EU Report Calls for More Health-Specific Incident ResponseENISA: As Cyberattacks on Health Sector Grow, Expertise Is Needed
Cyberattacks on the European Union's healthcare sector grew by nearly 50% in 2020, over 2019, and continue to pose serious threats to patient safety, as well as to the entire health supply chain, says a new European Union Agency for Cybersecurity report assessing computer security incident response among EU members.
To help address those challenges, the ENISA report, among several recommendations, calls for the development of more dedicated, healthcare-sector specific computer security incident response teams, or CSIRTs, in the EU.
Currently, more generalized national CSIRTs are the entities in charge of incident response in the EU health sector, ENISA notes.
Although dedicated health sector CSIRTs are still the exception in EU member states, some sector-specific incident response team cooperation is developing, including collaborative efforts involving information sharing, the report notes.
Still, "the lack of sector-specific knowledge or capacity of national CSIRTs, lessons learned from past incidents and the implementation of the NIS Directive appear to be the main drivers of the creation of sector-specific incident response capabilities in the health sector."
The 2016 NIS Directive called for EU members to implement measures "for a high common level of security of network and information systems" for critical sectors across the EU.
"An attack directed at a critical infrastructure, such as a hospital, can lead to physical damages and put the lives of patients at risk," ENISA writes.
"Therefore, there is a need for solid incident response capabilities in the health sector, in particular healthcare settings, including hospitals and private clinics," ENISA writes.
The healthcare sector faces threats along its entire supply chain, "with potentially disastrous societal consequences for a multiplicity of stakeholders - citizens, public authorities, regulators, professional associations, large industries, small and medium enterprises - which become even more vulnerable in the context of the COVID-19 pandemic," ENISA writes.
Overall, in 2020, ENISA received a total of 742 reports about cybersecurity incidents of significant impact from critical sectors, including healthcare, which experienced an increase of 47% of such incidents in 2020 compared to the previous year, the report notes.
Among some of the specific security challenges facing EU's healthcare sector is the reliance on legacy systems and devices, ENISA notes.
"Because the pace of updates quickly outruns the pace of IT technology evolution when healthcare equipment usually has a lifetime of 15 years on average, vulnerabilities tend to accumulate with the obsolescence of the IT layer through the life cycle of hardware and digital devices," the report says.
Another challenge for healthcare sector entities is the complexity of systems "due to the increased number of connected devices leading to an extension of the potential attack surface," ENISA writes.
ENISA recommends that EU members:
- Enhance and facilitate the creation of healthcare sector CISRTs by allowing easy access to funding and by promoting capacity-building activities;
- Capitalize on the expertise of the health CSIRTs for helping the EU's more general Operators of Essential Services to develop their incident response capabilities by establishing sector-specific regulations, cooperation agreements, communication channels and public-private partnerships;
- Empower healthcare sector CSIRTs to develop information-sharing activities using threat intelligence, exchange of good practices and lessons learned.
Some experts say the cybersecurity and incident response-related challenges facing healthcare sector entities in the EU are not much different from what healthcare sector entities in the U.S. and elsewhere globally are facing.
"Cyberattacks respect no borders," says Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center in the U.S.
"Our European counterparts are struggling with the same issues we're dealing with in the U.S. - complex information security issues, lack of experienced resources and insufficient investments in cybersecurity technology and talent," he says.
The Health-ISAC is working closely with European CERTs and specific country-level Health CERTs to promote information sharing and collaboration globally to help all its members be more resilient against cyberthreats, Weiss says.
In October, Health-ISAC held its second annual European Summit in the Netherlands, he notes.
Weiss says, "Thankfully, we continue to see high energy and willingness to share and collaborate amongst healthcare sector organizations," including discussions about current trends in healthcare security, third-party risk, ransomware and innovative ways to maintain resilience.
"The good news is, across the health sector globally, we see that the National Institute of Standards and Technology has had fairly reasonable success driving adoption of the NIST Cybersecurity Framework outside the U.S.," he says.
To help EU members overall better respond to cyberattacks, especially those involving ransomware, across all sectors, the European Commission in June proposed creating a new Joint Cyber Unit (see: EU Proposes Joint Cybersecurity Unit).
Under the proposal, the EU would create a rapid response team to mitigate threats from hackers and establish national and cross-border monitoring and detection capabilities.
The new unit also would work with member nations' law enforcement and cyber agencies, security firms, diplomats and military services to coordinate cybersecurity operations and threat intelligence sharing, the European Commission says.
The commission plans to assess the organizational aspects of the proposed unit and identify EU operational capabilities by Dec. 31.