A strengthened collective cyber and information security effort
Strategy for cyber and information security in the healthcare sector
The healthcare sector is a critical sector in Denmark. Thousands of citizens come into contact with the healthcare service every day, and for many, the healthcare sector's ability to provide timely treatment and care is critical. Therefore it is important that the sector is able to ensure that the right treatment and care is available to citizens when needed.
Today, the Danish health sector is characterised by increasing digitisation. Every day large volumes of health data are handled digitally across many treatment units. The sector is working towards increasing cooperation regarding treatment and care with the assistance of digital exchange of information so that the way through the healthcare service is as safe and seamless as possible for citizens. As a result, dependency on digital infrastructure and data exchange is growing. There are many advantages to digitisation. However, the many connected units and actors and the large volumes of sensitive personal data also make the healthcare sector vulnerable to cyber and information security incidents – such as potential cyber attacks. Hence it is necessary to enhance the sector's collective cyber and information security effort to secure the continued treatment and care of citizens and the protection of their sensitive personal data.
The healthcare sector is made up of many different healthcare providers that are organised and run in different ways; from large regional hospitals, offering highly specialised treatment, and municipal units for monitoring and care to smaller medical practices, clinics, and pharmacies. Most of these actors are publicly run, but many smaller actors – such as general practitioners, specialists, physiotherapists, dentists, etc. – are private business owners.
Moreover, the sector’s portfolio of IT systems involves a distinct complexity that is managed in different ways; from huge IT system landscapes in the regions, with thousands of users and supported by some of Denmark’s biggest IT departments, to small systems with few users in primary healthcare. In addition, there are challenges involving legacy systems and IoT devices with varying levels of security – which is also the case in other sectors that are critical to Danish society. Replacement is often impossible or not suitable, as critical treatment depends on the use of specific equipment. Finally, the healthcare sector uses many suppliers of both IT systems and infrastructure. Security and stability are therefore significant factors when using external suppliers in the sector. This increases the need for collective basic requirements for controlling and monitoring the security of suppliers.