How do you ensure the security of medical data?
FEops is a Ghent-based scale-up active worldwide in the cardiovascular sector and generates more than 95% of its revenue abroad. The company has regulatory approval for the European, Australian, Canadian and US markets. This Ghent University spin-off is mainly active in the digital procedures that precede heart operations in the form of computer simulations. Thus, FEops supports cardiologists in planning their operations. In this preparatory phase, it uses CT images that it exchanges with the doctors. FEops then constructs a virtual model of the heart based on these images and simulates the operation in advance. It predicts certain parameters, such as the risks of complications and how the implant will behave in the patient.
We constantly exchange medical data via a cloud application. From this perspective, cybersecurity is becoming increasingly crucial for FEops
“Thanks to our support, the doctor can personally perform a virtual assessment of the operation and determine which implant will work best in the given circumstances,” explains CTO Peter Mortier. Another activity of the Ghent scale-up is advising companies that develop cardiovascular implants. In both cases, the cyber security of the exchanged digital files is critical, a fact that FEops has been working on more intensively in recent years.
Cybersecurity also increasingly crucial in the medical world
“We constantly exchange medical data via a cloud application. From this perspective, cybersecurity is becoming increasingly crucial for FEops,” says Peter Mortier. There is also pressure from regulators to meet increasingly stringent security standards. Some time ago, FEops was looking for a partner to help it comply with HIPAA, the American legislation on the protection of personal data in the medical sector and – with a few differences – the counterpart of the European GDPR. FEops entrusted this assignment to EY, which had submitted a solid and attractive proposal.
Peter Mortier, CTO FEops
Work in progress
EY advised FEops to follow a cybersecurity improvement program that it offers through its partnership with Flanders Innovation & Entrepreneurship (VLAIO). “It’s a fact that cybersecurity is a process that must be continuously monitored and refined. At the kick-off, EY collected information about the existing cyber situation through a series of interviews. After an interim report, EY conducted penetration tests with specialists (ethical hackers) who attempted to penetrate the FEops network. EY then produced a report with a detailed list of the aspects that could be improved”, says Peter Mortier. And he continues: “It was quite refreshing and instructive for us to receive an overview of our cybersecurity maturity from an external partner.”
After this Erik Aerts, EY Belgium Cybersecurity and Privacy Manager, advised on the implementation and follow-up of the actions in the report, to further integrate cybersecurity into business operations. This involved creating a risk register with associated ISMS manual and control measures based on ISO 27002:2022, further clarifying the technical shortcomings to help mitigate, and optimizing incident management whereby a procedure was drawn up to ensure the continuity of activities.
It was quite refreshing and instructive for us to receive an overview of our cybersecurity maturity from an external partner.
Erik Aerts: “EY prompted FEops to work on the ‘I’m compliant with cybersecurity’ quality mark, which can facilitate international collaborations. Moreover, FEops is currently implementing further actions recommended in the reports, so that it can now call itself GDPR and HIPAA compliant. This implementation was done based on a gap analysis conducted by EY. It looked at what FEops already had done and still needed to do in order to be HIPAA compliant.” Although HIPAA compliance was initially the goal of the cybersecurity improvement program, the scope was broadened to include preparation for ISO 27001 certification. The result: FEops now has a broader and clearer view of its information security management.
Taking information security to the next level
Thanks to EY’s cybersecurity improvement program and the recommendations, FEops is currently following the ISO 27001 framework to complete certification in 2023. Since hospitals are also raising the bar in the field of cybersecurity, certification can give FEops the necessary extra credibility and leverage.
EY prompted FEops to work on the ‘I’m compliant with cybersecurity’ quality mark, which can facilitate international collaborations.
Erik Aerts agrees: “Because FEops is committed to information security, trust and resilience contribute to a strong competitive advantage in the market.” At the same time, he remains cautious: “FEops must of course remain alert and increase cybersecurity awareness among its stakeholders. The improvement program brought to light a few technical as well as organizational issues (e.g., how it develops its cybersecurity policy in its business operations). It remains important that FEops continuously evaluates the overview.”
Interested in the changes we have made here,
contact us to find out more.