada and the U.S. have issued guidance based on medical device definitions, the intended purpose of products and the risks associated with the potential for the device or system to cause harm. In Canada, information is available from Health Canada on a dedicated website for guidance documents for medical devices, while the United States of America Food and Drug Administration (FDA) issued the "Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff" on September 25, 2013.

The remote patient monitoring devices and applications mentioned above present a unique set of challenges. Healthcare organizations are also encouraged to include mobile application-related considerations when evaluating RPM applications that run on mobile devices.

Considerations for Health Tech (cloud, IOT, legacy) and operational technology (OT)

Cybersecurity risks to medical devices are continually evolving; therefore, it is not possible to completely mitigate all risks at the time of installation. Healthcare organizations manage cybersecurity risks associated with medical devices by implementing a separate or parallel risk management program to protect, monitor and respond to vulnerabilities identified in medical devices. Medical devices include Internet of Things (IOT) devices (e.g., an X-ray machine) and wearable devices, which may connect via Ethernet, Bluetooth, Wi-Fi and other protocols.

As healthcare organizations adopt Operational Technology (OT) interconnected with their IT and IOT systems to support the physical operations of their environment, appropriate OT security is required to protect the data being collected by OT as well as to ensure the availability and reliability of the technology. The cyber resiliency strategies covered in this standard apply to both IT and OT. Consideration should also be given to the necessity of securing artificial intelligence (AI) and machine-learning solutions within OT environments.