On January 18, 2021, the European Union Agency for Cybersecurity (ENISA) published its Cloud Security for Healthcare Services report, which provides cybersecurity guidelines to healthcare organisations and discusses relevant data protection considerations and cybersecurity risks when using cloud services. The report builds on the previous procurement guidelines for cybersecurity in hospitals and comes at a time when the European Commission is progressing its European Health Data Space initiative to promote the safe exchange of patients' data and access to health data.


With the growth of digitalisation come new solutions, which are particularly attractive to a healthcare industry that seeks to improve overall patient care and achieve operational excellence in its organisations. The COVID-19 pandemic has further highlighted the need for efficient and secure healthcare services, especially in relation to telemedicine for patient-doctor consultations. Cloud services, which allow for the storage of data and electronic communications, are an effective way to achieve this by increasing operational effectiveness, cutting IT costs and improving cybersecurity.

Despite these benefits, cloud integration in the healthcare industry in the European Union is still in its early stages. The report mentions that the healthcare sector has been slow to adopt these systems, which can be attributed to factors such as the complexity of such systems, lack of expertise and concerns over sensitive data security.

Content of the report

The report starts by outlining the various laws governing cloud security, such as the Network and Information Security Directive (NISD) and the General Data Protection Regulation, as well as other non-regulatory guidelines. It goes on to discuss the key types of cloud services used in the healthcare sector, for example, platform as a service. It then finishes with a set of cybersecurity challenges faced by the healthcare sector and how these can be overcome, and uses three use cases to illustrate this point.

The three use cases used in the report are:

  1. Electronic Health Records (EHR), which are systems that focus on the collection, storage, management and transmission of health data such as patient information and medical exam results;
  2. Remote care, which has been a safe way to provide care and advice during the COVID-19 pandemic; and
  3. Medical devices, whereby the medical device’s data can be made available to different stakeholders such as doctors or nurses to enable remote patient monitoring, for example for those who suffer from heart disease or diabetes.

When discussing these three cases, the report helpfully highlights the main factors and risks to consider when healthcare organisations assess both the cybersecurity risk impact and the risk likelihood. It mentions that healthcare organisations should take into account the impact of a cybersecurity incident such as human errors or system failures on confidentiality, integrity and availability, which would allow them to assign a value to the appropriate risk impact.

The guidelines are a first step towards allowing healthcare providers to adapt to the cloud and aim to guide healthcare professionals in preserving the security of data so appropriate measures can be taken. Moreover, the report proposes a set of 17 security measures for healthcare organisations to implement when using cloud services, such as forming incident management processes and encrypting sensitive data at rest and in transit. The report also discusses these measures in detail for each of the three aforementioned use cases.

Concluding remarks

While the report advises healthcare organisations on how best to operate cloud services, it also highlights that more needs to be done to make the process of implementing a cloud solution easier. ENISA calls for additional support for the healthcare sector in the form of specific guidance from EU and national authorities, industry standards on cloud security in the healthcare sector and clearer guidelines from data protection authorities, so that the use of cloud services is made easier.

ENISA will continue to focus on the cybersecurity of Europe’s healthcare sector by publishing guidance and collaborating with policy makers, especially given the European Union’s efforts to become more cyber secure for providers, users and patients in the healthcare industry.