Securing Cloud Services for Health: New report by EU Agency for Cybersecurity helps healthcare organisations securely adopt cloud services and prepare for cybersecurity challenges
The European Union Agency for Cybersecurity (ENISA) published the Cloud Security for Healthcare Services report, which provides cybersecurity guidelines for healthcare organisations to help further digitalise with cloud services. Building on ENISA’s procurement guidelines for cybersecurity in hospitals, published early last year, this new report assesses the cybersecurity risks of cloud services and offers good practices for their secure integration into the European healthcare sector. The ENISA report comes as the European Commission is moving forward this year with the European Health Data Space initiative to promote the safe exchange of patients’ data and access to health data.
The COVID-19 pandemic has underlined an increased need for efficient – and secure – digital healthcare services. Cloud solutions allow for the flexible and rapid deployment of the electronic storage of data and electronic communications such as telemedicine. However, the complexity of legal systems and new technologies, as well as concerns over the security of sensitive patient data have slowed the healthcare sector in adopting cloud services.
EU Agency for Cybersecurity Executive Director Juhan Lepassaar said: “A resilient health sector relies on secure digital solutions. The EU Agency for Cybersecurity provides healthcare organisations with guidance to address cybersecurity concerns related to cloud services and is preparing an EU Cloud Cybersecurity Certification scheme, both of which aim to do just that.”
The report addresses these concerns by providing security guidelines for three main areas in which cloud services are used by the healthcare sector, namely for:
Electronic Health Record (EHR), i.e. systems focusing on the collection, storage, management and transmission of health data, such as patient information and medical exam results;
Remote Care, i.e. the subset of telemedicine supporting remote patient-doctor consultation;
Medical Devices, i.e. cloud services supporting the operation of medical devices such as making medical device data available to different stakeholders or for device monitoring.
For each of these use cases, the report highlights the main factors to be considered when healthcare organisations conduct the relevant risk assessment – for example, in terms of risk to sensitive patient data or availability of a medical service. These guidelines, however, are only a first step for healthcare providers to adapt securely to the cloud. More support is needed, such as established industry standards on cloud security, specific direction from national and EU authorities, and further guidelines from Data Protection Authorities on transferring healthcare data to the cloud.
The report also proposes a set of security measures for healthcare organisations to implement when planning their move to cloud services, such as establishing processes for incident management, defining data encryption requirements, and ensuring data portability and interoperability. The measures are proposed taking into consideration the draft candidate EU Cybersecurity Certification Scheme on Cloud Services (EUCS) to ensure compatibility and requirements mapping. The Agency’s draft scheme is part of the larger cybersecurity certification framework aimed at enhancing trust in ICT products, services and processes across Europe. The draft scheme is open for public consultation until 7 February 2021.
The EU Agency for Cybersecurity will continue its work to strengthen the cybersecurity of Europe’s healthcare sector by publishing guidelines, promoting information sharing, collaborating with policy-makers and organising events such as the annual eHealth Conference, addressing the healthcare sector’s major cybersecurity challenges.
