Denmark: Cyber and Information Security Strategy 2019-2022
A consistently high level of cyber and information security across the healthcare sector is crucial to ensure that the healthcare service is future-proof. The aim of the Danish strategy 2019-2022 is to further strengthen joint and coordinated efforts towards more resilient and trusted services as the complexity of healthcare systems increases and with it the vulnerabilities to cyber attacks.
The strategy highlights six general vulnerabilities for healthcare systems, underlining that cyber and information security is not only about technology, but about people as well.
- A large staff community. Thousands of employees with very different levels of knowledge and experience of cyber and information security.
- A large and complex IT landscape. IT systems process substantial amounts of sensitive personal data - a complex and extensive task.
- Dependence on joint digital infrastructure. In Denmark, the sector is closely interconnected through the Danish Health Data Network, which is used for exchanging patient data. A lack of confidentiality, integrity and availability concerning the data could have major consequences for the sector and, not least, for citizens.
- Legacy systems and IoT devices. Critical medical equipment may be connected to legacy systems that do not have a sufficient level of security but that cannot be replaced. In addition, more and diverse IoT devices are becoming part of the IT system.
- Large data collections. Large volumes of data about healthcare service activities are stored in patient records, national registries and clinical quality databases. It is critical to maintain the confidentiality, integrity and availability of all this data.
- Heterogeneous sector. Actors within the healthcare sector have varying levels of maturity about cyber and information security, from large, highly specialised hospitals with thousands of employees to small, private medical clinics with fewer employees.
The Strategy is aimed at addressing these challenges through the collective ability to predict, prevent, detect, and respond to cyber and information security incidents. This requires a holistic approach and cross-sectorial coordination, as well as a collectively high level of security across the actors in the sector.
The Strategy is therefore based on continuous analyses and conclusions.
- Analysis of threats + Analysis of vulnerabilities: This has to be a dynamic process that is regularly repeated and updated with an emphasis on development and learning.
- Likelihood x Consequence: The strategy’s initiatives are evaluated and adjusted in order to continually strengthen the Danish healthcare sector against Likelihood x consequence
- Risk Assessment: The strategy is based on a holistic, risk-based approach to ensure that the strategy’s initiatives are implemented where the need and effect are greatest.
PANACEA Research perspectives: The Danish strategy for cybersecurity in healthcare has several similarities to the PANACEA approach, from human-centric, holistic priorities spanning risk governance to threat analysis and response.
Lookout Watch entry date: 07/08/2019