A scorecard to help improve hospitals’ cybersecurity

Oriol Castaño, 28 years old and a member of the Health DPO Office at the TIC Salut Social Foundation, has recently completed a master’s degree in Cybersecurity Management at the UPC School with a final mark of 9.7.

Oriol is responsible for the security of information that directly or indirectly affects the protection of health data. He works alongside the other members of the office, handling the technical side and the application of the National Security Scheme and ISO 27001, among other cybersecurity standards.

He studies the cybersecurity standards, guides and procedures that affect the health sector, preparing guides and summarised reports for organisations affiliated with the DPO Office. The Guide to Pseudonymisation in Health and the tool to evaluate the cybersecurity of mobile applications are two examples. He is also in charge of managing the web platform to perform Data Protection Impact Assessments designed by the DPO Office with the collaboration of The Chain Partners and the Observatory of Bioethics and Law (OBD) at the University of Barcelona.

He told us the following about his new training milestone:

What was your postgraduate dissertation about?

My dissertation was on defining a Cybersecurity scorecard for hospitals.

The aim of a cybersecurity scorecard is mainly to improve hospital cybersecurity by developing a management tool to find out their cybersecurity status and so help managers take decisions in this area.

The cybersecurity scorecard provides a tool that generates security status reports with metrics and indicators that help answer questions such as: “How are we tackling new challenges in cybersecurity?”, “How do we manage security controls to achieve the highest level of security?”, “How do professionals and patients perceive the hospital’s cybersecurity?”, “How does security contribute to performing and guaranteeing the service provided to the patient?” and, no less important, “Are citizens’ rights and freedoms being guaranteed?”.

To define this scorecard, I drew on the available standards in this area, such as the National Security Scheme, ISO 27001, NIST 800-55, the CISA handbook from ISACA and other indicators from cybersecurity management companies, such as BitSight.

In summary, this tool is intended to help improve the cybersecurity of public hospitals by ensuring and improving the continuity and resilience of health care for citizens in the current political, economic, social and cultural context.

What motivated you to specialise in the field of cybersecurity?

The rapid digital transformation that most sectors are undergoing is clearly accompanied by the arrival of new challenges and threats that affect, to a greater extent, infrastructure that is not in a position to detect, prevent and provide an effective response. In the health care sector today, cybersecurity is a task that still needs to be tackled.

The lack of a cybersecurity culture, protective tools and implementation of information security management systems, as well as the large-scale processing of special-category personal data, make organisations that offer such critical services, fundamental to society, particularly vulnerable.

During the Covid-19 pandemic, the health sector had to deal with cyberattacks of various kinds, mainly ransomware. Their main objective was to affect the availability of information systems and the data dependent on them. By taking advantage of the urgency, confidentiality and sensitivity of this data, cyber attackers demand a ransom to allow these information systems to be recovered.

What was the biggest challenge or difficulty you encountered when producing your dissertation?

A large part of the work involved studying and comparing the different cybersecurity standards. I specifically studied the sections on the generation of Status Reports, and management and compilation of indicators and/or metrics to produce Cybersecurity scorecards.

How was your experience at the DPO Office at the TIC Salut Social Foundation?

It was an excellent experience. On the one hand, I acquired very deep knowledge of data protection thanks to my colleagues’ knowledge and experience; and on the other hand, it allowed me to enter the world of cybersecurity.

Do there tend to be many health data security incidents?

Generally speaking, there are more than the system can handle, as there is currently a clear lack of professionals working in cybersecurity, the same as in other sectors.

Are the conclusions of your dissertation applicable to your work and that of the Office?

The management tool that I propose and define in the dissertation goes beyond the scope of work of the Office of the Data Protection Officer. Since it is a cybersecurity management tool, the Cybersecurity Agency of Catalonia (ACC) has legal powers over it. However, we have published the dissertation openly so that any health organisation can make it their own, use it as a reference guide and adapt it to their needs and circumstances.

What are your future job prospects now?

I will continue to specialise in the field of cybersecurity and contribute all the knowledge I gained from the UPC School postgraduate course. I would like to thank all my colleagues at the DPO Office, the director of the TIC Salut Social Foundation and all my other colleagues at the foundation for their unconditional support and encouragement to keep progressing.