As the health care sector is going through a comprehensive digitalization process, the integration of cloud-based tools and services creates new challenges in terms of cybersecurity and data protection.
ENISA published its Report on January 18, 2021. The scope of the Report relates more specifically to the eHealth ecosystem (e.g., health care services and facilities, medical devices and equipment, remote care, etc.). It provides guidance to the health care sector and cloud service providers ("CSPs") on cloud security practices and on the identification of critical data security aspects.
To begin with, the Report outlines the applicable policy context (i.e., NIS Directive, GDPR, additional regulators' guidelines), recalls the basic elements of cloud computing and lists the key types of cloud services in the health care sector. The Report also summarizes the main security and data protection challenges faced by health care organizations when using cloud services, such as the lack of cybersecurity expertise and the complexity of proving regulatory compliance of the CSPs. While facing a wide range of cyber threats, such as natural disasters, supply chain or system failures, human errors and malicious actions, health care organizations can indeed find it particularly complex to navigate the offerings of the CSPs in order to validate that sufficient data governance controls are in place, and that privacy by design, data management, and portability obligations are met. This is all the more important in view of national and European legislative efforts to introduce class actions, including in relation to cyber breaches.
To help health care organizations and CSPs address cyber risks, ENISA presents three practical use case scenarios of cloud services applicable to the health care sector, namely electronic health record services, remote care services, and services involving a medical device—all available in the cloud. ENISA also identifies factors organizations should consider during the risk-assessment phase and provides risk-mitigation measures.
Against this background, the Report provides a set of cloud security measures and recommended practices for the health care sector, based on common frameworks for cloud security and the ongoing work on a cloud certification. Each suggested security measure is cross-referenced with recommended practices included in ENISA's existing Procurement Guidelines for Cybersecurity in Hospitals and with the different use case scenarios. In addition, the roles of both cloud customer and CSP are indicated for each cloud security measure, along with additional data protection considerations.
In total, 17 security measures are suggested in the Report, including identifying applicable cybersecurity and data protection legal requirements, conducting a risk assessment and a data protection impact assessment, establishing processes for security and data protection incident management and response, establishing business continuity and disaster recovery plans, and enabling data encryption for data at rest and data in transit.
As ENISA recalls, the cloud security measures and the related responsibilities vary depending on the type of cloud service (e.g., SaaS, PaaS, or IaaS) and the deployment model (e.g., public, private or hybrid cloud). For instance, in a typical case of remote care services, only the CSP would normally be responsible for establishing processes for security and data protection incident management—whereas, for the use case relating to the provision of services based on a medical device, the Report provides that both the CSP and the cloud customer would normally be responsible for implementing such a security measure.
As the conclusion of the Report highlights, health care organizations may still be reluctant to adopt cloud services beyond those relating to the management of administrative data. This is due to a number of factors, including the lack of cloud expertise and the extensive compliance requirements, in particular with respect to data protection and professional secrecy obligations. In addition, although not mentioned in the Report, health care organizations and CSPs should take into account the additional data protection challenges resulting from the recent "Schrems II" ruling of the European Court of Justice if they contemplate any transfers of personal data from the EU to third countries. See our previous Jones Day Commentary.
Although it is clear from the Report that further support is expected to facilitate the development and implementation of cloud services in the health care sector (e.g., specific guidance from national and EU authorities, industry standards for cloud security in the health care context, guidelines from data protection authorities on moving health care data to the cloud, etc.), the ENISA Report provides useful guidance for health care organizations and CSPs looking at implementing cloud services in compliance with the current cybersecurity and data protection legal constraints as well as recommended practices.