18 July 2024

The Network and Information Systems (NIS2) Directive entered into force on 16 January 2023. It is an EU-wide legislative act which establishes cybersecurity risk management measures and reporting requirements for an expanded list of essential and important industries.

The NIS2 Directive replaces the 2016 NIS1 Directive. While the NIS1 Directive included certain elements of the healthcare sector, NIS2 extends this into a broader range of healthcare entities, which are now classified as an essential sector, subject to enhanced standards. 

The NIS1 Directive defined healthcare as ‘health services provided by health professionals to patients to assess, maintain or restore their state of health, including the prescription, dispensation and provisions of medicinal products and medical devices’. NIS2 has significantly extended the scope of the healthcare sector from the definition in NIS1 to now include:

  • manufacturers of medical devices;
  • manufacturers of in vitro diagnostic (IVD) medical devices;
  • manufacturers of basic pharmaceutical products;
  • providers engaged in research and development of medicinal products; and
  • medical devices considered critical during public health emergencies.

As mentioned above, the scope of NIS2 is significantly broader than its predecessor, NIS1. It considers the healthcare sector as ‘essential entities’ subject to a comprehensive oversight regime, involving both ex-post (measures based on actual activity) and ex-ante (measures based on anticipated activity) control measures regarding compliance with the Directive, along with severe penalties/sanctions for non-compliance.

In the eyes of the healthcare industry, NIS2 primarily aims to promote the following key objectives:

  • prevention of health service disruption; and
  • protection of patient data.

Prevention of health service cyber-attack disruptions

A successful cyber-attack on healthcare providers could result in downtime or failure of crucial systems, impacting the delivery of medical services. The healthcare sector has evolved into an industry where critical functions are outsourced to specialist third-party suppliers, creating a worrying level of dependency on those suppliers for the provision of essential services. Third-party risk is growing exponentially in line with these dependencies, as evident in our recent cyber security special report, where 78% of businesses that had experienced an attack in the past year reported that a supplier or third party was targeted by a threat actor.

According to the 2023 Ponemon Healthcare Cybersecurity Report by Proofpoint, 64% of healthcare organisations suffered a supply chain attack in the past two years. Among this group, 77% said these attacks impacted patient care. The impact of cyber-attacks on third-party suppliers is further demonstrated by the recent successful cyber-attack on a pathology partner based in the EU. This attack led to the suspension of surgeries and the cancellation of crucial operations across key NHS Trusts.

NIS2 mandates the implementation of measures to reduce the likelihood and risk of such disruptions and ensures the continuity of essential healthcare services. These measures include third-party supplier security, regular testing and reviews of business continuity planning, staff training on cyber hygiene, and cyber incident response planning.

Protection of patient data

Patient data is hugely valuable to cyber criminals due to its volume and sensitivity, making the healthcare sector a frequent victim of targeted attacks. For instance, the Information Commissioner’s Office (ICO) reported 785 cyber-related data security incidents in the healthcare sector in 2023. A recent report by Rubrik Data Labs revealed that 20% of a typical healthcare organisation’s total sensitive data holdings are impacted every time there is a successful ransomware encryption event. The volume of sensitive healthcare data records also grew by more than 63% in 2023, far surpassing any other industry and exceeding the global average by more than five times.

The protection of patient data is critical, as breaches could lead to compromises in patient privacy, possibly resulting in patient harm and reputational damage to both the healthcare organisation and the patient. 

In addition to the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), NIS2’s enhanced data security standards add a further layer of cybersecurity. These standards comprise four overarching areas and 10 minimum measures, and they go further by introducing individual accountability for non-compliance, extending to responsible officers and the board.

Recommendations

While NIS2 is not directly applicable to UK organisations, it does extend to UK organisations that supply services directly in the EU and those in the supply chain. As such, it is crucial for healthcare organisations to take the following steps.

  • Determine if your organisation falls within the scope of NIS2. Scope considerations should include whether services are provided across the EU. 
  • If your organisation is in scope, determine if you are designated as either an essential or important entity.
  • Review NIS2’s control areas and minimum requirements, perform a gap assessment to determine your readiness and form an implementation plan to achieve compliance.

For further information and support, please contact Stuart Leach, Clive Makombera or Suneel Gupta.