In recent years, many pervasive systems for healthcare have been proposed, discussed and sometimes realised. Pervasive healthcare is highly multifaceted, with many applications focusing on interoperability with the legacy hospital assets, the "traditional hospital", the security and privacy of sensitive information and the usability of end users. The notion of smart hospitals is introduced when Internet of Things (IoT) components are supporting core functions of a hospital. Collaboration among various stakeholders, numerous interconnected assets and high flexibility requirements do not only lead to complexity and dynamics but also to blurred organisational boundaries. Due to the great number of significant assets at stake (patient life, sensitive personal information and financial resources) information security is a key issue for smart hospitals. Threats to smart hospitals are, however, not limited to malicious actions in terms of their root cause. Human errors and system failures as well as third-party failures also play an important role. The risks that result from these threats and corresponding vulnerabilities are typically mitigated by a combination of organisational and technical security measures taken by smart hospitals which comprise good practices. With respect to organisational measures, compliance with standards, staff training and awareness raising, a sound security organisation, and the use of guidelines and good practices are particularly relevant. Relevant technical measures include network segmentation, asset and configuration management, and network monitoring and intrusion detection. However, manufacturers of information systems and devices used in smart hospitals have to take certain measures too. Among them are, for instance, building security into products from the outset, adopting secure coding practices and extensive testing. Based on the analysis of documents and empirical data, and the detailed examination of attack scenarios found to be particularly relevant for smart hospitals, the study proposes key recommendations primarily for hospital executives. Namely hospitals should: - Establish effective enterprise governance for cyber security - Implement state-of-the-art security measures - Provide specific IT security requirements for IoT components in the hospital - Invest in NIS products - Establish an information security sharing mechanism - Conduct risk assessment and vulnerability assessment - Perform penetration testing and auditing - Support multi-stakeholder communication platforms (ISACs) The study also makes recommendations for industry representatives in order to enhance the level of information security in smart hospitals. Namely industry players should: - Incorporate security into existing quality assurance systems - Involve third parties (healthcare organisations) in testing activities - Consider applying medical device regulation to critical infrastructure components - Support the adaptation of information security standards to healthcare
