The Inter-American Development Bank (IDB) produced a guide on regulations, frameworks, standards and good practices on cybersecurity in health systems.
“Protecting digital health – A guide to cybersecurity in the health sector” is a document produced by IDB specialists Pablo Alzuri, Florencia Cabral, Santiago Nowersztern, and Pablo Libedinsky.
Digitization is one of the key axes for economic and social recovery, which the IDB proposes in its Vision 2025. In this sense, it is necessary to protect the digital space and understand the important role of cybersecurity in all digital transformation processes.
The guide explains that "cybersecurity in the health sector is particularly relevant due to the sensitivity of the information it handles," citing solutions such as electronic medical records, medical devices and telemedicine as examples.
In this sense, the IDB guide proposes a compilation and classification of global knowledge in terms of regulations, regulatory frameworks, standards, good practices, implementation guides, among other documents aimed at the implementation of cybersecurity.
The document proposes seven steps for the implementation of cybersecurity, taking into account the cybersecurity master plan as a management tool to meet the proposed objectives and goals:
- Include cybersecurity as a priority in the organization's strategic management.
- Define the organizational structure in cybersecurity.
- Define cybersecurity goals and objectives.
- Carry out a diagnosis of the current situation using a gap analysis.
- Develop a cybersecurity master plan.
- Execute the master plan.
- Evaluate the results and the remaining risk.
In addition, the IDB has developed iadb-tools.org, a cybersecurity self-assessment tool that helps organizations identify gaps and obtain recommendations for preparing the master plan. In this way, those responsible for organizations can evaluate their cybersecurity situation against industry best practices.
The document retrieves the most important tools within health ecosystems and classifies them into four groups: frameworks, controls, guides and regulatory framework. "It is always important to emphasize that the joint use of these tools will give consistency to the system as a whole, from regulation, implementation, execution, and control and monitoring," the authors explain.
The frameworks include tools such as ISO/IEC 27001:2013 and the NIST Cybersecurity Framework v1.1, among others. The controls include the SANS – CIS Critical Security Controls, a publication on computer security best practices.
The regulatory frameworks include GDPR and HIPAA, the applicable laws in the European Union and the United States respectively. Finally, the guides include publications from the United States National Institute of Standards and Technology (NIST), among others.
In this context, the authors conclude that "one of the main challenges organizations face is choosing which methodologies, standards and good practices to follow in terms of information security."
The complete guide is available at the following link: https://publications.iadb.org/publications/spanish/document/protegiendo-la-salud-digital-una-guia-de-ciberseguridad-en-el-sector-de-salud.pdf