SAFECARE have provided a response to the public consultation on the Roadmap for the Critical Infrastructure Protection Directive. The feedback is as follows:
We note that the European Programme for Critical Infrastructure Protection (EPCIP) set out in 12 December 2006 that the focus area for identification and designation of European critical infrastructures (ECIs) was limited to the transport and energy sectors. The ‘Inception Impact Assessment’ (Ares(2020)3202859, dated 19/06/2020) nominates a number of CIP-relevant initiatives (p1, footnote 1) though these do not apply directly to the healthcare sector. At the same time, under the problems that the initiative aims to tackle, the lack of ‘sufficient comprehensiveness for coordination and response mechanisms’ explicitly lists “pandemics (as the Corona virus crisis)” as of “growing concern”. Similarly under ‘likely societal impacts’, this assessment lists “impact on public health […] due to better protected infrastructures.”
In terms of the options presented as being considered by the Commission, ‘Option 3 – New requirements for European critical infrastructures’ is defined as: “the approach would remain asset focused […] with the scope potentially expanded to include sectors beyond energy and transport.”
It is our recommendation that explicitly considering healthcare systems as ECIs is of upmost importance, moreover as healthcare structures are crucial when attacks on other critical systems (transport and energy) are made, suffering cascading effects. At this time of pandemic in particular, cross-border coordination of healthcare provision within the Union is highlighted; although more visible during this crisis, in fact cross-border coordination is an implicit part of the crisis preparedness between member states’ healthcare provision – during large-scale crises patient care is often split between different members states. It is also during crises like COVID-19 that the impacts of bad actors are brought to prominence.
The SAFECARE project, during the COVID-19 crisis, has been collecting reports of security incidents across the Union. While some of these are petty crimes (e.g. theft of PPE), whose detection and prevention are already a matter of course for national crime authorities, others are sophisticated attacks – we have collected evidence of spear-phishing attacks on health systems, and internationally there are a number of reports of serious and coordinated intrusions into systems concerning vaccine development.
The Commission Staff Working Document ‘Evaluation of Council Directive 2008/114 […]’ (SWD(2019) 310 final) indeed states (pp10-11) that “Member States associated CI with things like ‘vital societal functions’, ‘health’ […]”, and further that “CIP measures in 22 Member States have a wider sectoral scope than that of the Directive and consider sectors such as banking and finance, healthcare […]”.
It is worth mentioning that under the H2020 Work Programme Topic ‘CIP-01-2016-2017 – Prevention, detection, response and mitigation of the combination of physical and cyber threats to the critical infrastructure of Europe’, SAFECARE was funded alongside the project ‘FINSEC: Integrated Framework for Predictive and Collaborative Security of Financial Infrastructures’ project (grant agreement 786727), and these projects have coordinated in delivering an awareness event in Leuven on 18/09/2019, together with the project ‘SPHINX: A Universal Cyber Security Toolkit for Health-Care Industry’ (grant agreement 826183), and well as in publishing a book ‘Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures’ together with FINSEC and SPHINX and with the projects ‘RESISTO: RESIlience enhancement and risk control platform for communication infraSTructure.