24 February 2020

The European Union Agency for Cybersecurity (“ENISA”) has published the Procurement Guidelines for Cybersecurity in Hospitals. The aim of the report is to provide hospital procurement officers and chief information security officers (“CISOs”) / chief information officers (“CIOs”) with a comprehensive set of tools and good practices that can be adapted to the hospitals’ procurement process in order to ensure that cybersecurity objectives are met.

The report maps good practices onto the three distinct phases of the procurement lifecycle: plan, source and manage.

Hospitals are accordingly advised to adopt the following good practices for cybersecurity in procurement, which the report groups under general practices and under the plan, source and manage phases:

- Involve the IT department in procurement
- Vulnerability management
- Develop a policy for hardware and software updates
- Secure wireless communication
- Establish testing policies
- Establish Business Continuity plans
- Consider interoperability issues
- Allow auditing and logging
- Use encryption
- Conduct risk assessment
- Plan requirements in advance
- Identify threats
- Segregate network
- Establish eligibility criteria for suppliers
- Create dedicated RfP for cloud
- Require certification
- Conduct DPIA
- Address legacy systems
- Provide cybersecurity training
- Develop incident response plans
- Involve supplier in incident management
- Organise maintenance operations
- Secure remote access
- Require patching
- Raise cybersecurity awareness
- Perform asset inventory and configuration management
- Dedicated access control mechanisms for medical device facilities
- Schedule penetration testing frequently or after a change in the architecture/system

You can read the full text of the Guidelines here.

Should you have any queries and/or remarks, please do not hesitate to contact us.

Kind regards,

Zumbul Attorneys-at-Law