Will the NIS2 directive on cybersecurity be enough?
The European Council and Parliament reached an agreement on the directive known as the Network and Information Security directive (NIS2) earlier this month. Formal approval is expected over the next few weeks, with the French presidency “optimistic” that a final draft will be ready before its term ends, according to an EU source.
The new cybersecurity directive will cover the healthcare sector more broadly than the previous act. It includes medical device manufacturers and acknowledges the “increasing security threats that arose during the COVID-19 pandemic.” In the provisionally-agreed text, organisations that do not comply may be fined up to two per cent of annual revenue, or up to €10 million.
Greater collaboration means greater risk
But researchers have already expressed concerns about the directive’s potential to overlap with other pieces of legislation, such as those governing medical devices and the requirements on serious-incident reporting. This could create legal uncertainty, legal scholars say. Further, there are broader tensions affecting the EU’s cybersecurity policy. Some experts point out that responsibilities are awkwardly split between member states and the EU; others worry that cyber concerns are not sufficiently integrated into policy development.
Robert Krimmer is professor of e-Governance at the University of Tartu in Estonia, where his research focuses on digital transformation, cross-border services and developing a digital society. He says that when it comes to cybersecurity a coordinated approach across boundaries is vital, particularly when citizens are involved.
“This directive can help,” he told Healthcare IT News. “But really [this is] where the collaboration between member states needs to be strengthened.”
“We see now that you’re able to take your prescription from Finland to Croatia, to Estonia and vice versa,” he said. “The more those services are actually taking place when it involves citizens, the more we need this active collaboration.”
The European Health Data Space and other digitisation programmes will all increase risk, Krimmer added. “It’s logical. The more you make a European service, the more you make a European platform, the more you can be attacked.”
Lessons learned in Estonia
As a leader in digital systems, Estonia has learned key lessons about cyber-attacks, sometimes the hard way. In 2007, the state suffered a denial-of-service attack which crippled e-services, including health. “Nothing worked anymore,” Krimmer recalls. “You could not access your Gmail, you could not access any public website; you could not access any eHealth.”
The experience, along with a cryptographic flaw found in the eID cards in 2017, was instrumental in learning how to manage a crisis. Today governmental departments collaborate, supported by the state IT agency, which acts as a knowledge hub for security. “They also organise exercises, which are really key, so that players in the moment of crisis know how to communicate, how to collaborate—and really also forget the institutional boundaries a bit and solve the problem at hand,” Krimmer said.
And with many digital EU projects in their infancy, cybersecurity is often overlooked. “I would say at the moment the EU is so much focused on actually making it happen that cybersecurity clearly comes second.”
The NIS2 directive is “a clear starting point because it’s the first EU-wide legislation on cybersecurity,” Krimmer said. But cybersecurity needs to be in the mainstream. “Clearly cybersecurity can only work when every actor realises that they have their share in making security work”—and the understanding, he said, that, “if I click on the wrong link I might bring my whole organisation down.”
Find out more about how healthcare organisations can protect information systems against cyber-threats at the 2022 HIMSS European Health Conference & Exhibition (14-16 June 2022).