This week, Hacking Healthcare™ catches up with the revision to the European Union’s Network and Information Security (NIS) Directive, NIS2. We review what NIS2 is, how Health-ISAC members may be affected, where NIS2 is in its implementation timeline, and what actions Health-ISAC members may wish to consider taking at this time.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
Welcome back to Hacking Healthcare™
The Health-ISAC Hobby Exercise 2023
Before we get to NIS2, the Health-ISAC is pleased to announce the 4th iteration of our Hobby Exercise on October 25th in Washington DC. The Hobby Exercise is an annual Healthcare and Public Health (HPH) event designed to engage the healthcare sector and strategic partners on significant security and resilience challenges. The overarching objective is to inform and provide opportunities for organizational continuous improvement while increasing healthcare sector resiliency.
Members wishing to know more or express an interest in participating should visit the following registration link: https://portal.h-isac.org/s/community-event?id=a1Y7V00000VJ560UAD
NIS 2 Implementation Update
Health-ISAC will be holding several NIS2 sessions and discussions at the upcoming European Union (EU) Summit in Dubrovnik, Croatia. If you’re interested in attending, please click here for more information on how to register.
It’s been a while since we checked up on the revision to the European Union’s Network and Information Security (NIS) Directive, and we thought it might be a good time to review how NIS2 stands to impact the healthcare sector, how far along the implementation path NIS2 is in the various EU member states, and what healthcare entities may wish to consider doing at this stage to prepare for it.
Let’s start with a quick recap of what NIS2 is. The original NIS was the “first piece of EU-wide cybersecurity legislation” and was designed to improve cybersecurity across the EU; however, it fell short on scope, and its implementation was uneven and inconsistent across member states.[i] NIS2 is more stringent in its implementation and more comprehensive in whom it applies to and what it seeks to address. For the healthcare sector, NIS2 will:
- Include broader and more consistent coverage of healthcare entities across EU member-states;
- Strengthen and harmonize cybersecurity requirements, including “Management Body” oversight and accountability;
- Streamline incident-reporting obligations to minimize over-reporting and the burden placed on private-sector entities; and
- Improve information-sharing, cooperation, and cross-border crisis management of cyber incidents.
NIS2 also complements the larger EU digital/cyber strategy elements found in the Cyber Resilience Act (CRA), the Digital Services Act (DSA), the Digital Markets Act (DMA), and others. EU member states were given until October 17, 2024, to successfully transpose the measures outlined in the NIS2 text into their own national laws, and member states were instructed to begin applying those measures as of October 18, 2024.
So where are we currently in the transposition process and what might Health-ISAC members consider doing at this time?
Action & Analysis
**Available with Health-ISAC Membership**
Congress
Tuesday, September 5th
No relevant hearings
Wednesday, September 6th
No relevant meetings
Thursday, September 7th
No relevant meetings
International Hearings/Meetings
No relevant meetings
EU
[i] https://www.enisa.europa.eu/topics/nis-directive
[ii] https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs
[iii] https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs
[iv] https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs
[v] https://eur-lex.europa.eu/eli/dir/2022/2555
Report Source(s)
Health-ISAC