English

No clean bill of health for cyber security incidents in healthcare: time for a sanity check

Report this content

ENISA issues key recommendations on protecting eHealth services and infrastructures

The potential impact of an outage in the information systems of a hospital can be extreme. The loss of service or failure of a medical device due to remote hacking (e.g. via brute force and DoS attack) can be significant. Such cyber security incidents have greatly impacted health services delivery risking lives and limb of patients and exposing institutions and health care systems to reputation risk. Healthcare is moving up on the policy agenda and it is often treated by the EU Member States[1] as a critical infrastructure. ENISA has engaged more than fifteen MS and two EFTA countries in a study to identify the measures policy makers and the private sector should take to improve the security and resilience of eHealth systems. This study focuses on three broadly used, real cases, namely Electronic Health Records, national eHealth services (for example ePrescription) and Cloud Services supporting eHealth systems.

The Executive Director of ENISA, Udo Helmbrecht, commented on this report: “The complexity and interdependencies of eHealth systems have been steadily increasing. Ensuring the availability, integrity and confidentiality in eHealth is a challenging task for providers and beneficiaries. ENISA seeks co-operate with all stakeholders to enhance the security and privacy of all eHealth infrastructures and services.”

The report recommends, inter alia, that:

  • National cyber security authorities should identify critical eHealth assets and carry out risk assessments with a view to mitigate risks
  • Policy makers should introduce baseline cyber security guidelines for eHealth infrastructures and services
  • eHealth operators, along with public sector actors, should setup an information sharing mechanism to exchange good practices and expertise on threats and vulnerabilities.

These findings were validated by numerous experts from the public and private sectors in an open workshop[2] organised together with the European Commission on 30th of October 2015.

New technologies, such as cloud computing, smart devices and the Internet of Things, already provide the innovation drive eHealth needs. As cyber security challenges grow alongside services in 2016, ENISA will focus on the adoption of Cloud computing by healthcare providers and carry out an analysis regarding Smart Hospitals.

For full report

For technical information: Dimitra Liveri, NIS expert, Dimitra.liveri@enisa.europa.eu

[1] https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/Methodologies-for-identification-of-ciis

[2] https://www.enisa.europa.eu/activities/Resilience-and-CIIP/workshops-1/2015/ehealth-workshop

For interviews and press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

Tags:

EU healthcare Information security European Union ENISA online security cyber security European Commission cyber attacks Udo Helmbrecht Online Identity NIS ePrescription

Documents & Links