CLOUD SECURITY FOR HEALTHCARE SERVICES
(ENISA REPORT)

In the current period of digitalization, the healthcare sector is continuously adopting new technology to improve patient care, to offer new services focused on patient-at-home care, and to reach operational excellence. However, the use of new technology opens up new challenges regarding data protection and cybersecurity, especially in healthcare, which has proven to be one of the sectors most vulnerable to cyberattacks.

Cloud technology in healthcare can help increase operational efficiency, cut IT costs and improve cybersecurity and data protection. The COVID-19 pandemic has accelerated the adoption of cloud-based technology and artificial intelligence in the healthcare sector, which has raised security and data protection concerns.

ENISA conducted a study to help establish Cloud security practices for the healthcare industry and to identify the security aspects, including relevant data protection aspects, to be taken into account when adopting Cloud services for healthcare. The study examined three of the most prominent use cases and, from them, identified 17 security and data protection measures relevant to ensuring Cloud security in healthcare.

The study provides an overview of Cloud services used in healthcare, the cybersecurity and data protection considerations for the use of Cloud in this sector, and a threat taxonomy based on the ENISA procurement guide. Finally, it concludes by listing measures for ensuring Cloud security for healthcare services, including additional data protection considerations. (ENISA, Cloud Security for Healthcare Services)


Healthcare and Cloud

Legislation is important in defining cybersecurity requirements and identifying cybersecurity and data protection related measures. In healthcare, the policy landscape at national and European level is still at an early stage of development. There are few Cloud-related guidelines specific to the healthcare sector, largely because, where Cloud security guidance is in place, it applies to all critical sectors rather than to healthcare alone.

The ENISA study shows that dedicated legislation exists for healthcare activities (not necessarily covering cybersecurity) and that in several cases cybersecurity guidelines for Cloud computing have been adopted, but there is no legislation specific to healthcare and Cloud. Thus, identifying the requirements deriving from national or European legislation is crucial when procuring Cloud services. Some healthcare services, electronic health records for instance, are covered by a separate law entailing security and data protection requirements.

The illustration below depicts the legislative situation regarding Cloud security and healthcare. From a legal requirements perspective, the following four topic-related dimensions were examined: privacy, cybersecurity, Cloud security, and healthcare.

Figure 1. Legislation related to Cloud Security and Healthcare

In the healthcare sector, different Cloud solutions can be used for different healthcare services. The report provides a non-exhaustive overview of the currently identified Cloud solutions for healthcare systems. These solutions may come in different cloud service types (e.g. SaaS, PaaS) or cloud deployment models. Figure 2 below illustrates these Cloud solutions for healthcare systems.

Figure 2. Cloud solutions for healthcare systems

The Cloud Security challenges that have been identified for the healthcare sector are:


The Data Protection challenges in the cloud are:


Finally, all Cybersecurity threats identified for healthcare are presented in Figure 3 below.

Figure 3. Cybersecurity threats for healthcare

The three use cases used in the study are Electronic Health Record, Remote Care and Medical Devices. The factors considered for the risk impact assessment of all use cases were Confidentiality, Integrity and Availability. The study also assessed each use case for cybersecurity risk likelihood and provides a list of possible threats associated with each case.

The study concludes by providing a list of 17 cloud security measures, the corresponding responsibility (which depends on the chosen service and deployment model), and how each security measure may satisfy a potential data protection requirement.

The full list of the proposed Security Measures (SM) is provided below in Table 1.

Table 1. Proposed Security Measures

Doubtless the ENISA report is a valuable source of information and can greatly contribute to improving the security of cloud services in the healthcare sector.