On May 3rd, the European Commission launched the European Health Data Space (EHDS), one of the central building blocks of a strong European Health Union.
The enouncement stated that the regulation aims to help the EU achieve a quantum leap forward in the way healthcare is provided to people across Europe. It will empower people to control and utilize their health data in their home country or in other Member States. It fosters a genuine single European Market for digital health services and products. And it offers a consistent, trustworthy, and efficient framework to use health data for research, innovation, policy-making and regulatory activities, while ensuring full compliance with the EU’s high data protection standards[1].
The main Vulnerabilities of the Health Sector
During my research, I have analyzed the main cyber vulnerabilities that the healthcare system inherently faces making this sector a relatively easy target for criminally motivated threat actors. Main reasons are Healthcare devises are IoT with low (if any) security measures; Healthcare organizations use many different medical devices with low standardization, many of which are quite easy to hack; Most of healthcare personnel are less aware of cyberthreats focusing on their life saving activities and many healthcare networks are connected to the internet with low segregation and security measures.
We may define three main risks resulting the treats presented above. (1) Risk to human life – A cyberattack (or even an unintentional cyber incident) may result to the loss of human life. For example: Hitting emergency devices such as inhaling machines, medicine dosing machines etc., may result to a severe health damage and even death. (2) Risks to Functional Continuity – A cyberattack may cause the disability of the healthcare system to function properly. Unfortunately, we have many examples. The Irish healthcare system was targeted. On 14 May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware cyberattack which caused all its IT systems nationwide to be shut down. And (3) Risks to the Loss or Exposure of Privat Data – Exposure of sensitive private patient information that is stored and managed in healthcare systems of hospitals and clinics.
The Regulation Legal Foundation
The EHDS in enshrined in a proposal of Regulation[2], which is based on Articles 16 and 114 of the Treaty on the Functioning of the European Union (TFEU). Article 114 TFEU aims at improving the functioning of the internal market through measures for the approximation of national rules. Some Member States have taken legislative action to address the problems described above, by establishing national certification systems for Electronic Health Record systems (EHR systems), whereas others have not. This can lead to legislative fragmentation in the internal market and different rules and practices across the EU. It could also lead to costs for companies that would have to comply with different regimes. It is also based on Article 16 TFEU. The GDPR provides important safeguards in relation to rights of natural persons over their health data. Additionally, the scope of the right to portability under the GDPR renders it less effective in the health sector[3].
The Regulation Proposal
Asa result of the fear of loss of sensitive data, many have difficulties in exercising their rights related to digital health data. This is despite the GDPR regulation mechanism. GDPR also creates difficulties related to the use of health data for secondary use i.e., R&D as it creates considerable legal uncertainties. As a result, individuals cannot benefit from innovative treatments and policymakers cannot react effectively to a health crisis, due to barriers impeding access for researchers, innovators, regulators, and policy makers to necessary electronic health data.
The proposed Regulation aims to deal with these obstacles and standardize manufacturers of digital health products and providers of digital health services operating in one Member State face barriers and additional costs when entering another one.
The Regulation consists of 72 Articles, most of which deal with topics such as access to and transmission of personal electronic health data for primary use, cross-border infrastructure for primary use of electronic health data, general provisions for EHR systems, obligations of economic operators regarding EHR systems, conformity of the EHR system, market surveillance of EHR systems, provisions on interoperability, general conditions with regard to the secondary use of electronic health data (i.e. R&D), governance and mechanisms for the secondary use of electronic health data, data permit for the secondary use of electronic health data, cross-border access to electronic health data for secondary use, and European governance and coordination.
Do not forget that each Member State will appoint a Digital Health Authority to ensure that citizens’ rights are respected.
Conclusion
The proposed Regulation is a very important step towards a safer Healthcare sector and privacy of personal data. However, this should be the first step toward the implementations of security measures in this sector. I propose a few basic cybersecurity measures to start with.
Awareness – Invest in the awareness of users and personnel – The weakest link in any computer system are users. They are the first and last line of defense.
Protect endpoint devices — Laptop computers, handhelds, smartphones, portable storage media, are all creating vulnerabilities. Maintain best practice computer hygiene – There are many internet guides to best practice computer hygiene.
Control Physical Access – Physical access of unauthorized persons may result in the theft of end point devices, flash memory and DVD devices, that store data as well as IoT devices that have some storage capability too.
Segregate Networks – It is important to separate networks and minimize wireless routing as much as possible. so that sensitive information is isolated as much as possible from unauthorized eyes.
Build Crisis Management Capabilities – Sooner or later, the unexpected will happen. Not only a cyberattack but also fire, storm, earthquake, and other natural or man-made. So, do not forget to build, educate, train and exercise the crisis management team on a regular basis.
[1] (https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2711).
[2] https://ec.europa.eu/health/system/files/2022-05/com_2022-197_en.pdf
[3]https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_22_2711/IP_22_2711_EN.pdf).
