The European Agency for cybersecurity, ENISA, has published guidelines aimed at helping healthcare organisations securely adopt cloud services and prepare for cybersecurity challenges.

The January 2021 report, Securing Cloud Services for Health, builds on ENISA's procurement guidelines for cybersecurity in hospitals (2020) by assessing the cyber risks of cloud services and highlighting best practices for their secure integration into the European healthcare sector. The report is linked to the EC's 2021 focus on the European Health Data Space initiative to promote the safe exchange of patients’ data and access to health data.

The COVID-19 pandemic brought into sharp focus the need for efficient and secure digital healthcare services. Cloud-based solutions enable flexible and rapid deployment of the electronic storage of data and communications like telemedicine. However, several barriers are standing in the way of adoption in healthcare, including:

  • The complexity of legal systems.
  • The complexity of new technologies.
  • Concerns over the security of sensitive patient data. 


The security guidelines zoom in on these very concerns with a view to further digitising healthcare services with cloud services, which are used for:

  • Electronic Health Records (EHR): Systems focusing on the collection, storage, management and transmission of health data, such as patient information and medical exam results.
  • Remote care: The subset of telemedicine supporting remote patient-doctor consultation. 
  • Medical devices: Cloud services supporting the operation of medical devices such as making medical device data available to different stakeholders or for device monitoring.


For each one, the report highlights key factors that healthcare organisations need to take on board when conducting risk assessments, e.g. in terms of risk to sensitive patient data or the availability of a medical service.

However, the guidelines are intended only as a first step for healthcare providers making a secure shift to the cloud. On top of these, the sector needs support from established industry standards on cloud security, specific direction from national and EU authorities, and further guidelines from Data Protection Authorities on transferring healthcare data to the cloud.

The report also proposes a set of security measures for healthcare organisations to implement when planning their move to cloud services, e.g. processes for incident management, data encryption requirements, data portability and interoperability. 

The measures are proposed in the light of the draft candidate EU Cybersecurity Certification Scheme on Cloud Services (EUCS), which is part of the larger certification framework aimed at enhancing trust in ICT products, services and processes across Europe, to ensure compatibility and requirements mapping.

Lookout Watch Entry Date: 24.02.2021
