The number of cyber-attacks around the world exploded in 2020: exploiting the Covid-19 pandemic as an opportunity for cybercriminals to take advantage of the shift in focus towards smart working and hospital staff transferred to the frontline.
The NIS Directive and Cybersecurity in eHealth
The European Commission's EU Network and Information Security directive (NIS Directive: EU 2016/1148) is one of the policy measures for the implementation of the European Cybersecurity Strategy.
Its goal is to enhance cybersecurity across the EU, requiring every Member State to adopt national legislation that follows or "transposes" the directive by May 2018, albeit with some level of flexibility around national circumstances, such as existing organisational structures or alignment with existing national legislation.
The NIS Directive has three parts:
- National capabilities: EU Member States must have certain national cybersecurity capabilities of the individual EU countries, e.g. they must have a national CSIRT, perform cyber exercises, etc.
- Cross-border collaboration: Cross-border collaboration between EU countries, e.g. the operational EU CSIRT network, the strategic NIS cooperation group, etc.
- National supervision of critical sectors: EU Member states have to supervise the cybersecurity of critical market operators in their country: Ex-ante supervision in critical sectors (energy, transport, water, health, digital infrastructure and finance sector), ex-post supervision for critical digital service providers (online market places, cloud and online search engines)
The European Agency for Cybersecurity, ENISA) supports the implementation of the NIS Directive for eHealth, as known as, digital health, alongside other support mechanisms.
Here we share ENISA recommendations and guidance for the healthcare sector in Europe.
- Recommendations for Hospitals
- Establish effective enterprise governance for cyber security.
- Implement state-of-the-art security measures.
- Provide specific IT security requirements for IoT components in the hospital.
- Invest in NIS products over IoT components.
- Establish an information security sharing mechanism.
- Conduct risk assessment and vulnerability assessment.
- Perform pen testing and auditing.
- Support multi-stakeholder communication platforms (ISACs) and information sharing alternatives.
- Invest in cyber security for IoT components.
- Recommendations for manufacturers of IoT devices
- Incorporate security into existing quality assurance systems.
- Involve third parties in testing activities.
- Consider applying medical device regulation to critical infrastructure components.
- Support the adaptation of information security standards to healthcare.
- Involve the healthcare organisation (HCO) throughout the entire device lifecycle.
- Recommendations for policy makers
- Promote collaboration on cyber security across Europe.
- Develop awareness raising on IoT threats and risks.
- Establish a governance model for cybersecurity.
- Integrate (trade-off risk/investment) security in business processes.
- Define security requirements to ensure “security for safety”.
- Consider engaging in a public private partners for better cooperation.
PANACEA Research perspectives: PANACEA is working with hospitals and operators of essential services to develop a comprehensive toolkit covering both technological and human facets of cybersecurity in healthcare. ENISA and its recommendations are of high interest to PANACEA as it assesses its position both within the policy context and marketplace for innovative and secure products and services.
Lookout Watch entry date: 09.06.2019