The European Data Protection Board (EDPB) has ruled that organizations that are victims of ransomware infections should notify users and employees, regardless of whether the attack leads to the theft of confidential information, especially at hospitals. At the moment it is only a proposal, but this could change in the immediate future. The EDPB is a body that collaborates to comply with the European Union General Data Protection Regulation (GPDR).
The EDPB has decided that hospitals will have to notify their patients and staff in the event of ransomware infection or any other cybersecurity incident: “We understand that it is necessary to provide information to those patients and staff in general who may become cyberattack targets.” As you may remember, a ransomware attack consists of infection of an affected device with an encryption malware, blocking access to information until a ransom payment, usually cryptocurrency, is fulfilled.
In this way, European data protection authorities seek to force companies to maintain updated information on any security risks. Cybersecurity experts say that while these practices have improved with the enactment of the GDPR, many organizations remain reluctant to submit information security reports to relevant control bodies.
The authorities continue to look for ways to prevent data leaks and improve user service: “Health institution managers should inform their patients of any service failure or delay in medical treatments,” says the EDPB draft.
Patients affected by hospital system flaws
These are not improvised measures. For more than a year the Broad has collected information on a number of cases justifying the possible implementation of these measures; the most serious of these cases occurred in Germany, where the flaws in a hospital’s systems resulting from a ransomware attack led to the death of a female patient that needed a critical surgery.
Laura Prats, a cybersecurity specialist at a Spanish risk management firm, believes that the process of adapting to these standards can be complicated, but that this is a necessary measure: “We will continue to adapt to new cyber threats to minimize harm to users of health services,” she says.
The healthcare sector has become one of the main objectives of cyberattacks, as these organizations store highly sensitive information and their IT systems must be safeguarded at all costs, especially in the context of the pandemic.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.