Leave a ReplyWant to join the discussion?
Feel free to contribute!
Cybersecurity public-private partnerships (PPPs) for the health sector are considered essential to tackle new challenges and risks of information and communications technologies (ICTs) across the healthcare industry. Given the fact that the private sector plays a substantial role in the provision of healthcare — either as a direct provider of medical services, or as a supplier of medical equipment, governments should take the private sector as a crucial partner in their national cybersecurity endeavours. Hence, partnering with the private sector is vital for attainment of national cybersecurity goals in the healthcare sector and critical infrastructure (CI) in general.
Amid the COVID-19 pandemic, forging partnerships with the private sector has proven more critical than ever before. CI protection is now at the forefront of current political debates and there are many efforts underway to better secure sectors considered as CI; including the communications, chemicals, transportation, energy, and financial services sectors.
Cybersecurity PPPs have been accentuated as the backbone of national cybersecurity strategies (NCS). For instance, the International Telecommunications Union (ITU) refers to the PPPs to be a ‘cornerstone’ of NCS of effectively protecting national CI. However, despite the fact that governments acknowledge cybersecurity PPPs to be of utmost importance and crucial to better secure CI in their NCS, partnerships in reality end up in a lot of vagueness.
For almost two decades, the USA has been working on the establishment of PPPs. The aim was to coordinate security planning and information sharing within and across all 16 CI sectors, including healthcare.
Former US President Barack Obama pioneered PPPs when he took office in 2009. He said his administration would pursue a ‘new comprehensive approach’ in the pursuit of combating cyber threats in a speech:
The Federal government cannot succeed in the many facets of securing cyberspace if it works in isolation. The public and private sectors’ interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend. Government and industry leaders—both nationally and internationally—need to delineate roles and responsibilities, integrate capabilities, and take ownership of the problem to develop holistic solutions. Only through such partnerships will the United States be able to enhance cybersecurity and reap the full benefits of the digital revolution.
The USA’s model is a great example that portrays how the PPPs might work in practice. To illustrate, the National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience serves as the umbrella framework for a partnership approach between the government and the private sector. In a nutshell, NIPP develops mechanisms for collaboration and establishes requirements for partnership between business industry, operators, and government agencies.
Even more significant in the US model which should be especially acknowledged is that PPPs are sector specific. This implies that the PPPs can be centered on a diverse risk landscape within the given sector. Accordingly, the bedrock of every CI sector´s specific goals is the so-called Sector-Specific Plan and is focused on the unique operating conditions.
In addition, each one of the 16 CI sectors has its own institutions:
An instance of such a PPP in the healthcare sector is the Healthcare and Public Health Sector-Specific Plan. The plan defines goals and takes into consideration the uniqueness of the healthcare sector and its threat landscape.
The model of PPP of the healthcare sector in the USA consists of a Government Coordinating Council made of government partners and a Sector Coordinating Council made of private sector partners. Both councils collaborate through joint working groups. The Cybersecurity Working Group addresses emergent cyber threats to health information and IT systems.
Typically, EU member states recognise the need of public-private engagement in the critical infrastructure protection (CIP) and put emphasis on developing cooperation with business entities in their respective NCS.
There are two formal structures that aim to enhance the cooperation in the national cybersecurity endeavours in the EU – PPPs and Information Sharing and Analysis Centres (ISACs).
ISACs are trusted entities or non-profit organisations that foster information sharing between public and private entities. ISACs in the EU were established following the US model of sectoral ISACs which have proven to be effective in the overall improvement of cybersecurity. In comparison to the PPPs, ISACs are more formal in their nature.
With regard to PPPs, according to the European Union Agency for Cybersecurity (ENISA), today there are more than 15 member states that have established an official PPP. Unlike in the US model, these partnerships are developed to carry on specific projects; such as a national cyber security exercise or a cybersecurity awareness campaign (European Cybersecurity Month) or research and development. Nevertheless, ENISA raises the weakness of these partnerships and points to the need for a clear framework specifying the roles of the public and private sectors, their relationships and the areas for cooperation.
Current EU legislation in the field of cybersecurity (e.g. the NIS Directive (NIS) and Cybersecurity Act) encourages MS to create sectoral ISACs and PPPs.
On the EU level, only three ISACs exist that are sector-specific – the financial/banking sector, the energy sector, and the aviation sector. The European Cyber Security Organisation (ECSO) suggests creating a single pan-European ISAC that should be led by public healthcare organisations. Healthcare ISAC would clearly improve the overall cooperation of private and public entities under the umbrella of PPP.
National and institutional cybersecurity goals in the healthcare sector can’t be achieved without partnerships with the private sector. Yet, partnerships can bring many obstacles and challenges, mostly associated with lack of trust and transparency that leads to poor information sharing which can be described as a vicious circle.
We recommend the policy action points below to develop an effective cybersecurity PPP in the healthcare sector:
On a separate note, another important aspect that should be taken into consideration when developing a PPPs is the supply chain. Various healthcare solutions (hardware and software) are a product of layers of components by multiple suppliers (and suppliers of suppliers) across the world. Often, even the manufacturers of end-products for the health sector don’t really know what’s in the final product; let alone the health sector itself as a user. Many of those components within are created by open source community, startups, etc, and are vulnerable – exploiting one such vulnerability compromises the entire supply chain and the final product. Thus it is important to involve these various communities of producers of pieces of code or IoT hardware which end up in final products in the health industry.
Want to learn more about cybersecurity, digital diplomacy, and internet governance? Visit Diplo’s courses page for all our available courses and to enrol: https://www.diplomacy.edu/courses/
Everyone should be aware of the basic aspects of cybersecurity.
Such awareness helps a person to prevent any major data breach which could cost a lot. A person should follow different types of technology-related blogs to learn more in this regard or should take suggestions from an experienced professional.
The biggest advantage is that the best in IT security cyber security solutions can provide comprehensive digital protection to your business. This will allow your employees to surf the internet as and when they need, and ensure that they aren’t at risk from potential threats.