Experts shared their knowledge
In the era of digitalization and the medical sector’s growing dependence on information technology, the issue of cybersecurity is becoming crucial for the functioning of healthcare facilities. In response to these challenges, a specialized training session on this topic was held on September 30 in Białystok, bringing together representatives of hospitals, medical facilities, and experts from across the country.
Białystok 30.09.2024
The training was an opportunity to listen to lectures by leading experts in the field of cybersecurity and medical law:
- Dr. Paweł Kaźmierczyk gave a presentation entitled “Cybersecurity in healthcare from a lawyer’s perspective.” He discussed current legal regulations, with particular emphasis on the NIS2 directive, and pointed out the obligations of medical facilities in terms of patient data protection. He stressed the importance of complying with GDPR regulations, drawing attention to recent cases of high fines imposed by the Personal Data Protection Office (UODO) on hospitals for violations. He mentioned sanctions of up to PLN 1.4 million, which is a serious warning to all medical entities. Dr. Kaźmierczyk also discussed the practical aspects of minimizing the risk of violations and the procedures that should be implemented in medical facilities.

- Piotr Rybicki MBA MPA, a direct representative of the e-Health Center, presented “An Effective Cybersecurity Strategy in Healthcare.” He emphasized the importance of a comprehensive approach to digital security and provided practical tips on implementing effective strategies in hospitals. As a representative of the e-Health Center, he also discussed the initiatives undertaken by this institution to support medical facilities in the field of cybersecurity. He highlighted the importance of cooperation between medical institutions and state authorities in order to create a coherent and effective system for protecting patient data.

- Piotr Welenc focused on “Formal requirements for accreditation under NIS2.” He explained the process of adapting to the new standards and emphasized their importance for ensuring the continuity of medical facilities. He pointed out that every medical facility that wants to prepare to meet the requirements of the NIS2 directive should conduct an external audit. Such an audit will allow for the identification of weaknesses in the organization, but at the same time will contribute to the identification of potential projects to be implemented under the National Recovery Plan (KPO). He emphasized that an external audit is not only a tool for assessing the current state of security, but also a key element of strategic planning and fundraising for necessary investments. This allows medical facilities to effectively prepare to meet the requirements of NIS2 while optimizing their processes and infrastructure.

- Michał Szczypiński, representative of the Social Insurance Institution (ZUS) and head of the Department of Certificates Issued to Doctors, discussed “Legal aspects of eZLA certificate abuse and GDPR.” He drew attention to the potential risks associated with electronic sick leave certificates (e-ZLA) and ways to minimize threats in the context of personal data protection. He emphasized that abuse in the area of e-ZLA can lead to serious legal and financial consequences for both medical facilities and doctors themselves. Michał Szczypiński also presented practical solutions and procedures that can help prevent unauthorized access to certificates and verify the authenticity of issued documents. He pointed out the importance of regular training of medical personnel in the safe use of IT systems and compliance with personal data protection rules in accordance with the GDPR.

- Dawid Dybuk and Tomasz Sochacki, in their presentation “Cybersecurity in healthcare – new threats and protection strategies,” presented current trends in cybercrime and showcased modern technologies for protecting medical systems. They discussed the latest types of attacks, such as ransomware and phishing targeted at medical facilities, and showed how cybercriminals exploit the pandemic and other crises to increase the effectiveness of their operations. They also presented practical strategies and tools for protecting against these threats, including intrusion detection systems, identity and access management solutions, and the importance of regular updates and staff training. They emphasized that effective defense requires not only technology but also awareness and commitment across the entire organization.

- Adam Pośpiech, Jan Palic, and Piotr Rajski presented a case study entitled “Can the cloud strengthen hospital cybersecurity?” They discussed the benefits of implementing cloud solutions and shared their experiences with their practical implementation. They showed how migration to the cloud can improve data security through the use of advanced protection mechanisms offered by cloud service providers, such as data encryption, multi-level authentication, and continuous security monitoring. They also shared the challenges they faced during the migration process, such as regulatory compliance and integration with existing systems. Their case study showed that a properly planned and executed cloud implementation can bring significant benefits in terms of cybersecurity, flexibility, and operational efficiency for medical facilities.

- Longin Mikołajczyk presented the topic “Implementation of NIS2 technological requirements,” pointing to specific tools and technologies that can help medical facilities meet new legal requirements. He discussed key elements of the NIS2 directive related to technology, such as risk management, business continuity, incident reporting, and supply chain security. He presented technical solutions that can support these areas, including information security management systems (ISMS), network and system monitoring tools, and authentication and access control mechanisms. He also emphasized the importance of working with trusted suppliers and integrators who can help adapt IT infrastructure to NIS2 requirements. He highlighted the need to regularly assess and update the technologies used to keep pace with the rapidly changing threat landscape.

- Michał P. Dybowski discussed the possibilities of financing digital projects in healthcare, presenting “Funds from the National Reconstruction Plan for digital projects.” He referred to a study by Michał Czarnuch and his team on the use of available funds and competition models under the National Reconstruction Plan (KPO). He emphasized that new competitions are expected to be announced as early as October 17, which creates real opportunities for medical facilities to obtain funds for modernization and infrastructure security. Dybowski drew attention to the need to prepare properly for submitting applications. He emphasized that hospitals and organizations should be ready even before the calls for proposals are announced, due to the required approval of authorities and the need to complete the necessary documentation. He pointed out that early preparation will allow for the efficient submission of applications and increase the chances of obtaining funding. He also discussed how medical facilities can use the available templates and guidelines to properly prepare their projects. He noted that cooperation with experts and consultation with the authorities responsible for awarding funds can be crucial to the success of applications.

Practical tips for medical facilities
The training participants emphasized the substantive value of the lectures and the opportunity to exchange experiences directly. Many of them pointed out that cybersecurity is not only a technological issue, but also an organizational and social one. Thanks to the training, they learned how to:
- Work with other entities to exchange knowledge and jointly counter threats.
- Effectively implement security strategies that protect against the latest cyber threats.
- Comply with the legal requirements of the NIS2 Directive and GDPR, minimizing the risk of sanctions and loss of patient trust.
- Use available sources of funding, such as the National Recovery Plan, for projects related to digitization and security.
We invite you to the next edition of the training course in Szczecin.
If you did not have the opportunity to participate in the training in Białystok or would like to deepen your knowledge, another edition of this event will take place on October 16 in Szczecin. This is an excellent opportunity for hospital directors, IT managers, security specialists, and anyone interested in cybersecurity in healthcare.




Why is it worth participating?
- Networking: You will meet other professionals from the industry, which may result in valuable contacts and future collaborations.
- Current knowledge: You will learn about the latest trends and challenges in cybersecurity that directly affect the functioning of your institutions.
- Practical solutions: You will learn how to implement strategies and technologies that increase the security of patient data and IT systems in practice.
- Experts in one place: You will have the opportunity to talk to experienced specialists and ask them any questions you may have.
Agenda
Check out the preliminary agenda to learn more about the content of the lectures and examples of integration.
Please note that the agenda is subject to modification or change without notice.

How to register?
Participation
Registration for the training course in Szczecin is now open.
To reserve a place, simply visit the organizer’s website and fill out the application form.
The number of places is limited, so we encourage you to act quickly.
Contact regarding registration:
Phone: 699 710 477
E-mail: fundacja@healthcarepoland.pl
Who is it for?
Any healthcare provider and hospital. Entities not engaged in healthcare activities will be rejected.
Costs
The training is free of charge, and visiting participants can book hotel rooms using the hashtag #Cybersecurity.
Parking
Parking is subject to availability at the hotel car park.

