The Independent Public Voivodeship Integrated Hospital in Szczecin (SPWSZ) is the largest multidisciplinary hospital in the West Pomeranian Voivodeship. The facility is located in two parts of the city – on Arkońska Street and in Zdunowo – and provides assistance through specialist outpatient clinics and hospital departments, including emergency departments.
Facts and figures
Full name
Samodzielny Publiczny Wojewódzki Szpital Zespolony w Szczecinie
Industry
Hospital
Leader ERM
This implementation received the title of ERM Leader.
What did the client expect?
The Independent Public Voivodeship Integrated Hospital in Szczecin (SPWSZ) was looking for a partner to adapt the facility to the requirements of the Act on the National Cybersecurity System (KSC). For the hospital’s management, experience, references, and the ability to tailor the work to the hospital’s specific needs were crucial. They wanted a future partner who had documented projects in their portfolio related to the implementation of the KSC for other healthcare institutions. PBSG met these and other requirements, which led to the establishment of the partnership.
What did we do?
WE CONDUCTED AN AUDIT
The first stage included a baseline audit. The goal was to analyze and assess the actual state of security of the information systems used to provide critical services. We reviewed the documentation and the procedures in place, examining them for compliance with the National Cybersecurity System Act (KSC) as well as the related regulations and standards.
WE ASSESSED THE RISK
Next, we moved on to risk analysis and assessment. We identified and analyzed the systems necessary for the uninterrupted provision of the critical service. This gave us reliable knowledge about the nature and level of risk related not only to the system itself but also to the infrastructure through which the critical service is provided.
WE PREPARED THE DOCUMENTATION
After reviewing the hospital’s information system and resources to ensure compliance with the organizational and technical requirements for the key service operator, we prepared the required cybersecurity documentation. We focused on updating the existing documentation, organizing it, and refining the standards for new procedures.
WE CONDUCTED TRAINING SESSIONS
Ensuring an appropriate level of security is crucial, and a key factor is individuals' awareness of risks. Therefore, we conducted training sessions. We made sure that participants not only gained knowledge about the National Cybersecurity System but also acquired the skills needed to ensure a security level that aligns with the developed documentation.
What were the results?
The project involved the comprehensive implementation of the requirements set by the Act on the National Cybersecurity System. It was necessary to verify whether the organization had the required organizational and technical capabilities to ensure the proper level of security for the information system used to provide the critical service. According to the references provided by the client, PBSG fulfilled this task excellently.
Thanks to experience from other projects, we were able to propose a schedule tailored to the unit’s way of working, thus planning the stages in a way that would not interfere with its day-to-day operations. This was crucial because SPWSZ in Szczecin is the largest multi-specialist hospital in the region, which requires not only ensuring its operational continuity but also its overall security.
We divided the project into logical steps, the result of which was the development of the necessary documentation and staff training. As a result, SPWSZ in Szczecin gained assurance that it meets the requirements of the National Cybersecurity System Act.
What did the client gain?
Compliance with the requirements and obligations arising from the provisions of the Act on the National Cybersecurity System.
The required documentation that defines responsibilities, procedures, and risks that may disrupt the provision of the critical service.
An increased level of staff awareness in the area of information security.
An improved control process in the area of cybersecurity.