Security in the healthcare system is of critical importance, particularly during the digital transition of health systems, where the privacy and security of sensitive patient information are at stake. As such, cybersecurity threats are among the biggest challenges health systems have to face. Mandatory security obligations arise from a diverse legal framework: not only do the GDPR security obligations apply, but also Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) [1]. The Commission also plans to adopt a proposal for a Cyber Resilience Act in 2022 [2] [3]; this Act would set out the cybersecurity requirements for digital products and ancillary services. The security requirements set out in the European Health Data Space (EHDS) (as mentioned in the course Legal, Regulatory, and Health Technology Assessment (HTA) Concepts of Digital Health, page 2, The European Health Data Space (EHDS)), notably as regards the special sensitivity of health data [4] held in electronic health record systems, provide more specific requirements for the health sector, such as access control. The EHDS complements the initiative and provides more tailor-made rules for the health sector where needed.

Further, the European Union Agency for Cybersecurity, ENISA [5], established in 2004 and strengthened by the EU Cybersecurity Act [6], contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes, cooperates with Member States and EU bodies, and helps Europe prepare for cyber challenges. ENISA has been working in the area of privacy and data protection since 2014, analysing technical solutions for the implementation of the GDPR, privacy by design and the security of personal data processing [7].

The COVID-19 pandemic [8] has highlighted the need for more security in the digital world. People have increased their presence online to maintain personal and professional relations, while cybercriminals have taken advantage of this situation. The healthcare system and its facilities have been among the top targets for cyber and ransomware attacks, and this will likely continue due to the large amount of sensitive personal data they hold (see the ENISA Threat Landscape (ETL) annual report) [9].

Without a continuing focus on cyberhealth, health systems open themselves to additional risks as they increase their digital activities [10].

[1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
[2] European Commission: Initiative for a Cyber Resilience Act.
[3] European Commission consultation: the new Cyber Resilience Act.
[4] TEHDAS: the special sensitivity of health data 2021.
[5] The European Union Agency for Cybersecurity.
[6] The EU Cybersecurity Act.
[7] Previous works of ENISA: in 2019, the recommendations on shaping technology according to GDPR, and in 2022, Deploying Pseudonymisation Techniques.
[8] COVID-19 pandemic, European Centre for Disease Prevention and Control.
[9] ENISA annual report on the state of the cybersecurity threat landscape. October 2021, 9th edition, period of reporting starting from April 2020 up to July 2021.
[10] Digital transformation from a buzzword to an imperative for health systems, Deloitte Insights (2021).