Healthcare cybersecurity in the EU and US: a technical, regulatory or political issue?

The meeting was kicked off with a keynote by Supervisory Special Agent Edward You (FBI). He presented the US perspective on current cybersecurity threats and countermeasures in healthcare and the wider bio-economy.

US: Beware of Chinese bearing genome sequencers

Perhaps not surprisingly, Special Agent You saw the most significant threat to information security and patient safety of US patients in the activities of Chinese companies. He even made the Cold War analogy explicit by calling the competitive race between Chinese and US companies the “Bio Space Race”, with data as its fuel.

In You’s words, with regard to genomics and other big data powered bio sciences, “Whoever generates the largest, most diverse dataset is really gonna own the day.” As early as 2015, 30 percent of the world’s genetic sequencing machines were located in China, and the proportion is increasing. Many healthcare providers in the US and internationally contribute to China’s dominant position on the market by sending samples to the BGI Group (formerly Beijing Genomics Institute), the incumbent on the whole genome sequencing market and provider of the popular NIFTY prenatal test.

Another important Chinese player is the WuXi conglomerate: one subsidiary invested in 23andMe, the personal genomic sequencing company, and another, the WuXi NextCode Sequencing Facility, was accredited by the American College of Pathologists, now accepting samples directly from US patients. However, the generation and analysis of genomic data seems to be a one-way street to Chinese corporations and governments, You reported. China’s state council order demands that foreign entities analyzing the material of Chinese citizens must cooperate with a Chinese company and must share all data and patents with their Chinese partners.

US institutions managing the risks and threats associated with the Chinese predominance in the bio-economy include the FBI and the National Academies of Sciences, Engineering and Medicine. While the former is concerned with cybersecurity and protection against economic espionage, the latter published a report named “Safeguarding the Bioeconomy” in 2020, focusing less on cybersecurity issues than on issues of the competitive fitness of the US economy and the contributions of the sciences.

EU: Directives and regulations

In the second keynote, Maria Papaphilippou, Cybersecurity Officer of ENISA, reported on the policy and regulatory frameworks of cybersecurity in healthcare in the EU. The European Union Agency for Cybersecurity (ENISA) counts the increasing frequency and differentiation of ransomware attacks, the increase in teleworking due to the pandemic and last but not least the enduring lack in skilled cybersecurity professionals among the most important threats to healthcare cybersecurity. 

In incident reporting and analysis, ENISA has identified systems failure as cause for 59% of incidents, human error and malicious intent for 19% each and natural phenomena as cause for only 2% of incidents. Data breaches and leaks, with 49%, are the most frequent type of incident in healthcare, followed by ransomware attacks with 26%, other malware with 7%, threats targeting e-mail with 4% and fraud with 2%.

As two of the most important regulations safeguarding cybersecurity in EU healthcare Maria Papaphilippou cited the NIS directive (in full: Directive […] concerning measures for a high common level of security of network and information systems across the Union) and the EU MDR (Medical Devices Regulation). NIS implementation is guided by the NIS Cooperation Group and its various working groups, one of which is dedicated exclusively to cybersecurity in healthcare (WS12).

However, while these regulations may serve as a good start and foundation of healthcare cybersecurity, Papaphilippou had to admit upon questions from the audience that ENISA does not currently pursue any collaboration with institutions outside of the EU, and that it does not concern itself with genomics and the associated threats to personal data at the moment.

Hospitals almost everywhere are “target rich and cyber poor”

After a couple of commercial entities had the chance to present their products and services at the event, the Cybersecurity in Healthcare Briefing concluded with a panel discussion of government officials from Germany (Jeffrey Fleischle, German Federal Ministry of Health), Austria (Robert Scharinger, Austrian Federal Ministry of Health) and Switzerland (Marc Henauer, National Cyber Security Center Switzerland), as well as Josh Corman of the US Cybersecurity and Infrastructure Security Agency (CISA).

Participants in general agreed that international collaboration is key to fighting cybercrime in healthcare. However, regulatory measures seem to be on the forefront of thinking for many EU member institutions. Jeffrey Fleischle started out by explaining how regulatory holes were closed by including smaller hospitals in critical infrastructure regulations. Corman suggested that maybe the patient safety aspect of cybersecurity was neglected in the past, concentrating on personal data security instead. Time and again, the discussion circled back to the lack of trained professionals in cybersecurity. Corman described many hospitals in the US and abroad as “target rich and cyber poor” or even living below the “infrastructure poverty line”. Even if sufficient funds were available, Scharinger added, the cybersecurity professionals that could be paid with those funds are extremely scarce at the moment.

20.10.2021

• healthcare politics (252)
• IT (873)
• laws & regulations (378)
• security (446)