The healthcare sector is undergoing digitalization, adopting new technologies to improve patient care, offer new services to remote patients and reach operational excellence. Integrating these technologies into the already complex healthcare IT infrastructure creates new challenges for data protection and cybersecurity.

On the one hand, the COVID-19 pandemic has been a driver for increased cyber-attacks on healthcare organizations, including phishing attacks that aim to collect user credentials and ransomware attacks that seek to encrypt hospitals' data.

On the other hand, the pandemic has helped to stress the need for remote healthcare services. Cloud platforms have provided the elasticity and fast access required for the deployment of these services. Organizations subsequently deployed cloud solutions to cover ERP systems along with health information systems like electronic health records, data analytics, medical devices and telemedicine.

To help IT professionals in healthcare establish and maintain cloud security, and to guide the selection and deployment of appropriate technical and organizational measures, ENISA issued a study that provides cloud security practices for the healthcare sector.

Legislative background

According to the European Union NIS Directive, hospitals are defined as Operators of Essential Services (OES), while cloud providers are Digital Service Providers (DSP). Therefore, both hospitals and cloud vendors must comply with the NIS Directive security requirements when contracting cloud services.

At the same time, the GDPR defines medical data as a “special category” of personal data, which is sensitive by nature and subject to a higher standard of protection when processed. Healthcare organizations, as data controllers processing medical data, must implement appropriate technical and organizational measures to ensure the security of systems, services and data. Further, cloud providers are considered data processors under the GDPR, as they act on behalf of the data controllers; hence, they have