New Cyber-attack Advice for European Hospitals

The European Data Protection Board has issued new advice to hospitals regarding what action to take in the event of a cyber-attack.

Currently released in draft form, the new set of recommendations urges healthcare providers hit with ransomware to report the attack even if no patient data is accessed or exfiltrated. 

The guidelines state: "The internal documentation of a breach is an obligation independent of the risks pertaining to the breach and must be performed in each and every case." 

A series of attack scenarios is described in the recommendations, along with the appropriate prior measures, risk assessment, mitigation, and obligations for each.

"The fact that a ransomware attack could have taken place is usually a sign of one or more vulnerabilities in the [data] controller's system," state the guidelines.

In example case number three, a hospital suffers a ransomware attack in which data was encrypted but not exfiltrated and backups of the data are available in an electronic form. Such an attack could have a large impact on patients, according to the EDPB. 

"The quantity of breached data and the number of affected data subjects are high, because hospitals usually process large quantities of data," state the guidelines. 

"The unavailability of the data has a high impact on a substantial part of the data subjects. Moreover, there is a residual risk of high severity to the confidentiality of the patient data."

Despite data restoration's being possible in this circumstance, the EDPB said such an a ..