eHealth Conference: Sector Matures in terms of Cybersecurity but not fast enough

Organised with the support of the Danish Health Data Authority, the European Union Agency for Cybersecurity (ENISA) hosted the 7th eHealth conference on the latest developments in policy and emerging challenges of the evolving threat landscape.

Around 90 eHealth security experts from both the public and private sectors met at Rigshospitalet, a highly specialised hospital in Copenhagen, Denmark, to share their expertise and knowledge. The event, held on October 10th, allowed them to discuss the current and new challenges in the sector at national and EU levels.

Vibeke van der Sprong, Deputy Director General of the Danish Health Data Authority (DHDA), opened the event with a welcome address, highlighting the importance of a key sector for the implementation of the EU cybersecurity strategy.

This edition of the event focused on the latest evolution of the threat landscape, with the evolving ransomware attacks and supply chain issues as evidenced by the incidents reported under the NIS directive for the health sector in 2021 - notably, for 14% of these incidents, the root cause related to ransomware.

Experts from Member States were also invited to share how they approached the transition from Covid-19 to the war, and to share insights on major ransomware incidents. The National Cyber Security Centre of Ireland and the Information Security Authority of the Czech Republic (NÚKIB) shared the nature of the attacks they faced, the recovery activities, as well as the impact and aftermath. The critical infrastructures of the healthcare services impacted had already been compromised for two months before ransomware was deployed by the attackers on 14th May 2021. The attack affected hospitals, emergency services, primary care, laboratories, etc. and it took up to the end of September 2021 for all systems to be restored. Recovery actions included the shutting down of all systems and calling for experts to support the response and recovery procedures.

Additionally, a hacking demonstration by the Danish Health Data Authority showed the audience attack vectors that easily exploit human behaviour to access valuable network information and resources. One example was a live demonstration of how the saved WiFi networks on the participants’ phones could be enumerated and exploited to gain further access to the devices and intercept traffic.

Finally, ENISA experts introduced the updates on the EU cybersecurity policy framework, i.e. NIS2 and the Cyber Resilience Act (CRA). Participants discussed the latest developments in cybersecurity policy, such as the provisions of the new Cyber Resilience Act and how these could impact the sector in light of the new requirements of the Act to ensure the cybersecurity of digital products throughout their lifecycle.

ENISA also presented the planned awareness raising activities in support of the health sector, such as the sector-specific awareness raising programmes launched together with the Cyber Europe exercise. The exercise was organised by the Agency and Member States in June 2022 and aimed to test the resilience of healthcare services in Europe.

Further Information

ENISA’s Resources Page for Healthcare

6th eHealth Conference - Online Series

Procurement Guidelines for Cybersecurity in Hospitals

ICT Security Certification Opportunities in the Healthcare Sector

Cybersecurity and Resilience for Smart Hospitals

Cyber Resilience Act

Contact

For press questions and interviews, please contact press (at) enisa.europa.eu