Hospitals must notify their patients of any cybersecurity incidents

The European Data Protection Board (EDPB) has ruled that organizations that fall victim to ransomware infections should notify users and employees, regardless of whether the attack leads to the theft of confidential information, and especially in the case of hospitals. At the moment this is only a proposal, but that could change in the immediate future. The EDPB is the body that coordinates the application of the European Union General Data Protection Regulation (GDPR).

The EDPB has decided that hospitals will have to notify their patients and staff in the event of a ransomware infection or any other cybersecurity incident: “We understand that it is necessary to provide information to those patients and staff in general who may become cyberattack targets.” As you may remember, a ransomware attack consists of infecting a device with encryption malware that blocks access to information until a ransom, usually demanded in cryptocurrency, is paid.


In this way, European data protection authorities seek to oblige companies to keep information about any security risks up to date. Cybersecurity experts say that while these practices have improved since the GDPR came into force, many organizations remain reluctant to submit information security reports to the relevant supervisory bodies.

The authorities continue to look for ways to prevent data leaks and improve user service: “Health institution managers should inform their patients of any service failure or delay in medical treatments,” says the EDPB draft.

Patients affected by hospital system flaws

These are not improvised measures. For more than a year the Board has collected information on a number of cases justifying the possible implementation of these measures; the most serious of these occurred in Germany, where the failure of a hospital’s systems following a ransomware attack led to the death of a female patient who needed critical surgery.

Laura Prats, a cybersecurity specialist at a Spanish risk management firm, believes that the process of adapting to these standards can be complicated, but that this is a necessary measure: “We will continue to adapt to new cyber threats to minimize harm to users of health services,” she says.

The healthcare sector has become one of the main targets of cyberattacks, as these organizations store highly sensitive information and their IT systems must be safeguarded at all costs, especially in the context of the pandemic.