H2020 - ProTego - 1st Periodic Review - Consensus Report v01 - RG

EUROPEAN COMMISSION

DG CONNECT
Communications Networks, Content and Technology
Directorate H - Digital Society, Trust & Cybersecurity
Unit H3 – eHealth, Well-being & Ageing

CONSENSUS REVIEW REPORT

Grant agreement (GA) number: 826284

Project acronym: ProTego

Project title: Data-protection toolkit reducing risks in hospitals and care center

Type of action: RIA

Start date of the project: 01/01/2019

Duration of the project: 36 (end date: 31/12/2021)

Name of primary coordinator contact and organisation: Luis Carrascal (GFI INFORMATICA)

Period covered by the report: from 01/01/2019 to 30/06/2020 (M1-M18)

Periodic report/Reporting period number: Not yet available / 1st periodic review

Date of first submission of the periodic report: 28/8/20

Expert: Rui Gomes, Albert Haro, Zoi Kolitsi

Project officer: Reza Razavi

1. Overall assessment

1. Overall assessment [Pls. select only one option]

The project has achieved most of its objectives and milestones for the period, with relatively minor
deviations.

The project has achieved some of its objectives and milestones. However, corrective action will be
required. (RG: I agree this is the best option, since not all objectives were accomplished)

[The project achieved its objectives and milestones for the period]

The project has failed to achieve critical objectives and/or milestones and/or is severely delayed.

2. Significant results linked to dissemination, exploitation and impact potential


[Pls. select only one option]

The project is likely to provide results with significant immediate or potential impact in the next
reporting period (even if not all objectives mentioned in the Annex 1 GA were achieved).

Give the most significant exploitable results delivered by the project during the period under review, mentioning for
each: type and purpose of result; which group of stakeholders could exploit it; how it is made available for
stakeholders (dissemination channel, IPR issues); expected impact.

There is good progress in all technology WPs, some of which have already delivered results that have
become exploitable, namely the parquet components of WP5, which have culminated in extensions of
FIHR (RG: FHIR) and are therefore already exploitable by the eHealth community. Others hold
significant promise, such as the network slicing, which has delivered several publications and has
been brought close to the deployment stage, again with a broad potential audience of stakeholders;
however, it is unclear at this stage by what means the project will make it available to these
stakeholders beyond publications, as there was no updated exploitation deliverable due at this stage.

The risk assessment tools (System Security Modeller and Security Information and Event Management)
and the cybersecurity mitigation tools (Continuous Authentication, Data Gateway, Access Control
Framework and Network Slicing) are at an early stage of development but have demonstrated good
progress, especially as concerns the inclusion of IoT and BYOD specific functionalities.
Exploitation actions to launch a spin-off company to exploit SSM are appreciated. Noteworthy in
exploitation terms is the extension of the cyber security risk assessment knowledge base and the
usability enhancements in the SSM tool.

Educational materials for healthcare staff could, with some improvements, be exploited also beyond the
project, to train health care workers and patients.

Machine reasoning is an interesting research aspect but at a very early stage of definition.

Improvements in advanced encryption of medical data implemented in the ProTego project using the
standards developed within the Apache Parquet community have already demonstrated good exploitation
potential.

Four additional scientific publications have been published since the last review.

The impact of these components however is yet to be demonstrated, and it will depend very much on
the ability of the project to design and carry out a proper set of testing, verification and validation
activities that are well targeted to creating the needed evidence for acceptance by an audience far
beyond the two participating care providers.

3. General comments

[insert general comments]

Give your overall assessment of the project activities (based on the description of the action (DoA-Annex 1) and the
deliverables and reports submitted), and in particular on the following:
- results:

main scientific and/or technological achievements of the project


The consortium made informative presentations of the status of the project and sufficiently provided the
clarifications requested. Deliverables planned for the reporting period have been submitted to a generally
high quality, with minor deviations in the time of delivery, and they demonstrate solid expertise and
knowledge of the domains and technologies addressed:

- The updated description of business requirements, scenarios and use cases demonstrates a
comprehensive analysis of the scenarios for deploying the systems into healthcare provider
organizations, and for launching the two services currently connected to ProTego, with inclusion of
aspects addressing IoT components and BYOD;

- The educational FW provides a sufficient overview of how the relevant objectives will be served

- The risk assessment tools have reached a good stage of maturity and integration with some lagging
however of the AI and knowledge base aspects of the work

- There is good progress reported in the risk mitigation tools

- There is good progress on the definition of the platform architecture, component resources and the
requirements as well as the integration work and the Integration Toolkit.

main innovation outputs (if applicable)


- WP4 and the integration between SSM and SIEM, with the development of automated
methods to cover the discovery of security issues, is in some way advanced.

contribution to the state of the art

The inclusion of IoT and BYOD models also goes beyond the state of the art in addressing cyber-
physical threats rather than conventional cyber-attacks.
Continuous authentication is an interesting research area, however still at an initial stage; indeed, this
technology could provide a certain level of security for mobile devices using the analysis of behavioural
metrics.

scientific and/or technological quality of the results


Early testing and verification with validation partners and the initial results obtained from
experiments, reported through scientific publications covering the main innovation areas, are
encouraging.

It is too early in the validation cycle however, to assess the technological quality of the resulting
innovations. The prototypes need to be evaluated and refined, and it is expected that once data is
available, from intermediate validation trials and accepted by the relevant scientific community
including through peer reviewed publications.

impact on technology and/or society

dissemination activities and results: publications, users involved, etc.


The progress of the activities and achievement of the objectives are satisfactory. Even with the
struggle of the pandemic period, there has been a good effort to accomplish the project KPIs with respect to
their target values for this period.

protection of the acquired intellectual property (patents applications, etc.)

RG: Not applied at this stage! Right!? Some doubts about the future related to IP. The SIEM is owned
by GFI, and ProTego brings to life new capabilities for run-time threat detection and risk assessment tools
under SIEM. Since ProTego is able to create a patent for the new SIEM features, it means that ProTego will
miss the entire working model patent.

progress of the activities:


main research / innovation (if applicable) / training (if applicable) / transfer of knowledge activities (if applicable)

achievement of the objectives, compliance with the work plan, any deviations (whether justified) and corrective actions
(whether acceptable).

With respect to the work plan the project has reached its main objectives for the period under
review; however, some deviations are observed and corrective action is proposed.
Delays in the pocket EHR development may impact the future work as a whole. A product
development cycle can have an unpredictable latency time, preventing the goals and deadlines
established in the DoA from being met. As a general observation, the consortium must ensure in the future that
the progression of project activities does not depend on the development of external applications not
defined in the DoA.
o milestones for the period and submission and acceptance of deliverables (if applicable).
o take-up of the recommendations from the previous review or check (if applicable)

use of resources (are they in line with the DoA, do they represent good value for money?) (if applicable).

Some WPs have consumed resources at a lower level than expected, due to the epidemic crisis or
because the main dissemination activities, such as publication of scientific papers, have not
yet been performed. These deviations are not considered as posing a risk to the project.

4. Recommendations concerning the period covered by the report

[insert comments]

Give your recommendations on:


• the acceptance or rejection of resources, or on the necessity to provide further justifications on use of
resources
• work done and possible required corrective actions (e.g., resubmission of reports or deliverables)

The section on “metrics” in D2.2 will need some reconsideration of the concepts and terminologies
used. As this is only a preliminary chapter included in this deliverable, this further reflection should be
reported in D2.3.

• dissemination and communication activities


• exploitation plans
• other, if applicable.

5. Recommendations concerning future work

[insert comments]

Give your recommendations (e.g., overall modifications, corrective actions at WP level, re-tuning of the objectives to
optimise the impact or to keep up with the state of the art, better use of resources, re-focusing, revision of the
dissemination and exploitation plan, update of data management plan, etc.) Where appropriate, indicate the timescale
for implementation.

CR01. For the project technical achievements to come to fruition, it will be important that testing,
verification and validation are properly designed and that the ethical issues, especially related to profiling of
individuals, are properly addressed. There is an urgent need for the project to rethink its integrated
approach to assessment and evaluation, with a view to creating user confidence and acceptance of their
results, through transparently providing the evidence on: the accuracy of models and algorithms
(testing), verification of the functionality and flawless integration of the components, and user
acceptance (aspects such as usability, efficiency, effectiveness…) of the proposed solutions by the
different classes of users and stakeholders.

CR02. The metrics should be designed to validate the scientific, technical and legal issues of the scenarios
and to identify the level of maturity at which they should aim to be considered compliant with the collected
requirements and the expectations of clinical staff.

CR03. It is also imperative that the consortium can demonstrate that ethical aspects have been duly
considered and that data privacy safeguards have been properly considered and implemented
especially around the user profiling issues with clarifications of how personal data will be used and
under what conditions and permissions;

CR04. There are interesting elements of innovation in the approach e.g. of the architecture and
integration of system components which need to be also expressed in the consortium’s exploitation
and business modelling and business planning activities and IPR handling;

CR05. There is a challenge for the consortium to maximize its outreach beyond the narrow circle of the
two healthcare providers involved, by proper dissemination activities leveraging on several outputs
that can be made available to the wider hospital communities such as the tutorials. The relevant tasks
need be adapted to the new COVID-19 reality to ensure achievement of the goals set in the DoA and
the KPIs;

CR06. The two applications proposed (FoodCoach and Pocket EHR) suit the purpose foreseen in the
project; however, the IoT scenario should be further developed. For example, as defined in the DoA,
“Usage of IoT telemedicine devices for home care is one of the main use cases of ProTego, in which the
project cybersecurity toolkit will be validated”.

CR07. The initial description of the Educational framework in terms of approach and content is aligned
with the expectations of the DoA. It is however recommended that the educational material for health staff
include references to the healthcare environment to increase acceptance by the healthcare community.
Additionally, specific cybersecurity risks of the healthcare environment, such as the ones related to medical
devices, should be further addressed. While it is true that the materials proposed for patients could be based
on the materials for health staff, it is worth exploring specific materials for this target;

CR08. There are important ethical issues to be considered in this project, including around the
PocketEHR use case and the continuous authentication, with a need to robustly analyse privacy
implications. The ethics committee must be set up and function systematically referencing well established
guidelines on setting up and functioning of such committees in guiding researchers.

- Real-life situation case studies should be further developed, as the 4 cases identified would be
insufficient to demonstrate the aspects developed during the ProTego project and the capabilities
of the ProTego toolkit.

- [anything more to be said besides CR06?]

- RG: The integration toolkit is to be deployed as a platform to allow for the integration of all the
technical components within ProTego. Tasks on WP6 have been easily delayed, mostly dependent
on other tasks and deliverables. The integration tasks are concluded only as soon as data are fully
and smoothly integrated with the apps (already developed) and users test.

- Cross-organisational risk modelling should be further addressed as it was described in the DoA.

- RG: As described in the DoA, Part B, page 29, the holistic approach of ProTego is founded on tools to
assess risks prior to deployment of new systems. In fact, they had mentioned an excellent approach
aligned with ISO 27005 and ISO 31000 (for holistic and non-technical risk design). Unfortunately,
the model for cybersecurity risk assessment tools is not covering a broad enough scope.
However, in this context, where the final product is mainly technical, and ISO 27005 is a great
appliance, we can bypass the comment.

- The risk modelling should include a more holistic view of risks to be aligned with the description
of the DoA (i.e. “a complete framework for risk assessment and mitigation covering the full
lifecycle of systems and applications”). Looking at the risk assessment part, if the project
does not take the correct actions there is a risk of downsizing the scope of the impact. Cybersecurity
risk assessment tools are not covering a sufficiently broad scope of risks, as they are focusing
mainly on vulnerability risks at infrastructure level. Other risks, such as application
vulnerabilities, are not sufficiently addressed.
- RG: The same as described. We can bypass the comment.

2. Objectives and workplan

1. Is the progress reported in line with objectives and work plan as specified in the DoA? If there are significant deviations, please comment. [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

Assess to what extent the objectives of the project for the period have been achieved. In particular, please indicate if the
project as a whole has been making satisfactory progress in relation to the DoA and comment on the interaction between the
work packages and the level of integration demonstrated.

For each work package (WP), assess the progress in relation to the DoA (including the achievement of deliverables and
milestones) and periodic report and comment on any deviation and/or delays, the reasons for them and corresponding
corrective action taken.

For MSCA, comment on: recruitment, training and career development, secondment, transfer of knowledge.

For innovation actions (IA), assess whether the pilots/case studies started to showcase innovative results as described in the
DoA.

The project as a whole has been making good progress in line with objectives and work plan without significant
deviations observed in the delivery of planned deliverables but with some lagging in picking up the AI aspects
related to the AI features of the risk assessment tools. Milestone 6 (integrated components ready for trials)
which is a significant milestone has not been reached at this stage of the project. Other delays of the project
have been duly justified.

Planned milestones for this period have been partly achieved. The metrics will need to be revisited to comprise
a complete array of indicators needed to carry out the evaluation objectives. The integrated system is still
missing integration of AI components; however, this may be acceptable as part of the phased approach.

The articulation of work between the work packages and the level of integration demonstrated is
satisfactory.

- Only a few items became unaligned with the DoA, for instance the complete cybersecurity
framework covering the complete life cycle risks related to the DoA, like ISMS, which covers
most security management chapters, and ISO 31000 for end-to-end holistic risk assessment.
However, NIST is a satisfactory approach.

- RG: As described above, a similar situation: the consortium decided to use a different framework from the one
described in the DoA. We can bypass the comment if you all prefer.

2. Are the objectives of the project still scientifically and/or technologically relevant? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

Assess whether the project continues to be scientifically and/or technologically relevant.

Indicate whether the objectives are still relevant and provide scientific and/or technological breakthrough potential and
whether they are still achievable within the time and resources available to the project.

Assess also whether the approach and methodology, continue to be relevant (not applicable to MSCA).

The objectives remain scientifically and technologically relevant and generally RG: achievable, in particular
advanced Encryption and Network slicing isolation. An automated approach for risk identification and analysis,
as proposed in the DoA, is scientifically relevant; however, it is too early to assess if this objective will be fully
reached within the resources and the lifetime of the project. Likewise, machine reasoning in order to evaluate
risk calculations in real time and to propose countermeasures is a sound concept but is still to be further defined
by the project.

Notwithstanding the need to review the evaluation and assessment strategies, the scientific approaches remain
valid.

3. Are the critical implementation risks and mitigation actions described in the DoA still relevant? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

Risks have been well managed and they are mostly relevant, however the be performed in the next phase of the
project to address emerging implementation risks. Using WannaCry data as input
into SIEM for vulnerability detection has provided an intermediate solution; however, the potential of collecting
sufficient data in each organisation needs to be re-assessed and, if not viable, alternative solutions should be
sought.

The risk assessment looks a bit different from the approach in the DoA. ISO 31000, as we know these
risk management guidelines, provides principles end to end and keeps a framework for any company
regardless of its size, beyond the technology. And the effectiveness of ProTego depends substantially
on local and good practices ecosystem that uses processes, technology but mostly people. Although
NIST and ISO 27005 reference models cover quite well the framework and risk assessment guiding
principles. [Note: are you referring to project risks?]

- RG: You are right, makes no sense in this context. This should focus on project management risks. Delete
it please!

- Project management must assure the profitable cycle approach to allow the body (RG: board) to
use a tool in PDCA (Plan, Do, Check, and Act) mode for assessment and risk mitigation over
time.
- RG: This is in a product development context. Should focus on project management risks. Remove it please!

Assess how the identified risks in the project are managed, including the new risks identified in the reporting period, if any,
and the proposed mitigation measures.

4. Have the pilots/case studies started to showcase innovative results as described in the DoA? [Yes] [No] [Partially] [Not applicable]

The Pilots started, but it is essential to further define the trials/tests/validation approaches and metrics and
reflect this in the relevant deliverables.

5. Have the ethics deliverables due for the current period been adequately addressed and approved? [Yes] [No] [Partially] [Not applicable]

There have been no deliverables due in the current period. The relevant report on progress has given rise to concerns
regarding the overall robustness of the approach to ethics.

6. Have the comments and recommendations from previous project reviews been taken into account? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

The consortium has demonstrated good response to the comments and has addressed them sufficiently. Partially.
One slide commented in the review report, related to the actions taken into account for the recommendations
of the previous review report, addresses them superficially.

RG: I was very impressed with the ability of comments and responses from members at the last meeting.
However, it does not mean they have addressed them sufficiently.

3. Impact

1. Does the work carried out contribute to the expected impacts detailed in the DoA? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

The work is developing according to the DoA with minor deviations and as such it is contributing to the stated
impacts as expected. Although still not fully substantiated, impacts can already be foreseen at this
stage.

Through the AI components of the work new knowledge could emerge, if big RWD could be made available
through the SIEM, however this potential needs to be re-evaluated in the light of what and how much can in
practice be collected by the two health care providers.

Further impact is expected in the next stage where the risk mitigation “engine” process is likely to
make a difference.

[Albert your comment was more on timeline hence omitted from here]

2. Does the work carried out follow the plan detailed in the DoA to enhance innovation
capacity, create new market opportunities, strengthen competitiveness and growth of
companies, address issues related to climate change or the environment, address
industrial and/or societal needs at regional level or bring other important benefits for
society? Give information on the relevant innovation activities carried out (prototypes,
testing activities, standards, clinical trials) and/or new product, service, reference
materials, process or method (to be) launched to the market, if any. [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

There was no relevant deliverable due since the last ATR to allow for a proper evaluation of the exploitation
activities. Information provided in the presentation and the progress report is scarce; on the other hand, T8.4,
the description of which is empty in the progress plan, and T8.5 will be critical for the success of the project.

Second stage prototypes, integration and testing have been taking place as part of the second iteration, which
still does not foresee the full functionality. There is good fluency on the relevant standards and also the
potential to contribute to standardization.

The work carried out by the University of Southampton, to launch a spin-off to promote the risk
assessment tool into a commercial offering is also highly relevant.

Advanced Encryption is producing innovative solutions that are being adopted by the market. Network
slicing isolation is a promising area of research. The number of publications is also a good indicator of
innovation impact: the consortium has published four and is working on additional ones; counting the
ones in the pipeline, the project could reach up to 14 in total.

3. Does the work carried out contribute towards European policy objectives and strategies and have an impact on policy making? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer] The project does not directly address policy makers; however, the
project results will contribute to the development of the necessary infrastructural elements that will support
EU policy on cybersecurity, especially related to the GDPR and the NIS.

Assess whether the project results or activities have an impact on policies, (e.g. healthcare, transport, environment,
energy, migration, regional development, etc.) by supporting policy implementation, policy stakeholder engagement or
exploring new technological approaches for policy objectives. Assess whether it would be useful if the project presents
its findings to policy makers or includes policy makers in an advisory board.

4. Does (or will) the work carried out have an impact on SMEs? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

Yes, the SMEs are one of the important target groups that have been addressed appropriately in D3.2. The
project plans to disseminate through WP8 the know-how acquired and results achieved to specialized SMEs
providing relevant products and services, creating opportunities for Security and Privacy SME
specialists to offer security services or exploit and deliver ProTego, as soon as it becomes a stable and
in-a-box product.

5. Have the beneficiaries reached gender balance at all levels of personnel assigned to the action? If not, have the reasons been explained in the periodic report? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

As explained in the periodic report, the project has faced a relevant imbalance with respect to gender, in
which more than 2/3rd of the project team are men. The Consortium has claimed that being aware of this
issue, during the 2nd period they will analyse possible measures to fix this gender imbalance.

4. Implementation

1. Has the project been efficiently and effectively managed? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

Achievement of objectives is aligned with the DoA and reveals proficiency and competence of the
management. Generally, the project is on time with deliverables and the deliverables themselves are of
high quality. The adopted phased approach is proving quite appropriate and useful in this respect. There is
evidence of good partner co-operation and cohesion as a group.

2. Is the management of the project in line with the obligations of beneficiaries (including ethics and security requirements, risk and innovation management, if applicable)? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

The management of the project has handled risks effectively at this stage; however, during the next phase of
the project it is recommended to further analyse them to ensure reaching the objectives of the DoA. The
management is professional and experienced and the review meeting was well prepared and efficient.

Deliverables have been submitted on time or with minor delays and they indicate good sharing of the labour
in authoring and reviewing tasks. There is no evidence of whether and how the Ethics and Quality guidelines
are actually being applied.

3. Is the contribution of each beneficiary in line with the work committed in the DoA? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

Notwithstanding small deviations and shifts of workload, e.g. between OSR and FCSR, the contribution of
partners has been in line with the DoA.

4. Have the beneficiaries disseminated project results (foreground) in scientific publications as planned in the DoA (including the deposition of publications in open access repositories)? Do they include a reference to EU funding? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer] There has been sufficient progress in the number of publications
since the last review. Four scientific publications have been published and others are planned by the project.
They include the reference to EU funding. However, also due to the COVID crisis and the cancellation of
conferences, the proportion of non-peer-reviewed publications has increased.

5. Have the beneficiaries disseminated and communicated project activities and results by other means than scientific publications (social media, press-release, the project web site, video/film, etc) as planned in the DoA? Do they include a reference to EU funding? [Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer] Activities are listed in the Project Report but without sufficient
detail. The foreground project results of ProTego have not been adequately disseminated. There has
been no social media or video or film planned. The ProTego blog (https://protego-project.eu/blog/)
had its last related activity on May 29th of the current year.

6. Has the plan for the exploitation and dissemination of the results (if required) been
updated and implemented as described in the DoA, in particular as regards intellectual
property rights? Is it appropriate?
[Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer]

No data is collected from the hospital environment. The ProTego SharePoint Collaborative
Working Environment has been set up, containing the necessary tools to share all the project information. The
Consortium Agreement (CA) rules were respected, and actions were applied regarding protection of
knowledge, collaboration with third parties and external contributors, and their access rights.

There was no deliverable due to allow for a proper assessment, but the general feeling is that the consortium
has been concentrating more on the technical aspects and less so on exploitation. The information in the
progress report is indicative of little to no activity in task 8.4, which, given the level of development of WP2
and WP6, should have been more active.

7. Has the data management plan (DMP) (if required) been updated and implemented?
Is it appropriate?
[Yes] [No] [Partially] [Not applicable]

[insert comments to justify the answer] There has not been proper reporting in the relevant section of the
Progress Report, sufficient to make an assessment.

5. Resources

1. Were the resources used as described in the DoA and were they necessary to achieve
its objectives? If there are deviations from planned budget, have they been satisfactorily
explained? Have they been used in a manner consistent with the principle of sound
financial management (in particular economy, efficiency and effectiveness)?
[Yes] [No] [Partially] [Not applicable]

The resources used are, at this stage of the project, overall aligned with the description of the DoA. There have,
however, been several deviations, which have been sufficiently explained in good detail and are
considered acceptable; the lagging in resource consumption for WP8 is commensurate with the low activity
in this WP in certain tasks. The 17% deviation of IBM has not been explained or justified. There are no
resources allocated to WP9?

The consortium claims that none of these deviations would produce a negative impact on the performance of
the project; however, it is essential to monitor budget consumption accurately during the rest of the project.
Underspending has been correctly justified.

Annex 1

Expert opinion on deliverables


Deliverable number: D2.2.
Deliverable name: Final description of business requirements, scenarios and use cases and initial metrics and processes
Status: Accepted
Comments: This is a comprehensive report with useful and detailed analysis. It contains a section on initial elaboration of Metrics which should be revisited, and the revised metrics should be reflected in D.2.3.

Deliverable number: D3.2
Deliverable name: Initial description of educational framework: Protocols and methodologies for health staff and patients
Status: Accepted
Comments: A well prepared document with appropriate scope and covering all important audiences. The approach and the content are aligned with the expectations of the DoA. The Educational material for health staff is of good quality; however, it is recommended to include references to the Healthcare environment to increase the acceptance by the Healthcare community. Additionally, specific cybersecurity risks of the healthcare environment, such as the ones related to medical devices, should be further addressed. While it is true that the materials proposed for patients could be based on the materials for health staff, it is worth exploring specific materials for this target. Educational material for IT Staff and Educational material for external providers will be developed in the next phase of the project.

Deliverable number: D4.2.
Deliverable name: Description of intermediate cybersecurity risk assessment tools
Status: Accepted
Comments: A well prepared deliverable transparently presenting progress since D4.1. and also synergies with other relevant projects in which the team members participate. The integration of the SSM and the SIEM in order to dynamically evaluate risks applying machine reasoning is still described at a very high level. Concrete examples and further case scenarios would help to have a better description of the work to be undertaken.

Deliverable number: D5.2.
Deliverable name: Description of the intermediate cybersecurity risk mitigation tools
Status: Accepted
Comments: Continuous authentication is an interesting research area, however still at an initial stage; indeed, this technology could provide a certain level of security for mobile devices using the analysis of behavioural metrics. It is recommended to analyse privacy implications of these developments.

Deliverable number: D6.2.
Deliverable name: Intermediate prototype: Architecture, requirements and integrated toolkit
Status: Accepted
Comments: The document is a good description of the integration of different components, however not sufficient to fulfil the milestone M6 (Integrated components ready for trials), as in particular the SSM has not been integrated yet.

Annex 2

Expert opinion on milestones


Milestone number: [insert milestone number]
Milestone name: [insert milestone name]
Achieved: [Yes] [No] [Partially]
Comments: [insert relevant remarks]

Milestone number: MS5
Milestone name: First set of metrics and processes and review of business requirements and use cases
Achieved: Partially
Comments: Some more consideration of the metrics will be necessary before this MS is considered achieved.

Milestone number: MS6
Milestone name: Phase 2: Integrated components ready for trials
Achieved: Partially
Comments: There is still missing functionality in WP4 components for this MS to be considered achieved. Deliverables D4.2 and D5.2., submitted on June 30, 2020, place an emphasis on the technical integration of SSM and SIEM. However, trial descriptions must also be concluded to fully enable use case trials.
