The ENISA report comes as the European Commission is moving forward this year with the European Health Data Space initiative to promote the safe exchange of patients’ data and access to health data.
The COVID-19 pandemic has underlined an increased need for efficient – and secure – digital healthcare services. Cloud solutions allow for the flexible and rapid deployment of the electronic storage of data and of electronic communications such as telemedicine. However, the complexity of legal systems and new technologies, as well as concerns over the security of sensitive patient data have slowed the healthcare sector in adopting cloud services.
The report addresses these concerns by providing security guidelines for three main areas in which cloud services are used by the healthcare sector, namely for:
- Electronic Health Record (EHR), i.e. systems focusing on the collection, storage, management and transmission of health data, such as patient information and medical exam results;
- Remote Care, i.e. the subset of telemedicine supporting remote patient-doctor consultations;
- Medical Devices, i.e. cloud services supporting the operation of medical devices, such as making medical device data available to different stakeholders or monitoring the devices remotely.
For each of these use cases, the report highlights the main factors to be considered when healthcare organisations conduct the relevant risk assessment – for example, in terms of risk to sensitive patient data or availability of a medical service. These guidelines, however, are only a first step for healthcare providers to adapt securely to the cloud. More support is needed, such as established industry standards on cloud security, specific direction from national and EU authorities, and further guidelines from Data Protection Authorities on transferring healthcare data to the cloud.
The report also proposes a set of security measures for healthcare organisations to implement when planning their move to cloud services, such as establishing processes for incident management, defining data encryption requirements, and ensuring data portability and interoperability. The measures are proposed taking into consideration the draft candidate EU Cybersecurity Certification Scheme on Cloud Services (EUCS) to ensure compatibility and requirements mapping. The Agency’s draft scheme is part of the cybersecurity certification framework aimed at enhancing trust in ICT products, services and processes across Europe. The draft scheme is open for public consultation until 7 February 2021.