KSC for hospitals, or how to ensure security and protection against cyberattacks
Cyberattacks on public and private medical facilities in Poland are a fact, as evidenced by media reports and statistics. However, it’s not the numbers that matter here, but the consequences of these attacks. Lack of access to IT systems not only causes significant disruptions in patient care and access to services but also poses serious threats to the protection of personal data. How can this be prevented? The answer lies in the National Cybersecurity System Act, which imposes specific obligations on hospitals.
A lot is said about the so-called “patient-friendly hospital,” which aims to meet the needs of patients and ensure their comfort. However, it’s worth mentioning another aspect – security. Security here not only refers to ensuring that the facility takes good care of the patient and provides easy access to high-quality services, but also ensures that the patient’s data is safe. This makes the technical infrastructure and the security management system crucial, especially in the face of cyber threats. This is precisely what is regulated by the National Cybersecurity System (KSC) Act. It aims to support the implementation of actions that detect, prevent, and minimize the impact of cybercriminal attacks.
What does the National Cybersecurity System (KSC) Act require from hospitals?
Technological progress is undoubtedly a promising trend, as it brings significant improvements and modernization of services. However, we cannot forget the associated risks. The lack of proper security for telecommunication networks makes them easy targets for hackers, who are increasingly using sophisticated methods, and new variants of malware emerge every day. Hospitals, in particular, are at a heightened risk because medical data is highly valuable on the black market, making its protection crucial.
Moreover, although hospitals have long been vulnerable to cyberattacks, incidents have intensified following Russia’s invasion of Ukraine. Statistics and reports from experts, the National Health Fund (NFZ) representatives, and the media all point to this increase. A few notable incidents highlight the gravity of the situation.
One such case was the hacking attack on the “Budzik” clinic at the Children’s Health Centre in Warsaw. In late 2019, cybercriminals attacked and blocked the IT system, paralyzing the hospital’s operations. For example, it became impossible to prepare the mandatory report for the NFZ, putting the month’s funding at risk. Fortunately, specialists were able to limit the effects of the cyberattack, but it’s worth noting that the facility could have been paralyzed for at least a month, not to mention the risk of losing NFZ funds. The attackers were aided by outdated IT infrastructure based on systems from 2012.
In late October 2022, the Institute of the Mother and Child Health Centre in Łódź fell victim to a cyberattack that led to a data breach. The facility had to shut down all its IT systems. While patients were still accepted, their care was significantly delayed and hindered, and diagnostic procedures were slower. Most tasks had to be done manually, and results were delivered on physical storage devices. There were considerable delays in issuing test results and discharge paperwork. Following the attack, the hospital decided to build a new network, a process that took several weeks and caused significant disruptions for patients, such as rescheduled hospitalizations.
On a more positive note, in February 2023, the Central Clinical Hospital of the Medical University of Łódź also suffered an attack, but thanks to an effective cybersecurity management system, the problem was quickly identified and the hospital’s IT systems were proactively shut down. This prevented any data breaches and allowed the hospital to continue operations with minimal disruption.
In March 2023, cybersecurity experts drew attention to the increased activity of the hacker group Killnet, which targeted medical facilities. This pro-Russian group specializes in DDoS attacks, which render systems inaccessible. Their victims included the European Parliament, government organizations, and even the Polish police. This is particularly concerning because Killnet officially declared “cyber war” against several European countries, including Poland. According to the Cybersecurity and Infrastructure Security Agency (CISA), by November 2022, there were about 10-20 daily attacks, which increased to 40-60 in February 2023, with 26% of these attacks targeting hospitals. In April, media reported that “Poland is being bombarded by hackers,” with over 500 daily attacks on Polish strategic companies.
Importantly, the NASK response team registered 43 security incidents in the healthcare sector in 2022 alone, a threefold increase in cyberattacks compared to 2021.
While it’s not always possible to prevent a cyberattack, it is possible to minimize its impact. How can hospitals prepare? The answer lies in the National Cybersecurity System (KSC) Act, which sets concrete requirements that healthcare providers must meet.
What does the KSC Act require from hospitals?
The Act on the National Cybersecurity System was published on August 13, 2018 (Journal of Laws 2018, item 1560). It implements regulations of the so-called EU NIS Directive, which was a response to the rapid development of digitalization and the increasing threats in this area. We now have the NIS 2 Directive, which came into force in the second half of 2022, tightening some of the requirements and penalties for businesses and critical entities, including healthcare facilities. For example, for critical entities, penalties can reach up to €10 million or 2% of the total global turnover from the previous year.
The Act on the National Cybersecurity System (and NIS) imposes obligations on operators of essential services (OES) in the healthcare sector. It is worth noting that these obligations apply to entities that have an Emergency Department or belong to the Basic Hospital Security System for Healthcare Services, which may affect around 130 hospitals.
In short, an operator of an essential service should:
- Appoint a contact person for entities in the national cybersecurity system.
- Conduct activities including detecting, recording, analyzing, and appropriately classifying incidents.
- Report incidents to the relevant CSIRT (Computer Security Incident Response Team) within 24 hours.
- Provide access to information, especially about incidents classified as critical, to the relevant CSIRT.
- Establish sectoral cybersecurity teams for security and incident response related to essential services.
- Maintain cybersecurity documentation for the information system, which should be updated and stored for at least 2 years.
- Conduct audits in accordance with the deadlines specified in the act.
Healthcare IT issues
To ensure the required level of security and protection against various attacks, Polish hospitals face many challenges. The computing demands placed on IT systems are changing rapidly, and facilities lack dedicated IT tools. Rising IT costs, a shortage of qualified IT staff, and a lack of reliable knowledge among hospital staff about what the role of an operator of an essential service (OUK) entails only make matters worse.
With the implementation of the KSC Act, issues related to the development of a security system, necessary documentation, and the selection of technology also arise. Moreover, there is little time to adjust to the requirements of the law, which is further hindered by insufficient funding and the effects of the COVID-19 pandemic.
Solution? Significant support comes from companies like PBSG.
Solution: support from external experts
Our specialists not only help Polish hospitals create a security system concept, implement it, and train employees, but they also ensure that all the provisions of the KSC Act are properly considered and implemented. We assist in KSC audits: the first audit should be completed within a year of receiving the decision designating the hospital an operator of an essential service, and subsequently at least every two years. We offer this as a separate service because, according to best practices, audits should be conducted by a different unit than the one that implemented the security management system.
We provide support in fulfilling the tasks set forth in the Act, including:
- Art. 8 – Support in risk assessment
- Art. 9 and 14 – Appointing the person responsible for cybersecurity within the organization
- Art. 10 – Developing and updating documentation
- Art. 15 – KSC audit one year after the decision and at least every two years thereafter
Moreover, we conduct regular training and provide full advisory services to help hospitals ensure due diligence in implementing the legal cybersecurity requirements. We understand that with regulatory changes and an increasing list of obligations, fulfilling these requirements can seem problematic, but we reassure you – with the right consultant, achieving an optimal level of cybersecurity is within reach.
The implementation of the KSC Act requirements is based on 4 stages:
- Gap Analysis: a preliminary audit to check whether and how the organization meets the requirements of the Act. We identify missing elements and those that need improvement. We examine systems, programs, and other components to identify weaknesses and plan the subsequent stages of work, along with an estimate of how much effort each will require.
- Impact Analysis and Risk Assessment help identify the IT systems necessary to provide the key service without disruption. Impact analysis identifies potential threats and their impact on various situations, including people, the environment, and the economy. Risk assessment helps determine the likelihood of threats, assess their impact, and identify the best countermeasures. This allows us to define the actions that should be taken to minimize the negative consequences of potential threats.
- Documentation Development involves writing procedures related to the cybersecurity of the information system used to provide the key service and protect associated infrastructure. It may include access control to buildings or key management systems. It is important that the procedures are effective, tailored to the organization, and clear and understandable – this is guaranteed by PBSG.
- System Implementation and Training are essential to ensure the system is properly designed, enabling the organization to better manage risks and continuously improve security. We help define security goals, identify threats, analyze risks, and implement effective procedures to minimize these threats. The system includes various elements such as policies, procedures, instructions, risk assessment criteria, monitoring, and reporting. Finally, we conduct training, including for management, IT teams, and the cybersecurity team.
Additionally, we provide support for one year after project completion as part of the Cyber Support service. We are flexible – we set the scope of the service and the number of hours according to the facility’s needs. The scope of work may cover information security, continuity of operations, cybersecurity, and KNF recommendations. Moreover, within ISO 31000, ISO 22301, and ISO 27001, we provide assistance within our competencies, such as audits, training, documentation improvement, penetration testing, social engineering tests, and infrastructure configuration analysis.
Why choose PBSG?
In 2022 alone, we completed around 30 cybersecurity projects in hospitals.
We understand how critical continuity of operations is for hospitals, which is why we offer flexible cooperation (remotely and on-site with an agreed number of hours) without interruptions or service downtimes.
Check how we can support you: