COVID-19

Start of main content

Cybersecurity and health; a reflection in times of crisis

| COVID-19 / News | Litigation

Vicente Moret and José Miguel Soriano analyse cybersecurity in institutions and companies that are responsible for health management

Since the outbreak of the coronavirus pandemic, Spanish society has been aware of the importance of health services working at full capacity and without suffering any loss of operability more than ever.

Some health infrastructures, specifically eleven, form part of the Health Sector's Critical Infrastructure Protection System, following the approval of the Health Sector's Strategic Sectoral Plan in 2018.

Following the successive rules derived from the state of alert, the scope of what is defined as essential services has been significantly extended to include the entire health system, public or private, and therefore the obligations of all kinds that fall on these essential service operators have been extended as well.

The article in the Royal Decree that approved the state of alert was precisely the extension of the application of the obligations of critical infrastructure operators to all those companies and suppliers that are not considered critical, but are essential to ensure the supply of the population and the essential services themselves.

However, in the last few days news has appeared that a series of cyber-attacks have been perpetrated, mostly by 'ransomware', against some health infrastructures and health research centres, apart from the thousands of websites created with malicious purposes to carry out online fraud activities taking advantage of the pandemic.

That is why it is essential to highlight the importance of institutions and companies that are responsible for health management to establish among their priorities that of strengthening their organizations in this area.

The health sector is very attractive to cybercriminals because of the large amount of sensitive data and financial information it handles, the large number of legacy systems that are easy to penetrate, and the investigations that are carried out in some cases with high added value.

In the health sector there are also added considerations that aggravate the consequences of a cyber-attack compared to other sectors, such as the imperative need to continue providing services.

The large number of connected devices being used in this sector is also a growing threat, increasing the surface area of attack.

For some years now, the competent authorities have been placing great emphasis on the need to strengthen the cybersecurity of health services, both at national and European level. Thus, the CCN (National Cryptological Center), which depends on the CNI (National Intelligence Centre) or ENISA, the European Cybersecurity Agency, has been publishing guides and recommendations in which they insist on the need for technological security measures to build robust and resilient organizations.

To this the variable of regulatory compliance must be added, given that there is already a Royal Decree-Law which, since November 2018, obliges operators of essential services to adopt a series of measures which, in the event of non-compliance, can lead to very heavy penalties.

However, it is important to insist that each of these organizations must consider the development and implementation of a cybersecurity policy in which technological aspects are especially important, but not the only ones. It is essential to establish solid internal rules and action protocols that involve the people who make up the organization at all levels, since cybersecurity is a shared effort.

Most cyberattacks today are based on social engineering techniques that exploit the errors, omissions, or lack of diligence of the human element in the organization to implant malware or impersonate identities, or to carry out other malicious actions that constitute criminal offences. A large number of online frauds would be avoided by means of legally well-constructed internal rules that make it possible to prevent incidents, protocol actions in the event of incidents, assign responsibilities, carry out training actions, establish specific policies and, above all, raise awareness of the importance of complying with these rules.

On the other hand, investments aimed at increasing the cybersecurity of organizations could no longer be considered a superfluous cost. The current situation allows us to understand that our lives already have an undeniable digital component and will increase as a result of this crisis.

Organizations that know how to implement a solid and well-regulated cybersecurity policy will have several advantages.

They will increase resilience, thereby protecting the entire health system and citizens. But they will also have a clear competitive advantage over other companies in the sector that are not so diligent in this area. It should be borne in mind that this is a sector in which the confidence perceived by the patient is essential.

In short, this pandemic has shown us how dependent on digital technology we already are.

Any organisation, but especially those that are operators of essential services in a sector as crucial as health, must make cyber security a priority.

An extra effort must be made to bring the health sector up to the level of cyber security that is essential to successfully meet the challenges posed by digital disruption.

You can read the full article in El Economista.

End of main content