The EU Cybersecurity Directive and Life Sciences Businesses
With the new EU Cybersecurity Directive due to come into force, your Life Science business needs to act now in order to be compliance-ready.
As businesses take advantage of technological advances such as cloud computing, mobile technology and the Internet of Things (IoT), they are at the same time bracing themselves against the increased risk of cybercrime. The threat of cybercrime, cyber espionage and attacks against online infrastructure is a growing global problem, with an annual cost to the global economy estimated to be in excess of $400 billion. Businesses that consider themselves of little interest to cyber criminals are discovering the high cost of their weak security programs. For more than a year now, reports of hackers targeting the pharmaceutical and healthcare sectors have been rife.
EU Cybersecurity Strategy
In response to the international nature of cybercrime, and to bolster confidence in its digital economy, the European Union (EU) has developed a strategy aimed at improving EU cybersecurity by tackling network and information security incidents and risks across the EU.
As part of this strategy, the EU will implement the Network and Information Security Directive (NIS), commonly known as the EU Cybersecurity Directive. The directive sets minimum security standards and incident reporting requirements for critical infrastructure operators in sectors such as energy, health, transport and financial services, as well as for key internet companies and public administrations. The requirements will also apply to a broad range of private sector companies.
Where the security of personal data has been compromised, the EU's new General Data Protection Regulation (GDPR) will apply, which requires the data controller to report a data breach without undue delay and notify data subjects in the event that they could be adversely affected by the breach. The regulation proposes stiff penalties for non-compliance – 5 percent of a firm's annual turnover or €100 million, whichever is greater.
EU Cybersecurity Compliance
By the end of 2017, all EU businesses will have to comply with the new EU cybersecurity legislation. Life Science businesses will need to ensure that they have the capabilities to detect, prevent, analyze and respond to breaches in a timely manner. As a priority for the coming year, your business should set about implementing measures to manage cybersecurity risks to your network infrastructure and establishing reporting mechanisms for those cybersecurity incidents that would have a significant impact on the services you provide.
If, like many businesses in the EU, you find the guidelines on achieving compliance with the new EU cybersecurity legislation confusing, PwC Legal offers the following advice on identifying the critical issues:
"These are principally about the need for good governance structures, risks assessments, the engineering-in of good privacy and security controls and appropriate levels of transparency with consumers and regulators – for instance, about consents and breach disclosure."
EU Cybersecurity for Medical Devices
Even though the EU parliament has proposed to exclude software developers and hardware manufacturers from the scope of its directive, the wider use, among an increasingly aging population, of medical devices that rely on wireless, Internet and network connections, together with the frequent transmission of sensitive medical data from these devices, means that effective cybersecurity to assure functionality and safety is now essential. Both consumers and government procurement bodies will expect your business to demonstrate that it can meet the EU cybersecurity standards set by the new directive.
Advice offered by the European Commission in relation to NIS states:
"Electronic medical devices are found throughout hospitals and clinics, so it is essential that only known, authorised devices are able to connect to their network. Online or electronic patient medical records are increasingly used and it is essential to protect this personal health and financial information from cybercrime."
Expert advice from Axon Lawyers, specialists in EU legal and regulatory issues relating to medical technology, suggests that many medical device manufacturers will need to comply with the EU Cybersecurity Directive:
"…as I have observed many times now, medical devices manufacturers are less and less mere widget pushers these days. As a consequence any medical device manufacturer that operates a service in relation to medical devices would be caught under the NIS directive."
The EU has formulated its Cybersecurity Directive in response to consumer demand for better protection against cybercrime. Therefore your business should treat compliance with the new directive as the basis for the development of a robust and mature cybersecurity program in order to demonstrate your commitment to the quality of your products and services, and the well-being of your customers. Ultimately, your business's reputation depends on it.
Cybercrime is proliferating globally as more businesses adopt the latest digital advances.
The EU Cybersecurity Directive is designed to promote confidence in the EU digital economy by providing a common baseline of shared security standards.
Life Science businesses will fall under the scope of the EU Cybersecurity Directive and will need to comply by the end of 2017.