Health-ISAC Hacking Healthcare 12-16-2024
This week, Health-ISAC®'s Hacking Healthcare® examines an ENISA-led report on the state of EU cybersecurity. We detail why this report was developed, some of the report's high-level recommendations, and what it says about the health sector. We then analyze which recommendations might be helpful in guiding EU policy efforts as we head into the new year.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
PDF Version: TLP WHITE Hacking Healthcare 12.16.2024 (PDF, 193 kB)
Text Version:
Welcome back to Hacking Healthcare®.
ENISA Reports on the State of EU Cybersecurity
A provision within the European Union's (EU) NIS2 Directive instructed the European Union Agency for Cybersecurity (ENISA) to collaborate with the Commission and the NIS Cooperation Group to develop a report on the state of cybersecurity in the EU. Earlier this month, ENISA published the first edition of this report, which includes an overview of the healthcare sector, EU-wide cybersecurity capabilities, issue areas needing additional attention, and policy recommendations.[i]
Let’s explore what the new report has to say about healthcare in the EU and investigate what policy recommendations may impact the sector.
What is this report?
Article 18 of the NIS2 Directive requires that ENISA work in collaboration with the aforementioned entities to publish a report on the state of cybersecurity in the EU on a biennial basis. The content of the report is to include:[ii]
- (a) a Union-level cybersecurity risk assessment, taking account of the cyber threat landscape;
- (b) an assessment of the development of cybersecurity capabilities in the public and private sectors across the Union;
- (c) an assessment of the general level of cybersecurity awareness and cyber hygiene among citizens and entities, including small and medium-sized enterprises;
- (d) an aggregated assessment of the outcome of the peer reviews referred to in Article 19; and
- (e) an aggregated assessment of the level of maturity of cybersecurity capabilities and resources across the Union, including those at sector level, as well as the extent to which the Member States’ national cybersecurity strategies are aligned.
Additionally, ENISA is to develop policy recommendations “with a view to addressing shortcomings and increasing the level of cybersecurity across the Union.”[iii]
The 71-page first edition was published on December 3 and acknowledges that the drafting took place while NIS2 was still being transposed.
High-level takeaways
Some of the report’s high-level takeaways include identifying:
- That the “maturity of the cybersecurity policy framework” is quite developed and that it may be best to prioritize helping entities to fully understand and implement existing legal and regulatory mechanisms.
- The need for a revised “EU Blueprint for coordinated response to large-scale cyber incidents.”
- The need for further strengthening of the cybersecurity workforce and developing a common approach to cybersecurity training across the EU.
- The need to address supply chain security across the EU through increasing EU-wide coordinated risk assessments and an EU horizontal policy framework for supply chain security.
- The need to “[enhance] the understanding of sectorial specificities and needs, improving the level of cybersecurity maturity of sectors covered by the NIS2 Directive and using the future Cybersecurity Emergency Mechanism to be established under the CSOA for sectorial preparedness and resilience with a focus on weak or sensitive sectors and risks identified through EU-wide risk assessments.”
That last bullet may be among the most impactful to the healthcare sector, as we will explore in the analysis section.
What does the report say about healthcare?
Perhaps the most interesting takeaways for the healthcare sector come from the report's second section, Cybersecurity Capabilities at the Union Level, which attempts to map out the criticality and cybersecurity maturity of critical sectors.
While the authors acknowledge that no methodology would perfectly capture the nuances of each sector, the results matter because the authors note that this assessment could be used to help guide EU Member States in determining where to focus resources.
Criticality was assessed by looking at each sector’s dependency on information and communications technology (ICT) products, criticality of a quick response to sector impacts, the economic impact of harm to the sector, and the health and safety impact of harm to the sector.
Maturity was assessed by looking at the frameworks and policies that exist, the risk management and good practices that exist, the level of information sharing within the sector, a sector’s operational preparedness, and the security of ICT products in the sector.
The result can be found on page 27, where the health sector falls on the lower end of both maturity and criticality. It sits alongside Rail and Gas and is notably assessed as less mature and less critical than Aviation, Electricity, Finance, and Telecoms. The report describes the health sector as challenged to secure legacy systems, operational technology, and its environment generally. In particular, the report notes that "the health sector's performance in ensuring the security of the ICT products and processes it uses is rather inadequate due to a huge variety of health entities, devices and products."[iv]
Action & Analysis
**Included with Health-ISAC Membership**
[i] https://www.enisa.europa.eu/sites/default/files/2024-11/2024%20Report%20on%20the%20State%20of%20the%20Cybersecurity%20in%20the%20Union.pdf
[ii] https://eur-lex.europa.eu/eli/dir/2022/2555/oj
[iii] https://eur-lex.europa.eu/eli/dir/2022/2555/oj
[iv] https://www.enisa.europa.eu/sites/default/files/2024-11/2024%20Report%20on%20the%20State%20of%20the%20Cybersecurity%20in%20the%20Union.pdf
[v] https://www.enisa.europa.eu/sites/default/files/2024-11/2024%20Report%20on%20the%20State%20of%20the%20Cybersecurity%20in%20the%20Union.pdf
[vi] https://www.digitaleurope.org/news/digitaleuropes-reaction-to-the-virkkunen-and-sejourne-hearings-an-act-is-not-the-answer-to-everything/
[vii] https://www.enisa.europa.eu/sites/default/files/2024-11/2024%20Report%20on%20the%20State%20of%20the%20Cybersecurity%20in%20the%20Union.pdf
[viii] https://commission.europa.eu/document/download/e6cd4328-673c-4e7a-8683-f63ffb2cf648_en?filename=Political%20Guidelines%202024-2029_EN.pdf