Implications of GDPR and NIS2 for Cyber Threat Intelligence Exchange in Hospitals
Author:
Rajamäki Jyri¹, Jarzemski Dominik¹, Kucera Jiri¹, Nyman Ville¹, Pura Ilmari¹, Virtanen Jarno¹, Herlevi Minna¹, Karlsson Laura¹
Affiliation:
1. Unit W, Laurea University of Applied Sciences, Vanha maantie 9, 02650 Espoo, FINLAND
Abstract
The DYNAMO Horizon Europe Project aims to support critical-sector stakeholders (healthcare, energy production, marine transport) in enhancing resilience and minimizing the effects of cyber-attacks. DYNAMO's objective is to use artificial intelligence to integrate cyber threat intelligence (CTI) and business continuity management (BCM) to support decision-making. The goal is joint preparation for EU cyber threats, which requires timely global situational awareness and effective communication to address threats before they escalate. This paper focuses on the intelligence-sharing and trust needs of the DYNAMO use cases while also meeting regulatory requirements. Analyzing DYNAMO's internal materials and aligning them with authorities' requirements, particularly NIS2 and GDPR, reveals that healthcare organizations need to prepare for more effective data protection, incident response, and cyber-attack mitigation. While NIS2 does not specify technical requirements for healthcare, it offers a broader framework for organizations to make informed decisions about equipment suppliers and security applications. After the general review, this study examines a specific healthcare use case: a hospital infected by phishing, emphasizing that CTI exchanges may contain sensitive data falling under GDPR and NIS2 regulations. This includes technical details, health-related information, patient data, insurance details, and employee information. Given the AI-based approaches used, DYNAMO must handle this CTI exchange in compliance with the law. The case study compares the DYNAMO project's CTI exchange use case with GDPR and NIS2 requirements, highlighting challenges such as the difficulty of separating sensitive data under GDPR and differences in language and terminology between the two regulations. Despite these challenges, the study discusses the impact of GDPR and NIS2 on CTI exchange in the healthcare sector, providing key implementation points and guidelines.
Publisher
World Scientific and Engineering Academy and Society (WSEAS)