Cybersecurity in healthcare = Mission Impossible
The European Parliament is preparing to issue an NIS 2 directive, which according to all known information will significantly expand the range of entities that will be actively affected by cyber security regulation. To put it very simply, almost every healthcare facility with more than 50 employees will have to comply with this legislation (of course, national harmonization legislation will be issued, but it is unlikely to mitigate this criterion). Will these "small" facilities really be able to meet the requirements of the legislation, not only formally, but practically implement elements of cyber security? From the way the current 46 obligatory hospital entities deal with the implementation, it is clear that the implementation in other (smaller) medical facilities is basically "mission: impossible". In the following article, we will discuss the biggest obstacles that currently prevent the smooth implementation of cyber security.
There is no clear definition of cyber security, but for our purposes we will stick to the definition from the Cyber Security Glossary available on the NUKIB website, which states that cyber security is collection of legal, organizational, technological and educational means aimed at providing protection of cyberspace.
If you ask (not only) hospital top managers about cyber security, they will almost certainly tell you that it is hot topic for them and the hospital invests a lot of money into it. But is it really so? Can cyber security be bought? Is it possible to successfully implement cyber security in the conditions of the Czech healthcare system? What are the most common and biggest obstacles in KB implementation? Are there any show stoppers? We will try to answer this in the following article.
If we ask the mentioned managers another question, what are the biggest obstacles for the implementation of cyber security law in their facility, they will certainly tell a lack of money and a lack of people. I would add a third obstacle - little managerial support, or in another words the misunderstanding or unwillingness of top managers to change the organization's years of established practices - because that's exactly what makes security (not just cyber) security – changing and managing processes!
Tomáš Iránek
is IT manager with more than 20 years of experiences in commercial sector as well as in hospitals. Lately he was working as CIO in faculty hospital, regional and local district hospital, so he is able to compare IT needs and service levels based on hospital size.