ENISA’s Recommendations on Protecting eHealth Information


The European Union Agency for Network and Information Security (ENISA) recently announced that planning has begun for European Cybersecurity Month 2016. Wasting no time, the very next day the agency issued recommendations on protecting eHealth information.

This is the fourth year that ENISA has launched cybersecurity month, typically in October, and 2015 saw 32 countries participate.

During the month, ENISA promotes cybersecurity for EU citizens by hosting a variety of events.

Following this year’s cybersecurity month, ENISA concluded that there is substantial and growing interest among EU Member States and partner countries in working together on cybersecurity education, and the European Commission and other EU bodies, such as the European Economic and Social Committee, continue to involve themselves in cybersecurity education efforts.

In this spirit of member-state cooperation, ENISA’s health care study looked at the approaches taken by the states to protect their health-care systems. The governance models used for eHealth services—be they centralized, decentralized or cross-border—can vary widely.

The study seeks to provide guidelines for an industry that most states consider to be a critical sector. ENISA’s recommendations focus, in particular, on electronic health records; national eHealth services, such as ePrescription; and cloud services that support eHealth systems.

Specifically, the report recommends that:


  • Member state data protection authorities identify critical eHealth assets and conduct risk assessments with the aim of mitigating risks; 
  • Impact/cost-benefit analyses on cybersecurity incidents be conducted to increase investment in security for eHealth systems;
  • Policy makers introduce baseline cybersecurity guidelines for eHealth infrastructure and services;
  • eHealth operators, with public sector actors, set up an information-sharing mechanism to exchange best practices and expertise on threats and vulnerabilities; and
  • Member states introduce clear cybersecurity guidelines to protect eHealth infrastructure and services.

It seems clear that the more ENISA’s cybersecurity month does to increase awareness through education, the better equipped the states will be for sharing and cooperating to ensure the security of eHealth systems.
