Training, European Health Data Space (EHDS)

Training program 1

Preparing for the European Health Data Space (EHDS), for EU and non-EU healthcare providers (tailored-made training).

Note: This program will be offered 3 months after the announcement of the final text of the European Health Data Space (EHDS).

Possible modules of the tailor-made training program.

- Reasons, and objectives of the European Health Data Space (EHDS).

- The problems with the uneven implementation and interpretation of the GDPR Regulation, and the considerable legal uncertainties, resulting in barriers to secondary use of electronic health data.

- The EHDS as a domain-specific common European data space.

- Health-specific challenges to electronic health data access and sharing.

- The EHDS as part of the European Health Union.

- How the EHDS complements the Data Governance Act (that lays down conditions for secondary use of public sector data), and the Data Act (that enhances portability of certain user-generated data, that include health data), and provides more specific rules for the health sector.

- How the EHDS interacts with the NIS 2 Directive, that improves cybersecurity risk management and introduces reporting obligations across sectors such as energy, transport, health and digital infrastructure.

- Subject matter, scope and definitions of the EHDS regulation.

- The additional rights and mechanisms designed to complement the natural person’s rights provided under the GDPR in relation to their electronic health data.

- The obligations of health professionals in relation to electronic health data.

- The need for each Member State to have a digital health authority, responsible for monitoring the EHDS rights and mechanisms.

- The new common infrastructure "MyHealth@EU", that facilitates cross-border exchange of electronic health data.

- The mandatory self-certification scheme for EHR systems, and compliance with interoperability and security requirements.

- Compatibility of electronic health records for easy transmission of electronic health data between systems.

- The obligations of each economic operator of EHR systems.

- The labelling of wellness applications, interoperable with EHR systems.

- The EU database where certified EHR systems and labelled wellness applications will be registered.

- The secondary use of electronic health data, for research, innovation, policy making, patient safety or regulatory activities.

- Data types that can be used for defined purposes. Prohibited purposes.

- The implementation of "data altruism" in health.

- Duties and obligations of the health data access body, the data holders and the data users.

- Responsibilities for the health data access bodies and data users as joint controllers of the processed electronic health data.

- The secondary use of electronic health data, the costs, and the transparency of fees calculation.

- The secure processing environment, required to access and process electronic health data.

- The conditions and the information needed in the data request form for obtaining access to electronic health data.

- Conditions attached to the issuance of the data permit.

- Setting up and fostering cross-border access to electronic health data, so that a data user in one Member State can have access to electronic health data for secondary use from other Member States, without having to request a data permit from all these Member States.

- The cross-border infrastructure.

- The international access to non-personal data in the EHDS.

- The ‘European Health Data Space Board’ (EHDS Board) that facilitates the cooperation between digital health authorities and health data access bodies.

- The composition of the EHDS Board, and how it is organised and functioning.

- Joint controllership groups, tasked with taking decisions related to the cross-border digital infrastructure necessary, both for primary and secondary use of electronic health data.

- The European Health Data Space (EHDS) for non-EU healthcare providers.

- The other EU directives and regulations that affect healthcare providers.

- Closing remarks.

Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU healthcare providers, tailored to their needs. We also offer 4 hours to one day training for risk and compliance teams, responsible for the European Health Data Space (EHDS) and the other EU directives and regulations that affect the healthcare industry.

Instructor.

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf

Training program 2.

Cybersecurity training for the healthcare industry.

Overview

In 2020, hospitals, healthcare providers and medical facilities were struggling to handle not only the influx of patients suffering from Covid-19, but also a surge of ransomware attacks, as criminals (including state-sponsored groups) exploited the crisis to hit the sector.

Month after month, there are many successful cyberattacks on the healthcare industry. Cybersecurity breaches that expose sensitive data from thousands of people are especially important, as the privacy rules have become a nightmare for healthcare providers.

Social engineering, malware attacks, computer theft, unauthorized access to sensitive information (medical history, treatment of patients etc.) and ransomware, are only some of the challenges. WannaCry ransomware, for example, crippled parts of the U.K.’s National Health Service for many days.

After a successful attack, the damage to brand reputation of the healthcare provider is very important.

Healthcare providers must have sufficient defense mechanisms in place, and must be able to provide evidence about that. Cybersecurity awareness and training for healthcare practitioners, doctors and personnel is an important step, as even the best systems cannot protect the industry, when the persons having authorized access do not understand the risks and the modus operandi of the attackers.

Cybersecurity was not historically a major component of healthcare management. Month after month the industry is evolving into an increasingly digital environment, and in today’s threat landscape, healthcare organizations have cybersecurity professionals on staff, establish security policies and procedures, follow corporate governance best practices, ensure C-suite support and board involvement in understanding risks and countermeasures, and train all persons that have access to sensitive data.

A very significant priority is to ensure that each user who has access to sensitive data is well-trained and able to use data efficiently for the appropriate purpose. Cybersecurity leads to inconvenience by design. Only when users understand the risks and the need for countermeasures, they do not cut corners and they follow the policies and the procedures.

We always tailor our training programs to meet specific requirements. You may contact us to discuss your needs.

Target Audience

The program is beneficial to all persons working for the healthcare industry (medical care, administration, research, sales, and consulting). It has been designed for doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.

Duration

One hour to one day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.

Instructor

Modules of the tailor-made training

Introduction.

- Important developments in the healthcare industry after the new privacy regulations, including the General Data Protection Regulation (GDPR).

- Understanding the challenges.

An overview of some of the attacks described below, that are suitable for the objectives of the training. At the end of the presentation we will cover one or more of these attacks in depth.

- March 2016, 21st Century Oncology reveals that 2.2 million patients’ personal information may have been stolen, including patient names, Social Security numbers, doctor names, diagnosis and treatment information, and insurance information.

- September 2020, a ransomware attack to Universal Health Systems caused affected hospitals to revert to manual backups, divert ambulances, and reschedule surgeries.

- May 2022, hackers targeted Greenland’s healthcare system, causing networks to crash throughout the island, affecting health services.

- January 2022, a hacking group breached several German pharma and tech firms. According to the German government, it was primarily an attempt to steal intellectual property.

- January 2022, hackers breached systems belonging to the International Committee of the Red Cross, gaining access to data on more than 500,000 people and disrupting their services around the world.

- March 2021, intelligence services targeted the European Medicines Agency, stealing documents relating to COVID-19 vaccines and medicines.

- December 2020, hackers accessed data related to the COVID-19 vaccine being developed by Pfizer during an attack on the European Medicines Agency.

- February 2021, attempts to break into the computer systems of Pfizer to gain information about vaccines and treatments for the COVID-19.

- November 2020, hackers targeted COVID-19 vaccine developer AstraZeneca by posing as recruiters and sending the company’s employees fake job offers that included malware.

- May 2018, atatckers used Facebook Messenger to distribute spyware to targets in the Middle East, Afghanistan, and India in an attempt to compromise government officials, medical professionals, and others.

- April 2019, pharmaceutical company Bayer announced it had prevented an attack targeting sensitive intellectual property.

- How could all these attacks succeed? Can we prevent challenges like the above?

Who is the “attacker”?

- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.

- Hacktivists and the healthcare industry.

- Professional criminals and information warriors.

- Cyber attacks against doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.

How do the adversaries plan and execute the attack?

- Step 1 – Collecting information about persons and systems.

- Step 2 – Identifying possible targets and victims.

- Step 3 – Evaluation, recruitment, and testing.

- Step 4 - Privilege escalation.

- Step 5 – Identifying important clients and VIPs.

- Step 6 – Critical infrastructure.

Employees and their weaknesses and vulnerabilities.

- Employee collusion with external parties.

- Blackmailing employees: The art and the science.

- Romance fraudsters and webcam blackmail: Which is the risk for the healthcare industry?

What do we need? How can it be exploited?

- a. Speed and convenience.

It is difficult to balance speed, convenience, and security.

- b. Effective and efficient web site, medical computers and systems, mobile tracking, and monitoring of health devices.

Examples of challenges and risks.

- c. Great customer service.

Example - how it can be exploited.

- d. A nice facility and great housekeeping.

Example - “The cleaning staff’s hack”.

- e. Food, drinks, and entertainment.

Point-of-sale (POS) fraud and challenges.

Credit card cloning.

- f. Internet access.

Honeypots, rogue access points, man-in-the middle attack.

- g. Security.

Unauthorized access is a major problem, and social engineering is a great tool for attackers.

- h. Privacy.

The healthcare industry is considered one of the most vulnerable to data threats.

- i. Money (if they can sue the health provider for negligence).

What must be protected?

- Best practices for managers, employees, doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.

- What to do, what to avoid.

- From client satisfaction vs. cyber security, to client satisfaction as the result of cyber security.

Malware.

- Trojan Horses and free programs, games, and utilities.

- Ransomware.

Social Engineering.

- Reverse Social Engineering.

- Common social engineering techniques

- 1. Pretexting.

- 2. Baiting.

- 3. Something for something.

- 4. Tailgating.

Phishing attacks.

- Spear-phishing.

- Clone phishing.

- Whaling – phishing for executives.

- Smishing and Vishing Attacks.

Cyber Hygiene.

- The online analogue of personal hygiene.

- Personal devices.

- Untrusted storage devices.

Case studies.

We will discuss the mistakes and the consequences in one or more of the following case studies:

- March 2016, 21st Century Oncology attack.

- September 2020, Universal Health Systems attack.

- May 2022, Greenland’s healthcare system attack.

- January 2022, German pharma and tech firms attack.

- January 2022, International Committee of the Red Cross attack.

- March 2021, European Medicines Agency.

- December 2020, COVID-19 vaccine being developed by Pfizer during an attack on the European Medicines Agency.

- February 2021, attempts to break into the computer systems of Pfizer to gain information about vaccines and treatments for the COVID-19.

- November 2020, hackers targeted AstraZeneca by posing as recruiters.

- May 2018, Facebook Messenger to distribute spyware to medical professionals.

- April 2019, Bayer announced it had prevented an attack targeting sensitive intellectual property.

- What has happened? Why has it happened? Which were the consequences? How could it be avoided? What can we learn from that?

Closing remarks and questions.

Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer 4 hours to one day training for risk and compliance teams, responsible for the implementation of the EU directives and regulations.

Instructor.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf

Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html

Contact us

Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60
Email: george.lekatis@cyber-risk-gmbh.com

Web: https://www.cyber-risk-gmbh.com

We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.

Understanding Cybersecurity in the European Union.

1. The NIS 2 Directive

2. The European Cyber Resilience Act

3. The Digital Operational Resilience Act (DORA)

4. The Critical Entities Resilience Directive (CER)

5. The Digital Services Act (DSA)

6. The Digital Markets Act (DMA)

7. The European Health Data Space (EHDS)

8. The European Chips Act

9. The European Data Act

10. The European Data Governance Act (DGA)

11. The EU Cyber Solidarity Act