Cyber security and digital health: Strategy and regulation

Digital health tools have created many advantages, enabling citizens to stay safe, medical practitioners to stay accessible, and consumers to stay in touch with private and public healthcare suppliers. However, new digital health solutions breed new challenges as well as new advantages. Addressing cyber security threats and the risk they pose to patient data is crucial to digital health. But how is cyber security legally framed in Denmark? And what are the absolute essentials for suppliers of digital health solutions to be aware of?

One can easily imagine the damage caused by the leakage of, for example, people's medical histories or their correspondence with general practitioners, or by breaches of healthcare databases exposing patient data. As cyber security threats cannot be eliminated, effectively managing the cyber risks related to digital health solutions is key to reducing:

  • the risk of security incidents occurring, and
  • the potential damage caused by security incidents.

Generally, cyber security refers to the technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorised access, and cyber resilience to the ability of organisations to respond to, and recover from, security incidents. Both share the overall objective of ensuring the availability, integrity, authentication, confidentiality, and non-repudiation of information (and data).

Digital health solutions inevitably involve the processing of large quantities of health information, including sensitive personal data. Cyber security is therefore naturally the number one concern in relation to digital health solutions.

National cyber and information security strategy in the Danish health sector 

In the wake of the national effort to enhance cyber security capabilities in critical sectors, and to meet current and emerging cyber security threats, the Danish health sector has published a strategy for cyber and information security applicable in the period 2019-2022.

The strategy points out that the threats against the health sector are both complex and ever-changing, including espionage, ransomware, and phishing emails.

The strategy sets out four tracks (adopting four of five functions of the NIST Cyber Security Framework) to meet cyber and information security issues, namely: 

  1. Identify - e.g. by identifying critical business processes and IT systems across healthcare actors
  2. Prevent - e.g. by educating staff, managing security in legacy systems, etc.
  3. Detect - e.g. by performing regular security tests and by monitoring and analysing activity in health sector systems 
  4. Respond - e.g. by establishing emergency response procedures for incidents.

The ties between private digital health solutions and the public health sector are getting stronger as the health sector is widely engaged with private and commercial initiatives, a tendency that seems to be growing. Therefore, it is an advantage for a digital health provider to be familiar with the considerations and initiatives laid out in the strategy for cyber and information security in the health sector (2019-2022).

Legal landscape related to cyber security 

The legal landscape within the field of cyber security applicable to the health sector is made up of a number of laws and regulations, overall consisting of:

  • The EU Directive on security of network and information systems (the NIS Directive, Directive (EU) 2016/1148 of 6 July 2016) as implemented into Danish law via sector-specific regulation.
  • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

The NIS legislation generally requires operators of essential services (OES), such as hospitals and private clinics in the health sector, to adopt appropriate and proportionate technical and organisational measures to manage cyber security risks.

Suppliers of digital health solutions are not directly subject to the NIS legislation. However, requirements deriving from the regulatory framework may be imposed on suppliers contractually. In addition, the overall security requirements laid down in the NIS legislation are, for all intents and purposes, in line with generally applicable international standards and industry practices reflecting customers' and patients' reasonable expectations for the protection of health information.

Standards related to cyber security 

ISO 27001 is an international standard for information security management, providing a methodology to assess potential threats and incidents (i.e. risks) and to define procedures for mitigating and preventing such risks. ISO 27001 has been adopted as the state security standard in Denmark, which all governmental institutions must follow.

ISO 27001 implementation is not compulsory for the health sector (hospitals, pharmacies, treatment facilities, general practitioners). However, the ISO 27001 standard is the general basis for security principles and, accordingly, the regions have approved a joint regional information security policy that supports their compliance with ISO 27001, and the Danish Health Data Authority has prepared guidelines on the implementation of the principles of ISO 27001 in the health care sector. In these guidelines, the Danish Health Data Authority emphasises, among other things, data security.

Suppliers need to provide solutions that customers are willing to buy. From a business perspective, it can therefore be an advantage for suppliers of digital health solutions to demonstrate that they take security seriously, including by following or complying with one or more of the security controls of the ISO 27001 standard, e.g. in relation to the identification and mitigation of risks related to handling sensitive and vital data.

The GDPR and data privacy regulation form a subarea of information and cyber security and will be the subject of a separate digital health article.

Contact

Jette Hessellund Lauridsen
Partner (Copenhagen)
Dir. +45 38 77 43 57
Mob. +45 24 86 00 49
Oliver Machholdt
Partner (Copenhagen)
Dir. +45 38 77 46 06
Mob. +45 61 20 11 74