NIS V2 chronicle - Episode 2
Introduction: Why NIS V2 is a game-changer for mid-sized healthcare companies
The year 2024 marks a decisive turning point for cybersecurity in critical sectors, particularly healthcare. October 17, 2024 was the deadline for EU member states to transpose the NIS 2 Directive into national law; from that point, in-scope companies, including mid-sized enterprises (ETIs) operating in the healthcare sector, must comply with new security and risk management requirements.
These companies handle extremely sensitive data: medical records, clinical test results, and critical systems that ensure the continuity of healthcare services and pharmaceutical production. As cyber threats grow, ensuring the resilience of these systems is essential.
As mentioned in article 1 of this NIS V2 chronicle, in 2023, 581 cybersecurity incidents were reported in the healthcare sector, and 50% of these incidents were of malicious origin. These figures highlight the vulnerability of critical infrastructures. The NIS 2 Directive aims to strengthen the security of these infrastructures by imposing stricter measures on companies, including mid-sized enterprises.
Specific requirements for the healthcare and pharmaceutical industries
Companies in the healthcare and pharmaceutical sectors must protect not only critical systems, such as pharmaceutical production lines, but also the sensitive data they handle.
A major challenge lies in securing industrial systems (OT). These systems, which perform essential functions in the production of medicines and management of medical infrastructure, are increasingly interconnected with IT systems. This IT-OT integration, while offering efficiency gains, exposes OT systems to broader cyber threats.
Additionally, health data, such as medical records or clinical trial results, as well as intellectual property (such as drug formulas or patents), have become prime targets for cybercriminals. The leakage or theft of this information could compromise not only patient safety but also the company’s competitiveness.
The supply chain is another critical point. In the pharmaceutical field, companies rely on many subcontractors, each of which can introduce security weaknesses into the chain. Ensuring partner compliance is therefore essential to protect the chain as a whole.
Specific threats to the pharmaceutical industry and healthcare
Attacks targeting OT systems
OT systems in pharmaceutical companies and medical infrastructures play a fundamental role. These systems ensure the production of medicines, manage diagnostic equipment, and even handle hospital logistics. However, their growing interconnection with IT systems makes them a prime target for cyberattacks.
A typical attack on an OT system could aim to sabotage drug production by altering machine parameters or disrupting production lines. In some cases, this could result in significant financial losses, delays in the supply chain, or, worse, the distribution of compromised products, endangering public health.
Cybercriminals also exploit vulnerabilities in OT networks to reach critical systems. Unlike IT systems, OT environments are often older and patched less regularly, which makes them more exposed. For example, a ransomware attack on a pharmaceutical plant could halt production while the attackers demand a large ransom to restore systems, potentially paralyzing the company for several days.
Theft of sensitive data and intellectual property
In the pharmaceutical sector, protecting sensitive data and intellectual property is paramount. Companies handle critical information such as drug formulas, clinical trial results, or patient data. The theft or leakage of this data could have disastrous consequences, both economically and reputationally.
Cybercriminals exploit this data for blackmail, resale, or industrial espionage.
Risks related to subcontracting
Subcontractors play an essential role in the pharmaceutical supply chain, but they also represent vulnerable targets for cyberattacks. An intrusion at a supplier can trigger a cascade of attacks throughout the supply chain. This can affect the availability of raw materials, disrupt manufacturing processes, and compromise the delivery of final products.
Regulation now imposes stricter standards to monitor and secure relationships with subcontractors, and NIS V2 places particular emphasis on this issue.
Security strategies for mid-sized healthcare and pharmaceutical companies
For mid-sized companies in this sector, adopting specific cybersecurity measures is essential to meet NIS V2 requirements. Strengthening IT and OT systems, as well as protecting data, must be at the heart of priorities.
Strengthening OT and IT system security
OT and IT systems, although different in their operation, must be protected in a complementary manner. OT systems, which manage industrial processes, are particularly vulnerable to cyberattacks due to their age and increasing interdependence with IT systems.
One strategy is to segment OT and IT networks to minimize the spread of an attack from one environment to another. This reduces the attack surface and isolates critical systems.
Moreover, it is essential to enhance the monitoring of OT systems. OT infrastructures require continuous, passive monitoring with OT-specific tools (for example from a network tap or firewall logs), because active vulnerability scans can disrupt or crash fragile controllers. Companies must also schedule system updates and patches around production windows to minimize interruptions. Furthermore, implementing a robust access control system (strong password policies, MFA), centralized if possible and following the principles of least privilege and need-to-know, is absolutely necessary.
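As an added illustration of the segmentation and passive-monitoring points above (example code written for this article, not a tool from the original page or from any vendor), the following script evaluates constructed NetFlow-style records against a three-zone allow-list policy (IT, DMZ, OT). The zone names, subnets and permitted flows are assumptions chosen for the example; every cross-zone flow that is not explicitly listed is reported as a violation, so a direct IT-to-OT connection (SMB, Modbus, anything) is flagged without ever touching a controller.

```python
"""Zone-based IT/OT segmentation check over constructed flow records.

Added example, not code from the original article. Subnets, zone names
and the allow-list are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing plan: one subnet per zone.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}

# Allow-list of permitted cross-zone flows: (src_zone, dst_zone, proto, dport).
# There is deliberately no IT -> OT entry: office users reach plant data only
# through the DMZ historian, and engineering access goes through the DMZ jump host.
ALLOWED = {
    ("IT",  "DMZ", "tcp", 443),   # office users read the DMZ historian web UI
    ("OT",  "DMZ", "tcp", 1433),  # OT-side collector pushes data to the DMZ database (assumed port)
    ("DMZ", "OT",  "tcp", 3389),  # jump host RDP to the engineering workstation
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one observed flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside any known zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    key = (src_zone, dst_zone, flow.proto.lower(), flow.dport)
    if key in ALLOWED:
        return "allow", f"permitted {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"
    return "deny", f"no rule for {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"


def audit(flows: list[Flow]) -> list[tuple[Flow, str, str]]:
    """Evaluate every flow; records come from a tap or firewall log, not from scanning."""
    return [(f, *check_flow(f)) for f in flows]


def violations(flows: list[Flow]) -> list[Flow]:
    return [f for f, verdict, _ in audit(flows) if verdict == "deny"]


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.5.23",   "10.20.0.10", "tcp", 443),   # IT -> DMZ historian: allowed
    Flow("10.30.1.7",    "10.20.0.11", "tcp", 1433),  # OT collector -> DMZ DB: allowed
    Flow("10.20.0.5",    "10.30.2.40", "tcp", 3389),  # jump host -> engineering WS: allowed
    Flow("10.10.5.23",   "10.30.2.40", "tcp", 445),   # IT -> OT SMB: violation
    Flow("10.10.7.9",    "10.30.1.7",  "tcp", 502),   # IT -> PLC Modbus: violation
    Flow("192.168.99.4", "10.30.1.7",  "udp", 161),   # unknown source -> OT: violation
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src:>14} -> {flow.dst:<12} {flow.proto}/{flow.dport}: {reason}")
```

The same allow-list is what the boundary firewall should enforce; running it over observed flows is a cheap way to detect drift between the intended segmentation and what is actually crossing the boundary.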
Protecting sensitive data
Since medical and pharmaceutical data are prime targets, mid-sized companies must ensure that their data protection policies meet the strictest standards. This includes rigorous access management and complete traceability of operations. In France, for example, the 2024 revision of the HDS (Hébergeur de Données de Santé, health data hosting) certification imposes increased requirements for traceability and access management, reinforcing the protection of critical data.
Supply chain, the weak link
Protecting the supply chain is another major challenge. It is necessary to ensure strict compliance of all subcontractors with cybersecurity requirements. This involves regular audits, the inclusion of security clauses in contracts, and the implementation of supplier monitoring mechanisms.
Eunoia Security Hub to simplify NIS V2 compliance
Complying with NIS V2 can seem complex, especially for mid-sized companies. However, Eunoia Security Hub simplifies this task by automating several key compliance steps.
Eunoia Security Hub centralizes the management of governance, risks, and compliance. Its intuitive interface allows companies to model security strategies and to identify and monitor risks through interactive dashboards. Continuous monitoring of IT and OT assets, coupled with the automation of NIS V2 requirements, lightens the workload of IT/OT teams.
Another major advantage is the mapping of standards: if the company is already compliant with standards like ISO 27001, Eunoia Security Hub avoids re-auditing already completed controls, focusing only on the elements specific to NIS V2. This optimizes the process and saves time.
In summary, Eunoia Security Hub offers a flexible, automated solution, ideal for ensuring NIS V2 compliance while simplifying risk management.
Conclusion
NIS V2 represents a unique opportunity for mid-sized companies in the healthcare and pharmaceutical sectors to modernize their cybersecurity practices. More than just a legal obligation, this directive strengthens the resilience of critical infrastructures and better protects sensitive data.
By adopting proactive cybersecurity strategies, reinforcing the protection of IT and OT systems, and leveraging an integrated solution like Eunoia Security Hub, companies can not only comply with NIS V2 requirements but also turn this compliance into a competitive advantage.