The rapid rise in the use of digital technologies in the healthcare sector is not lost on cyber criminals. In the USA in particular, cyber threat groups have shown an alarmingly growing interest in the healthcare industry: the medical records of more than 40 million Americans were breached in 2014, leading to losses of nearly $12 billion (as calculated by the Ponemon Institute). Incidents such as the “hacktivism” cyberattack on Boston Children’s Hospital (April 2014) and the breach of 4.5 million health records at Community Health Systems ‒ the second largest hospital chain in the country (August 2014) ‒ give an indication of how lucrative this business has become. On the other side of the Atlantic, according to a report by the UK Office of Cyber Security and Information Assurance, the cost of IP theft within the UK pharma and biotech sector is estimated at 1.8 billion annually. For this reason, cyber security measures are particularly important for IP-rich business sectors, such as the pharmaceutical and biotechnology sectors, which invest heavily in research and development projects and rely on them to create market advantage in a fiercely competitive global industry.
After intensive work, on 7 December 2015 the European institutions reached an agreement on the European Commission’s Proposal for the Network and Information Security Directive (NIS), the first attempt by the European legislator to regulate cyber security at the European Union level.
Specifically, the Directive imposes security and reporting obligations on entities in critical sectors such as transport, energy, health and finance, so that they ensure that the digital infrastructure they use to provide their services is secure enough to withstand cyberattacks.
Operators of essential services, including both private and public entities, will be identified by the national legislation of each Member State based on the following criteria:
- the entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- the provision of that service depends on network and information systems; and
- an incident affecting the network and information systems of that service would have significant disruptive effects on its provision.
According to the text of the Directive, healthcare providers, as defined in Article 3(g) of the earlier Directive 2011/24/EU “on the application of patients’ rights in cross-border healthcare”, are a typical example of operators of essential services. The term “healthcare providers” covers hospitals and GP surgeries as well as, potentially, private-sector healthcare businesses.
In order to determine whether the Directive applies, and which national law does, it is crucial to establish where the operator is established, understood as the effective and real exercise of activity through stable arrangements (branches and subsidiaries are also included) within a national territory.
Another important feature of the new legislation is the implementation of a reporting scheme, defined by the Member State in question. Under that scheme, the company must notify the competent authority without undue delay of incidents that have a significant disruptive effect on the provision of a service. In the health sector, the number of patients under the provider’s care per year is the most significant factor in determining the gravity of a breach. Furthermore, the designated authorities will have the power to audit an operator’s compliance with the security standards and to require the information needed to assess the security of its networks. The authorities also have the power to demand evidence of the “effective implementation” of a company’s security policies.
Concerning transposition into domestic law, the Member States will have up to 21 months from the publication of the NIS Directive to adopt the national laws that implement it and to bring them into force.
Our law firm’s comment
Adopting and implementing legislation to impose security measures and monitoring systems will contribute to stakeholder trust in digital health applications. We therefore support the attempt of the European legislator to improve the individual capabilities of EU Members and to enforce cooperation on cybersecurity, as well as to promote a high level of risk management practices and a set of minimum standards for network security. However, given that the final text has not yet been adopted and that Directives usually entail important differences in their incorporation into national law, we suggest patience, especially in seeing how they will approach the co-operation requirements under the NIS Directive to create co-ordinated responses to incidents.
‘Healthcare provider’ means any natural or legal person or any other entity legally providing healthcare on the territory of a Member State. ‘Healthcare’ means health services provided by health professionals to patients to assess, maintain or restore their state of health, including the prescription, dispensation and provision of medicinal products and medical devices.