The NIS2 directive (Network and Information Systems Directive 2) places increased demands on hospitals, which, as healthcare providers, fall within its scope and must raise their IT security to a higher level. The aim of the directive is to improve the protection of critical infrastructure against cyberattacks and IT failures. To meet the NIS2 requirements, hospitals must implement a set of baseline measures that address the different layers of IT security.
One problem area under the NIS2 directive is the pace of technical change and the integration of new systems. This dynamic makes it hard to maintain security standards, because every new system brings new vulnerabilities with it. Innovative technologies also require continuous adaptation, which ties up considerable cybersecurity resources and demands regular updates to keep pace with the growing threat landscape.
An essential measure is the implementation of comprehensive risk management. Hospitals must analyze all relevant IT systems and networks for vulnerabilities and take appropriate measures to reduce the identified risks. This includes, for example, regular penetration tests to identify security gaps at an early stage. A central element is network segmentation, which contains the spread of malware and better protects critical systems such as medical devices and patient data stores from the office network.
In addition, introducing security information and event management (SIEM) is essential in order to monitor suspicious activity in near real time and respond immediately to potential threats. This goes hand in hand with building an incident response plan. In the event of a security incident, such as a ransomware attack, clear instructions must be in place. The response plan covers, among other things, the isolation of affected systems, the initiation of forensic measures and communication with affected parties and the competent authorities. NIS2 also sets reporting deadlines for significant incidents: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month, so the plan must name who reports what, and when.
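The kind of detection logic a SIEM would run for the ransomware scenario described above, as an added example that is not part of the original article: a sliding-window rule that flags a host renaming many files to an extension outside the clinical allowlist, and attaches the first containment steps of the response plan to the alert. The audit-log line format, the allowlist of extensions and the sample events are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical file-server audit line: "<ISO timestamp> <host> <user> <action> <path>" (assumed format).
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(WRITE|RENAME|DELETE)\s+(\S+)$")

# Assumed allowlist of extensions routinely produced by clinical and office workflows.
KNOWN_EXT = {"docx", "xlsx", "pdf", "dcm", "hl7", "txt", "jpg", "png", "csv"}

# Constructed sample events, not logs from a real hospital. Host ward3-pc07 renames six
# patient files to a new ".locked" extension within seconds; the other hosts are benign.
SAMPLE_LOG = """\
2024-05-03T08:00:01 ward3-pc07 nurse_km WRITE /srv/patients/4471/report.docx
2024-05-03T08:00:03 ward3-pc07 nurse_km RENAME /srv/patients/4471/report.docx.locked
2024-05-03T08:00:04 ward3-pc07 nurse_km RENAME /srv/patients/4471/labs.pdf.locked
2024-05-03T08:00:04 ward3-pc07 nurse_km RENAME /srv/patients/4472/report.docx.locked
2024-05-03T08:00:05 ward3-pc07 nurse_km RENAME /srv/patients/4472/xray.dcm.locked
2024-05-03T08:00:06 ward3-pc07 nurse_km RENAME /srv/patients/4473/report.docx.locked
2024-05-03T08:00:07 ward3-pc07 nurse_km RENAME /srv/patients/4473/labs.pdf.locked
2024-05-03T08:00:10 radiology-ws02 dr_ab RENAME /srv/radiology/study123.pdf
2024-05-03T08:05:00 admin-pc01 it_ops RENAME /srv/it/backup1.bak
2024-05-03T08:05:01 admin-pc01 it_ops RENAME /srv/it/backup2.bak
this line is not a valid audit record
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, action, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "action": action, "path": path}


def parse_log(text):
    """Parse all lines, silently skipping records that do not match the format."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def extension(path):
    """Last extension of the file name, lower-cased ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(events, window_s=60, threshold=5):
    """Alert once per host when `threshold` or more RENAME events to an extension
    outside KNOWN_EXT fall within a sliding window of `window_s` seconds."""
    windows = defaultdict(deque)  # host -> timestamps of suspicious renames inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "RENAME":
            continue
        ext = extension(ev["path"])
        if ext in KNOWN_EXT:
            continue
        q = windows[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "extension": ext,
                "events_in_window": len(q),
                "window_start": q[0].isoformat(),
                "window_end": ev["ts"].isoformat(),
                # First containment steps from the response plan described in the text.
                "response": "isolate host from its network segment; preserve volatile "
                            "evidence for forensics; notify the incident response lead",
            })
    return alerts


def run_detection():
    """Run the rule over the constructed sample log and return the alerts."""
    return detect_mass_rename(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The rule deliberately ignores the host that renames two `.bak` files and the one that renames a single PDF: the point of the window and threshold is to separate a burst of encryption-style renames from routine file handling, so that the alert that reaches the on-call team is one worth isolating a host for.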
The human factor is particularly challenging. Hospitals must train their employees regularly to raise awareness of phishing attacks and other cyber threats, because a lack of IT knowledge in everyday clinical practice quickly becomes a weak point.
A related problem area is the heterogeneous IT landscape that many hospitals have accumulated over the years. Harmonizing these different systems, including legacy medical devices that cannot be patched, without creating new vulnerabilities is a significant challenge.
Violations of the NIS2 directive can result in significant penalties. Essential entities that ignore the cybersecurity requirements risk fines of up to 10 million euros or 2% of their total worldwide annual turnover, whichever is higher. In addition, the supervisory authorities may impose further sanctions, such as temporarily suspending certifications or authorizations relevant to the services concerned, and in serious cases management bodies can be held personally liable.
In summary, compliance with the NIS2 directive requires hospitals to take a coordinated approach at a technical, organizational and personnel level. This is the only way to achieve a sufficient level of security and maintain it in the long term.
Author: Wolf-Dietrich Lorenz
Photo: Adobe Stock / ludariimago