Aligned with the guidelines of the Cybersecurity Act and the existing guidance on cybersecurity for medical devices, ENTRUST envisions a Trust Management Architecture intended to dynamically and holistically manage the lifecycle of connected medical devices, strengthening trust and privacy in the entire medical ecosystem. Even from the proposal stage, ENTRUST has identified gaps and necessary revisions of the current guidance (e.g., absence of post-market conformity and certification, real-time surveillance and corrective mechanisms – see 1.2.2). Towards that ENTRUST will leverage a series of breakthrough solutions to enhance assurance without limiting the applicability of connected medical devices by enclosing to them cybersecurity features. The project will introduce a novel remote attestation mechanism to ensure the device’s correct operation at runtime regardless of its computational power; will be efficient enough to run in also resource-constrained real-time systems such as the medical devices. This will be accompanied by dynamic trust assessment models capable of identifying the Required Level of Trustworthiness (RTL) per device and function (service) that will then be verified through a new breed of efficient, attestation mechanisms (to be deployed and executed during runtime). This will also enable us to be aligned with the existing standards on defining appropriate Protection profiles per device (especially considering the heterogeneous types of medical devices provided by different vendors with different requirements) including Targets of Validation Properties to be attested during runtime. The motivation behind ENTRUST is to ensure end-to-end trust management of medical devices including formally verified trust models, risk assessment process, secure lifecycle procedures, security policies, technical recommendations, and the first-ever real-time Conformity Certificates to safeguard connected medical devices.

Hospitals and care centres are prime targets for cyber criminals, especially concerning data theft, denial-of-service and ransomware. This reflects the need of Healthcare Institutions for a Holistic Cyber Security vulnerability assessment toolkit, that will be able to proactively assess and mitigate cyber-security threats known or unknown, imposed by devices and services within a corporate ecosystem. SPHINX aims to introduce a Universal Cyber Security Toolkit, thus enhancing the cyber protection of Health IT Ecosystem and ensuring the patient data privacy and integrity. SPHINX toolkit will provide an automated zero-touch device and service verification toolkit that will be easily adapted or embedded on existing, medical, clinical or health available infrastructures, whereas a user/admin will be able to choose from a number of available security services through SPHINX cyber security toolkit. The SPHINX toolkit will enable service providers to specify complete services and sell or advertise these through a secure and easy to use interface. SPHINX Toolkit will be validated through pan-European demonstrations in three different scenarios. The operational properties of the proposed cyber-security ecosystem and overall solution will be validated and evaluated against performance, effectiveness and usability indicators at three different countries (Romania, Portugal and Greece). Hospitals, care centers and device manufacturers participating in the project’s pilots will deploy and evaluate the solution at business as usual and emergency situations across various use case scenarios.

The SECANT platform will enhance the capabilities of organisations’ stakeholders, implementing (a) collaborative threat intelligence collection, analysis and sharing; (b) innovative risk analysis specifically designed for interconnected nodes of an industrial ecosystem; (c) cutting-edge trust and accountability mechanisms for data protection and (d) security awareness training for more informed security choices. The proposed solution’s effectiveness and versatility will be validated in four realistic pilot use case scenarios applied in the healthcare ecosystem. Ultimately, SECANT will contribute decisively towards improving the readiness and resilience of the organisations against the crippling modern cyber-threats, increasing the privacy, data protection and accountability across the entire interconnected ICT ecosystem, and reducing the costs for security training in the European market.