Hospitals should inform patients if their treatment is being delayed due to a cyber attack, say new recommendations from Europe
If a hospital suffers a computer attack with ransomware but the hackers do not manage to access or steal any patient data, the hospital should still report it. This is the conclusion reached by the European Data Protection Board, which has released new recommendations, although they are still in draft form.
The EDPB is one of the European bodies responsible for ensuring the security of personal data of citizens and businesses. This week it has published a dossier with general recommendations for companies and administrations that serve as a complement to the work already published on the European Union's General Data Protection Regulation (GDPR).
One of the main novelties included in this document, to which modifications or suggestions can be added until March 2nd via this link, is that hospitals will have to inform their patients whenever they suffer a computer attack.
Even if the incident does not result in the theft of patients' health information and the hospital can mitigate it with a backup copy, the EDPB believes that it is necessary to provide explanations and information to those patients who may be affected by the attack. A ransomware attack attempts to block systems until victims pay a ransom to the cybercriminals, so by its nature, it could cause delays in operations and medical treatment.
Companies and public administrations are obliged to report all types of attacks or attempted attacks on control bodies. In the case of Spain, this role is played by the Spanish Data Protection Agency (AEPD). However, companies only rarely communicate this type of incident to their clients -or patients, in the case of a healthcare center.
The hospital will have to explain if the delays are due to computer attacks
These exceptional occasions are due to the fact that during the attack very sensitive personal data, such as health-related data, could have been leaked. However, in its new recommendations, the EDPB understands that "although in recent years patient data has been encrypted" -and therefore is more secure- the data controller of an attacked hospital should inform patients who suffer delays in their operations or treatment.
Basically, what the EDPB proposes is that health centers properly explain to patients who may be affected the reason for the possible delays they may suffer. All this is specified in one of the cases contained in the dossier, with which the European body tries to exemplify a large number of possible situations.
Specifically, the EDPB asks what would happen if a hospital was attacked with ransomware but fortunately no personal data was leaked and the center could recover without paying any ransom because they had a backup of their systems. "Notifying the control authority would be considered necessary, as the personal data involved in the incident is of a special category".
The WHO believes that the current deployment of the vaccine is a "catastrophic moral failure"
"Also, because data recovery could take time, causing long delays in patient care, reporting the gap will be necessary because of the impact it can have.
A woman died in Germany while waiting for treatment and her hospital was attacked
Reuters
The EDPB highlights among its examples a hypothetical computer attack on a hospital after one year, that of the pandemic, in which this type of incident has been commonplace. The most serious case occurred in Germany, where such an attack caused delays and delays in operations, leading to the death of a woman while she was being transferred to another facility. In May, the owner of the Quirónsalud hospitals suffered another hack, details of which became known weeks later.
Laura Prats is the head of the Cyber-risk area at Sham Spain, and is a risk manager specializing in health and medical-social issues who has adapted to "the new cyber-threats". Her company works with the health services of Madrid, Andalusia, Catalonia and the Basque Country, as well as with private hospital groups.
Prats explains that the health sector has become one of the main targets of cyber-criminals, "due to the sensitivity of the data managed and the critical nature of many of the services offered". "Technology is the network that supports many of today's healthcare services, and therefore we must keep this network secure so that professionals can carry out their work in optimum conditions", she recalls.
The pandemic and the use of technologies are behind a worsening of physical injuries
Spain is one of the countries where attacks on hospitals grew the most in 2020, according to recent data from Check Point. It is only behind Canada and Germany. "The expectation is that the situation will get worse," warns Prats. In March last year, with the lockdown, experts warned Business Insider Spain that the incidents suffered by these centers in the digital arena were being "an outrage".
"Investment in cyber security is growing, but the situation is still variable".
"We know that investment in cybersecurity is increasing, but the situation is still variable and needs improvement in some aspects, both technological and organizational," said Prats. At the end of 2019, the hospitals of Vithas were attacked. In March, a hospital in the Czech Republic suffered an attack and a subsequent 'computer blackout' that even led them to diagnose coronavirus using pencil and paper.
Spain loses thousands of doses of COVID-19 vaccines because it does not have the right syringes
Until the new recommendations of the European Data Protection Committee come into force, Prats, of Sham España, refers to the prevention guides that appear on the websites of the National Cybersecurity Institute, the National Cryptology Center or the ENISA, the European cyber security agency. "If, despite everything, a hospital suffers a cyber attack that it is unable to deal with, it should contact an expert technical service as soon as possible so that they can intervene".
"The time between the start of the attack and a correct response is key to minimizing the damage", stresses the professional. "Once the incident has been contained, the authorities and legal services must be contacted. The notification of incidents is essential to warn the sector".
from Business Insider https://ift.tt/2Y18WK2
No comments