The NIS 2 Directive: A wake-up call for health care disaster recovery strategies


The NIS 2 Directive is in full swing, with profound implications across multiple sectors, especially in those industries that the directive designates as “essential,” a category that includes energy, transportation, banking and critical infrastructure. Health care is also one of them, and ransomware attacks on hospitals consistently make headlines in the news. With 309 health care incidents reported in the EU in 2023 alone, it's a stark reminder that cybercriminals are vying for valuable personally identifiable information (PII) and the rest of the health care data trove.

In addition to patients, it’s estimated that 14.3 million people are employed in the European health care sector with their personal information also on the line. Failure to comply with NIS 2 can result in fines of up to €10 million or 2% of annual turnover. The common challenge with protecting this data? Resilience. It's no longer enough to simply defend; health care organizations must also be able to recover from data loss and downtime swiftly and effectively. Combining defense and disaster recovery is becoming nonnegotiable. 


Five major concerns for health care leaders under NIS 2 

The NIS 2 Directive brings specific concerns that health care leaders and IT professionals must address: 

  1. Expanded scope and obligations: NIS 2 significantly broadens the range of entities considered “essential” and “important.” This means that more health care providers and related organizations will fall under its stricter requirements, demanding a comprehensive review and potential overhaul of existing cybersecurity and resilience measures. 
  2. Increased liability: NIS 2 places greater accountability on management bodies. Executives can be held financially and even criminally liable for noncompliance, making cybersecurity a top-tier business risk that demands immediate and ongoing attention. 
  3. Operational disruptions and patient safety: The directive's emphasis on business continuity prioritizes the need to minimize disruptions to health care services during a cyber incident. Failure to do so can directly endanger patient safety, a risk no health care leader can afford to take. 
  4. Supply chain vulnerabilities: NIS 2 mandates addressing security risks within the supply chain. Health care organizations must rigorously assess the cybersecurity posture of their vendors and partners, a complex task given the interconnected nature of the health care ecosystem. 
  5. Stringent reporting requirements: NIS 2 imposes strict incident reporting obligations with tight deadlines, including an early warning notification to authorities within 24 hours of an incident. Health care organizations must have robust internal processes for detecting, analyzing, and reporting incidents to avoid penalties and maintain transparency. 

Adding to the concern, health care is one of the most prized targets of cyberattacks, with 92% of health care organizations reporting at least one cyberattack in the last year. What’s worse is that the disruption caused by these attacks is upending patient care and putting lives at risk. Among organizations under attack, 56% reported poor patient outcomes due to care delays, and 28% said that mortality rates increased.

Health care resilience demands disaster recovery: Why it’s essential for uptime 

With disaster recovery, it's not just about restoring data; it's about ensuring the continuity of critical patient care. Effective disaster recovery planning, technology and execution enable health care organizations to: 

  • Minimize downtime: Rapid post-incident failover to replicas of applications and data in the cloud minimizes disruptions to patient services, ensuring that doctors and nurses have access to essential systems when they need them most. 
  • Protect patient data: Secure encryption of data and application replicas is necessary to safeguard sensitive patient information and ensure compliance with NIS 2’s privacy requirements. 
  • Maintain operational integrity: Comprehensive disaster recovery plans address a wide range of potential disruptions, from ransomware attacks to natural disasters, ensuring the organization's ability to function under duress. 

To achieve this level of resilience, health care organizations should: 

  • Invest in robust backup and disaster recovery solutions: Implement solutions that provide fast, reliable recovery of critical systems and data. Consider solutions with features like self-service recovery for remote workers so they can get back online quickly after an incident without the intervention of IT staff. 
  • Develop detailed incident response plans: Create comprehensive plans that outline procedures for responding to various cyber incidents, including roles and responsibilities, communication protocols and recovery steps. 
  • Enhance detection and response: Endpoint detection and response (EDR) and extended detection and response (XDR) with behavioral-based detection are requirements now as threats grow increasingly sophisticated, thanks in part to the malicious use of generative AI tools. 
  • Conduct regular drills and testing: Regularly test disaster recovery plans to identify weaknesses and ensure that recovery procedures are effective, especially in the wake of an incident. 
  • Adopt a layered security approach: Implement a defense-in-depth strategy, aligning with frameworks like NIST CSF 2.0 and CIS Critical Security Controls, to take advantage of industry best practices and minimize the likelihood and impact of cyberattacks.  

The NIS 2 Directive, coupled with the ever-present threat of cyberattacks and stringent insurance requirements, demands a transformation in how health care organizations approach cybersecurity and data protection. Disaster recovery must be a component of the health care resilience discussion if these organizations want to keep their patients safe both in the digital world and on the stretcher. 

Strengthening resilience in health care with Acronis Disaster Recovery 

Acronis Cyber Protect natively integrates cybersecurity and data protection to help health care organizations achieve the resilience required in the NIS 2 era. Award-winning, comprehensive data protection gives health care providers peace of mind, enabling them to securely maintain the availability and integrity of valuable health data and applications, and to rapidly restore them in the wake of unforeseen events.  

One of the capabilities valuable to health care IT departments is Acronis One-Click Recovery. In scenarios where time is of the essence, quality patient care may hinge on a health care organization’s readiness to bring operations back to normal, including for work-from-home employees. Acronis One-Click Recovery enables any employee, regardless of their IT skill level, to restore their work PC from the latest backup.

To learn more about this feature and the impact it has on health care, watch our on-demand webinar.

Author
Allison Ho
Content Marketing Manager
Allison Ho is Content Marketing Manager at Acronis. Allison develops content on cybersecurity, data protection, artificial intelligence and endpoint management while closely collaborating with thought leaders. Her technology B2B marketing experience includes expertise in SEO.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.
