At the Agoria Health Tech summit, which I attended at the end of June, cybersecurity in health was an important topic, and rightfully so. According to the Cyber Incident Tracker for Health, there were 253 attacks against healthcare organisations in 32 countries in 2021. These incidents can affect lives, with 15% of these cases resulting in an impact on incoming patients. If you still believe that hacking is difficult or that attackers won't target your small business, it's time to revisit that opinion. The plethora of free tools makes it easy to get started, and hackers are opportunistic - they hack whatever might bring them money. If you are a hacker, it's also unlikely that you will be prosecuted for your acts. In the UK, the risk of being injured in a motorcycle accident is three times higher than the risk of being prosecuted for hacking.
So, hackers do get away with it.
So, we have to increase our cybersecurity efforts. Then, the next question is: whose responsibility is this? The opinion that cybersecurity is something only for IT is quite outdated. Similar to safety in the aviation industry, cybersecurity is everyone’s responsibility and should be embedded in the company culture, in the processes, tools, and technical systems.
To increase the general security posture, governments are increasingly creating legislation that forces companies to take up their responsibilities. In 2016, the NIS directive was the first piece of EU-wide legislation concerning cybersecurity. Because of the difficulties in implementing this directive, the EU Commission started working on a proposal to replace the NIS directive to further strengthen cybersecurity throughout the EU. A provisional agreement was reached on 13 May 2022.
Next to addressing issues with the current directive, the expectation is that more entities will be considered critical and important from a cybersecurity perspective. Entities manufacturing medical devices or in-vitro medical devices will be considered important and in some cases even critical. That means that they will be under increased scrutiny and face more regulations. One of the consequences of these regulations will be that you’ll have more responsibility in checking that your suppliers adhere to these regulations as well.
A lot of the companies we talk to are focused on getting their unique medical innovation on the market. They're focused on lab work, clinical trials, fine-tuning algorithms, and getting their CE certification. These new regulations might feel like an additional burden to them. However, they present a particular opportunity. When you're serious about cybersecurity in a data-sensitive environment like health tech, it's a trust enabler.
On the other hand, it does reinforce my belief that choosing the DIY method and trying to do it all yourself is a bad idea.
Having partners that can handle a lot of the surrounding things can help you stay focused. Today, there’s the NIS2 directive, but surely tomorrow will bring something else.
If you are planning on building your digital medical application from scratch, all by yourself, it might be a good idea to consider building it with a medical Backend-as-a-Service like our own. Find out more here.
© 2023 Extra Horizon, All rights reserved