An innovative approach to information security in the healthcare sector

The closing conference of the "HEalth modELling" project ("HEEL"), which was managed by the Luxembourg Institute of Science and Technology (LIST) in partnership with GIE Smile and co-funded by ERDF and the Ministry of the Economy, was held on 10 December. The objective of the project was to improve the management of risks related to information security in the healthcare sector by means of developing a unique reference model.

The HEEL project took place in a specific context. Luxembourg had already been investing heavily in information security and risk management for several years, a field in which Luxembourg is strongly positioned to act as a reference. During the conference, François Thill, deputy executive advisor at the Ministry of the Economy, underlined the importance of not only reducing costs associated with information security for businesses and organisations, but also of making the implementation of risk management effective and less complex. Identifying common synergies, pooling efforts, and collaboration are some options for achieving this. It is in this same spirit that the different initiatives supported by the Ministry of the Economy are being conducted, and the HEEL project is fully in line with this strategy. Moreover, HEEL follows on from other projects that LIST has led during the past ten years in partnership with GIE Smile.

The project takes into account the greater integration of computerised systems in the field of healthcare in order to meet specific challenges within the sector (increases in costs and budget reductions, the increase in chronic diseases, and the accelerated development of medical technology). With the implementation of electronic patient files, the development of mobile medical devices, and the rise of social networks, the quantity of personal data circulating and associated risks are increasing significantly. At the same time, legislation on personal-data protection is being consolidated. During the conference, Alain Herrmann of the National Commission for Data Protection (CNPD) announced a forthcoming toughening of legislation on personal-data protection. Identifying, assessing, and managing risks associated with IT security is therefore becoming a crucial issue for all stakeholders in healthcare. Violaine Langlet, the legal officer in charge of personal-data protection at Agence eSanté, confirmed this at the conference.

The HEEL project was concerned with three subsectors in healthcare: analysis laboratories; radiology clinics; and emergency services. Workshops organised with representatives from these sectors, including Ketterthill, Les forges du Sud, and Robert Schuman Hospitals, allowed for risks to be modelled in terms of IT security. These models were then implemented in the MONARC tool, supplied by GIE Smile, and will shortly be accessible to those involved in these sectors for identifying, assessing, and dealing with their risks.

Thanks to the MONARC tool and the models developed upstream, stakeholders in these sectors will save valuable time in analysing and managing risks related to their operations. During the conference, Patrick Njiwoua, IT manager at Ketterthill, attested to the uses of the sectoral approach adopted for the project. The use of shared models in a shared platform increases the analytical and benchmarking capability of each of the stakeholders. The quality of analysis is also improved. Consequently, thanks to the HEEL project, analysis laboratories, radiology clinics, and emergency services would be able to have a shared framework, support, and method for successfully managing their risks.

This approach is, of course, applicable to the other healthcare subsectors. During the conference, new avenues for development were examined.

More info about the project