
Implications of GDPR and NIS2 for Cyber Threat Intelligence Exchange in Hospitals

Rajamäki, Jyri; Jarzemski, Dominik; Kucera, Jiri; Nyman, Ville; Pura, Ilmari; Virtanen, Jarno; Herlevi, Minna; Karlsson, Laura (2024)

 
World Scientific and Engineering Academy and Society (WSEAS)
2024
doi:10.37394/23205.2024.23.1
The permanent address of the publication is
https://urn.fi/URN:NBN:fi-fe2024040214248
Abstract
The DYNAMO Horizon Europe Project aims to support critical sector (healthcare, energy production, marine transport) stakeholders in enhancing resilience and minimizing the effects of cyber-attacks. DYNAMO's objective is to use artificial intelligence to integrate cyber threat intelligence (CTI) and business continuity management (BCM) to support decision-making. The goal is joint preparation for EU cyber threats, necessitating timely global situational awareness and effective communication to address threats before they escalate. This paper focuses on the intelligence sharing and trust needs of the DYNAMO use cases while also meeting regulatory requirements. Analyzing DYNAMO’s internal materials and aligning them with authorities' requirements, particularly NIS2 and GDPR, reveals that healthcare organizations need to prepare for more effective data protection, incident response, and cyber-attack mitigation. While NIS2 doesn't specify technical requirements for healthcare, it offers a broader framework for organizations to make informed decisions about equipment suppliers and security applications. After the general review, this study examines a specific healthcare use case: a hospital infected by phishing, emphasizing that CTI exchanges may contain sensitive data falling under GDPR and NIS2 regulations. This includes technical details, health-related information, patient data, insurance details, and employee information. Concerning the AI-based approaches used, DYNAMO must handle this CTI exchange in compliance with the law. The case study compares the DYNAMO project's CTI exchange use case with GDPR and NIS2 requirements, highlighting challenges such as the difficulty in separating sensitive data under GDPR and differences in language and terms between the two regulations. Despite these challenges, the study discusses the impact of GDPR and NIS2 on CTI exchange in the healthcare sector, providing key implementation points and guidelines.