In recent years, and for multiple reasons, cyber-attacks against healthcare providers have increased significantly on a global level. First, the IT platforms and devices used by healthcare providers are technically diverse, while the resources devoted to an integrated cybersecurity system for these platforms are often limited, making the IT systems vulnerable and ideal targets for potential cyber-attacks. Second, health data qualifies as “highly sensitive data,” which is considered very valuable on the black market compared to other types of personal data.
Cyber-attacks against healthcare providers can cause significant damage, not only to the individuals and institutions concerned, but also on a social level, particularly because cyber-attacks against healthcare institutions can often result in a partial or complete disruption of patient care. Furthermore, cyber incidents can also cause substantial reputational damage to the institutions involved.
Such problems have been observed in numerous cyber-attacks, such as the WannaCry ransomware attack against the UK’s National Health System in 2017, which affected numerous hospitals and other NHS bodies. Nor has Hungary been immune from cyber incidents affecting the healthcare sector. According to the National Cyber Defense Institute in Hungary (NKI), the number of cyber-attacks against Hungarian healthcare institutions and hospitals increased significantly in 2019. The NKI points to phishing and ransomware attacks as the main threats in this sector.
In the European Union, healthcare providers, such as hospitals and private clinics, are obliged to comply with both: (i) the local cybersecurity-related legal framework implementing the NIS Directive (Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union); and (ii) the GDPR (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
In addition, in Hungary, under the country’s cybersecurity regime, certain healthcare providers must, among other requirements: (i) maintain an adequate level of protection of their electronic information systems; (ii) establish an operator security plan; (iii) appoint a liaison officer; and (iv) report cyber incidents to the NKI.
Under Hungarian law, cyber incidents include any loss of or damage to the confidentiality, integrity, authenticity, functionality, or availability of information recorded and stored in an electronic information system. In the event of a cyber incident, the affected healthcare providers are obliged to notify the NKI without delay. Following notification, the NKI contacts and cooperates with the relevant organizations, service providers, and authorities to address the cyber incident. Failure to comply with specific cybersecurity-related obligations could lead to a fine of up to HUF 5 million (approximately USD 16,700).
In addition to these cyber security requirements, the GDPR requires healthcare providers to notify the National Authority for Data Protection and Freedom of Information (the NAIH) of any privacy incident without undue delay, if possible within 72 hours after identifying the privacy incident, in addition to other related obligations.
Should the healthcare provider fail to comply with the requirements set out by the GDPR in relation to the management of data breaches, e.g., by failing to notify the NAIH of a cyber incident concerning personal data, the NAIH can impose an administrative fine of up to 4% of the annual global turnover of the company group or EUR 20 million, whichever is higher. In addition, the competent authority may prohibit the breaching healthcare provider from continuing the non-compliant data processing activity, which could pose a significant risk to business continuity if the healthcare provider heavily relies on processing personal data as part of its business model.
In addition, a number of criminal offenses have been introduced into Act C of 2012 on the Criminal Code (including information systems fraud, information system or data violation, circumvention of technical information system protection, misuse of personal data, etc.) in order to protect personal data and sensitive health-related data by threatening perpetrators with criminal prosecution.
In practice, cyber incidents raise numerous complex issues involving cybersecurity, data protection, and criminal law. We are of the view that although cyber-attacks cannot be fully prevented, preparation for such cyber-attacks is critical, especially in light of the NHS’ Lessons learned review of the WannaCry Ransomware Cyber Attack (February 2018), according to which “[…] in the judgement of most industry experts, it is not a question of ‘if’ but ‘when’ the next cyber-attack strikes the health and social care system.”
By Akos Nagy, Partner, Eszter Takacsi-Nagy, Special Counsel, Zsombor Orban, Managing Associate, and Bianka Pandur, Junior Associate, Kinstellar