ENISA publishes Cloud Security for Healthcare Services report

On 18 January 2021, the European Union Agency for Cybersecurity (ENISA) published its Cloud Security for Healthcare Services report, which provides cybersecurity guidelines for healthcare organisations and discusses the data protection considerations and cybersecurity risks that arise when using cloud services. The report builds on ENISA's previous procurement guidelines for cybersecurity in hospitals and comes at a time when the European Commission is progressing its European Health Data Space initiative to promote the safe exchange of, and access to, patients' health data.


With the growth of digitalisation come new solutions that are particularly attractive to the healthcare industry, which seeks to improve overall patient care and achieve operational excellence. The COVID-19 pandemic has further highlighted the need for efficient and secure healthcare services, especially in relation to telemedicine for patient-doctor consultations. Cloud services, which allow for the storage of data and electronic communications, are presented in the report as an effective way to achieve this by increasing operational effectiveness, cutting IT costs and, where properly configured and managed, improving cybersecurity.

Despite these benefits, cloud adoption in the European Union's healthcare industry is still in its early stages. The report notes that the healthcare sector has been slow to take up these systems, which it attributes to factors such as the complexity of such systems, a lack of in-house expertise and concerns over the security of sensitive data.

Content of the report

The report starts by outlining the various laws governing cloud security, such as the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR), as well as other non-regulatory guidelines. It then discusses the key types of cloud services used in the healthcare sector, for example platform as a service (PaaS). It finishes with a set of cybersecurity challenges faced by the healthcare sector and how these can be overcome, using three use cases to illustrate the point.

The three use cases used in the report are:

  1. Electronic Health Records (EHR), which are systems that focus on the collection, storage, management and transmission of health data such as patient information and medical exam results;
  2. Remote care, which has been a safe way to provide care and advice during the COVID-19 pandemic; and
  3. Medical devices, whereby a medical device's data can be made available to different stakeholders such as doctors or nurses to enable remote patient monitoring, for example of patients suffering from heart disease or diabetes.

When discussing these three use cases, the report helpfully highlights the main factors and risks to consider when healthcare organisations assess both the impact and the likelihood of a cybersecurity risk. It notes that healthcare organisations should take into account the effect of a cybersecurity incident, whether caused by human error, a system failure or a malicious act, on the confidentiality, integrity and availability of the data and service concerned, which allows them to assign a value to the corresponding risk impact.

The guidelines are a first step towards enabling healthcare providers to adopt the cloud, and aim to help healthcare professionals preserve the security of data by taking appropriate measures. To that end, the report proposes a set of 17 security measures for healthcare organisations to implement when using cloud services, such as establishing incident management processes and encrypting sensitive data both at rest and in transit. The report also discusses these measures in detail for each of the three aforementioned use cases.

Concluding remarks

While the report assists healthcare organisations in operating cloud services securely, it also highlights that more needs to be done to make implementing a cloud solution easier. ENISA calls for additional support for the healthcare sector in the form of specific guidance from EU and national authorities, industry standards on cloud security in the healthcare sector and clearer guidelines from data protection authorities.

ENISA will continue to focus on the cybersecurity of Europe's healthcare sector by publishing guidance and collaborating with policy makers, in line with the European Union's efforts to make the healthcare industry more cyber secure for providers, users and patients.


New podcast channel, Tech Law Talks, now live!

Reed Smith is proud to announce the launch of its sixth podcast channel, Tech Law Talks. The channel will present in-depth, practical observations on tech and data legal trends that practitioners encounter every day. Tune in for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy and security; data risk management; intellectual property; social media; and more.

First up on the channel is the M365 in 5 Foundation Series, a seven-part series in which Reed Smith lawyers team up with experts from Lighthouse to discuss Microsoft’s Exchange, SharePoint, OneDrive, A/V conferencing, file-sharing, and collaboration platforms. The Reed Smith M365 in 5 series will continue to dive into operational considerations when rolling out M365 tools related to governance, retention, e-discovery and data security. Visit reedsmith.com to learn more about the series.

Tenn. Attorney General Slatery on state and federal consumer privacy in 2021 and beyond

In a recent Q&A with Tennessee Attorney General (AG) Herbert Slatery, who is serving an eight-year term, the AG discusses how he makes consumer protection, including privacy and cybersecurity issues, a top priority for Tennessee citizens and businesses. AG Slatery shares his thoughts on privacy at a multistate level, the prospect of enforcement standards for technology companies, and how states are working with the Federal Trade Commission to address issues concerning data collection and (mis)use in the interim. Lastly, AG Slatery discusses how his office is responding to the new Biden administration and the challenges brought about by COVID-19. Read more in the IAPP Privacy Advisor article here.

Data flows to the UK from the EU won’t hit a dam

The European Commission (EC) published a draft decision on UK adequacy for transfers of personal data from the EU to the UK, which you can read here. The EC conducted an assessment of the UK's data protection framework, comprising the UK GDPR and the Data Protection Act 2018, including the data protection rules applicable to UK law enforcement, national security and surveillance. It concludes that the UK ensures an 'essentially equivalent' level of protection to that within the EU under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), meaning that personal data can flow from the EU to the UK without further safeguards.


Washington State weighs enforcement mechanism for its comprehensive privacy bill

Washington State legislators continue their effort to pass what would be only the second comprehensive privacy law in the U.S., the Washington Privacy Act (WPA). Introduced on January 11, 2021, the WPA is currently making its way through committee hearings. The debate continues, with the Washington State Senate Ways & Means Committee recently holding a public hearing on the enforcement provision proposed in the WPA. Currently, $1.4 million is proposed for the Washington State Attorney General's office to enforce the WPA. Some are calling for an increased budget, others for a private right of action.

Use of biometric technology is latest trend toward a verified internet

Many online platforms are using verification tools to address the broader concern of trustworthiness and credibility on the Internet. With a general move toward a “verified internet,” these online platforms are looking at new verification measures, including facial recognition and other biometric technology. The online adult video platform Pornhub announced last week that it will be introducing biometric technology to verify users who upload videos. In a statement, Pornhub explained that verification will be done by Yoti, a digital identity verification company, “by providing a current photo and government-approved identification document.”

Yoti advertises that it is a "privacy driven" verification solution. The company acts as an intermediary between consumers and platform owners such as Pornhub. Essentially, a consumer provides Yoti with a biometric identifier, such as a video or voice recording, together with their government identification. Yoti then verifies that data on behalf of the platform owner. Pornhub will not see the underlying information, but will rely on Yoti's verification result to allow the consumer to upload to its site.

The ICO offers guidance on personal data transfers to the SEC

On 19 January 2021, the Information Commissioner's Office (ICO) published a letter dated 11 September 2020, available here, explaining that transfers of personal data from UK-based companies to the U.S. Securities and Exchange Commission (SEC) for the purposes of regulatory compliance may be permitted under the General Data Protection Regulation (GDPR).


Firms regulated by the SEC must fulfil requests for documentation made by the SEC and make their books, records or documents available for inspection, to demonstrate compliance with U.S. federal securities laws, rules and regulations. This calls for the production of information, documentation and other records, which may include personal data and special category personal data.


The EDPB and EDPS adopt joint opinions on the new draft SCCs

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) announced their joint opinions on the draft standard contractual clauses (SCCs) published by the European Commission in November 2020. The opinions cover both the SCCs between controllers and processors and the SCCs for the transfer of personal data to third countries. We have previously commented on both sets of drafts here and here.

Controller to processor SCCs

In their joint opinion, the EDPB and the EDPS welcomed the controller to processor SCCs as a single, strong, EU-wide accountability tool that will facilitate compliance with the General Data Protection Regulation (GDPR) and provide much needed legal certainty to controllers and processors. However, the EDPB and EDPS noted that more clarity should be provided as to when the controller to processor SCCs can be relied upon. Further amendments were also identified as necessary, for example to the docking clause, which allows additional entities to accede to the controller to processor SCCs. It was also noted that the Annexes to the SCCs should be amended to clarify the roles and responsibilities of each party as precisely as possible for each processing activity. The EDPB and EDPS consider these additional amendments necessary to ensure harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.

Six advertising law trends and what brands should watch out for in 2021

A Law360 article published last week discusses the top six media and advertising trends expected in 2021. It is no surprise that data privacy and protection issues will likely continue to be a major focus for those operating in the media and advertising sectors. Two major themes identified are the potential for increased Federal Trade Commission (FTC) attention on consumer privacy and behavioral advertising under the new Biden administration, and the considerations for advertisers under the new requirements of the California Privacy Rights Act (CPRA). A full copy of the article is available here.

Amendments to the Electronic Transactions Act offer new opportunities for trade and commodities finance and fintechs in Singapore

On January 4, 2021, the Singapore government introduced a bill into parliament to amend the Electronic Transactions Act (Cap. 88) (ETA). The amendments set out in the Electronic Transactions (Amendment) Bill will be of relevance to the trade and commodities finance and fintech sectors, as their primary objective is to achieve legal recognition and equivalence for transferable documents and instruments, such as bills of lading, bills of exchange and promissory notes, when represented in electronic form.

Our recent client alert summarizes the key proposed changes and outlines some of the potential implications for the trade and commodities finance and fintech sectors.