
Why a Data and Systems Security Guide for Healthcare Organisations?

The risks include possible harm to patient safety or loss of personal health information, and may be caused not only by malicious actions but also by human error, system or third-party failures and natural phenomena.

Healthcare has been amongst the five most cyber-attacked industries over the past 5 years, along with manufacturing, financial services, government, and transportation (1). Undeniably, there has been a considerable increase in cyberattacks in the healthcare sector, with significant material and reputational damage to the victims. These attacks can be driven by several motives: financial gain, theft of intellectual property, gaining a competitive advantage, or political motivation. Several reports of cyberattacks and risk assessments, in both the public and private sectors, show that these attacks are not only more frequent but also more sophisticated and harmful.

As hospitals become smarter and more integrated within healthcare ecosystems, they are also interconnected with ecosystems involving other sectors of the economy, such as other government sectors and financial services. This entails interconnecting numerous actors, critical assets, sensitive personal and financial information, and resources, and inevitably blurs the boundaries between organisations and jurisdictions. Indicative of this interdependence is the fact that an attacker's access to electronic medical records and health system data, and to stolen medical data, might also be instrumental in opening bank accounts, procuring passports and even getting loans (2).

Hospitals still face the greatest risks, vulnerabilities and impacts in the case of cyber incidents. Broadly speaking, all healthcare organisations should understand and address the risks through well-defined and well-managed cybersecurity initiatives, delivering a holistic approach, combined into a single integrated framework and an overarching strategy involving the organisation’s processes, people and technology, to ensure an effective defence. Over the last decade, there has been an increased awareness concerning information security and cybersecurity. In Europe, the General Data Protection Regulation, the ‘NIS Directive’ (security of network and information systems) and the Cybersecurity Act (3), which reinforces the role of ENISA (the EU Agency for Cybersecurity) in orienting the Member States, are clear political expressions of a new paradigm that encourages organisations operating inside the EU to rethink their information and IT management practices. A direct outcome of increased Member State co-operation in addressing the cybersecurity challenge in healthcare has been the publication of a growing volume of guidance, alongside the relevant standards, addressing governments and health and care providers.

This Data and Systems Security Guide (the Guide) is intended to support healthcare providers in designing and implementing information security systems that are capable of protecting the healthcare providers’ critical information infrastructure and information resources. It does so by helping them navigate the available guidance documents, which are created collaboratively and maintained at international level. Such decisions are typically shared among the senior management executives in hospitals who are responsible for procurement of equipment, ICT systems and related services. Thus, the Guide addresses Chief Executive Officers and Chief Information Security Officers. However, more management functions may be relevant in European hospitals and as such may also be addressed by this Guide.


1. Top 5 industries at Risk of Cyber attacks
2. L. Coventry, and D. Branley, “Cybersecurity in healthcare: A narrative review of trends, threats and ways forward,” in Maturitas, 2018, 113:48-52
3. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification
