Cybersecurity and Data Protection Laws: EU Healthcare Businesses
Businesses operating in the European Union are subject to the strictest data protection regulation in the world, the General Data Protection Regulation (GDPR).
Unlike the United States, the EU doesn’t have an industry-specific cybersecurity law for the healthcare sector. However, healthcare organizations are subject to a new cybersecurity law for businesses in essential industries, known as the Network and Information Security (NIS) Directive.
Moreover, manufacturers and authorized users of medical devices are subject to the Medical Device Regulation (MDR) and/or In Vitro Diagnostic Medical Device Regulation (IVDR), which include several cybersecurity requirements.
Keep reading for full details on each of these laws.
General Data Protection Regulation (GDPR)
The GDPR is the world’s best-known regulation on privacy and data protection, but it’s worth recapping exactly who and what it covers.
Implemented in 2018, the GDPR affects any business established in the EU, offering goods or services to anyone in the EU, or collecting/storing/transferring/using personal information about European citizens. It covers all 27 EU member states, as well as the United Kingdom (which has retained the GDPR in its domestic law despite leaving the EU), and European Free Trade Association (EFTA) states Iceland, Liechtenstein, and Norway.
The EU doesn’t recognize U.S. data protection laws. Therefore, U.S.-based businesses must get certified under the EU-U.S. Privacy Shield Framework in order to be able to transfer personal data from the European Union to the United States (or the Swiss-U.S. Privacy Shield Framework in order to transfer data from Switzerland, which is not a member of the EU or EFTA).
Chapter 3 of the GDRP outlines the data privacy rights that people are guaranteed under EU law. Businesses that fail to comply with these rules may suffer financial penalties. Among other things, your business must:
- Explain how you process data “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
- Communicate specific information to the user at the moment you collect their personal data.
- Uphold the right of users to know the source of their personal data, the purpose of processing, and the length of time the data will be held, among other rights.
- Uphold the “right to be forgotten”, under which users have the right to request that you delete any information about them that you hold.
- Store your users’ personal data in a format that allows them to easily share the data with third parties. Moreover, if a user asks you to send their data to a third party, you must do it, even if the party is a competitor of your business.
- Uphold the right of your users to have you stop processing their data unless you can show a “legitimate basis” for using their data.
Network and Information Security (NIS) Directive
The EU Network and Information Security Directive was implemented in 2018 and was the first EU-wide regulation to focus on cybersecurity. Under the NIS Directive, businesses identified by EU member states as operators of essential services – including healthcare providers – will be required to take appropriate cybersecurity measures and to notify relevant national authorities of serious incidents. The UK has implemented its own version of the NIS Directive in domestic law despite leaving the European Union, just like it did with the GDPR.
The European Commission is currently examining a revised directive, known as the NIS 2 Directive or NIS 2.0. This would see the introduction of a size cap, meaning that all medium and large companies operating in the healthcare sector or other sectors covered by the law would be included in the scope. At the same time, it would leave some flexibility for member states to identify smaller entities with a high-security risk profile. It is also proposing a rule that would require businesses to address cybersecurity risks in supply chains and supplier relationships.
Medical Device Regulation (MDR) and In Vitro Diagnostic Medical Device Regulation (IVDR)
The MDR and the closely related IVDR were passed in 2017 and implemented gradually, coming into full force in 2021. These laws imposed various obligations on manufacturers, authorized representatives, importers, and distributors of medical devices and in-vitro diagnostic devices in the European Union.
Cybersecurity-related requirements include:
- Manufacturers must identify and analyze the known and foreseeable hazards associated with each device, estimate and evaluate the risks associated with the intended use and reasonably foreseeable misuse, and eliminate or control the aforementioned risks.
- For devices that incorporate software, the software must be developed and manufactured in accordance with the state of the art taking into account the principles of the development life cycle, risk management, including information security, verification, and validation.
- Devices must be designed and manufactured in such a way as to protect, as far as possible, against unauthorized access that could hamper the device from functioning as intended.
- Manufacturers must set out minimum requirements concerning hardware, IT networks characteristics, and IT security measures, including protection against unauthorized access, necessary to run the software as intended.
Bottom line
Cleaning up a data breach can be a drain on resources for any business, and doubly so for healthcare organizations. Fortunately, you can reduce the odds of becoming the victim of a data breach and improve your ability to respond to a breach by hiring the services of a managed Security Operation Center (SOC) provider. Features of a well managed SOC platform including threat hunting, digital forensic tools, and incident response.