Healthcare sector targeted with increasing intensity
Healthcare facilities have increasingly become the target of cyberattacks since 2019. The cyberattack on Fürth Hospital is a recent example, and its consequences were serious: around 100,000 patients are treated there, 42,000 of them as inpatients. At times, no patients could be admitted because of the attack, and operations had to be postponed.
The issue remains highly topical: the attack on the Soest hospital network caused system failures that made new admissions and planned operations impossible. The affected clinics have been temporarily withdrawn from emergency care, so neighbouring hospitals have to handle the emergencies. It is unclear when everyday hospital life will return to normal.
Investment bottleneck creates a vicious circle
The existing technology and defence mechanisms in medical facilities are often unable to keep up with the latest methods of cyber criminals. The reason is an enormous investment bottleneck in IT. More needs to be invested in the security of IT infrastructures, says Manuel Atug from AG Kritis.
Until that happens, outdated IT systems will continue to lead to ransomware infections, and because medical infrastructures are irreplaceable, affected facilities will in turn be more willing to pay ransoms: the affected systems need to be usable again as quickly as possible. Unfortunately, it is precisely this willingness that attracts new attackers to healthcare facilities.
NIS2 forces hospitals and clinics to act
The aim of the EU NIS2 Directive (Network and Information Security) is to improve cybersecurity for operators of critical infrastructure (KRITIS), which also includes hospitals and other medical facilities.
The NIS2 Directive was proposed by the European Commission in December 2020, came into force at EU level on January 16, 2023 and provides for the obligations of the directive to be implemented by October 17, 2024.
What does NIS2 require?
In addition to requirements and deadlines for reporting security incidents, NIS2 imposes a number of obligations on affected companies and organisations. These include registration with the competent authority in their own Member State, the disclosure of contact details and the reporting of significant security incidents, i.e. incidents that could lead to serious operational disruptions. The biggest change for businesses, however, will be the additional security requirements imposed by NIS2, which call for various measures regarding crisis management, incident response, cryptography and other security-related areas.
Encrypting email communication is essential
For email security, this means using cryptography and encryption in email communication to protect critical data. However, the law implementing NIS2 in the EU is not yet much more specific: it has been available as a draft since spring 2023, so more concrete details are still to come. Nevertheless, this shows that effective email encryption is an elementary part of fulfilling the NIS2 Directive.
Penalties for non-compliance with NIS2
Hospitals, which belong to the high-criticality sectors, are subject to penalties for non-compliance with the NIS2 Directive up to a maximum amount of at least €10 million or 2% of the previous year’s global turnover, whichever is higher.
Increase cyber security with NoSpamProxy
Take important steps towards NIS2 compliance by securing your IT infrastructure and protecting your email communication. Try NoSpamProxy now for free!