NIS2 Directive

in ocd •  3 months ago


    I am currently working for two clients. At one of them, we are working on NEN 7510 certification (the Dutch information security standard for healthcare) and on NIS2 compliance (NIS stands for Network and Information Systems). NIS2 is an EU directive, so every member state has to transpose it into national law; the transposition deadline was 17 October 2024. In practice, governments are still struggling with that. In the Netherlands, the law should have been in force from October 2024 (now), but that did not work out and it has been postponed until mid-2025.

    NIS2 is the successor to, and a tightening of, the original NIS directive (which is already in force), intended to increase the cyber resilience of critical organizations. Compared to NIS, the list of sectors and entity types that count as essential or important has been widened considerably, including within healthcare. A number of important aspects of NIS2 are:

    • Chain liability
      In principle, an organization is primarily responsible for its own information security and the measures it takes. With NIS2, supply chain security becomes an explicit obligation as well. This means that if a supplier does not have its information security in order, the customer remains responsible for the resulting risk and can also be held liable.

    • Liability of directors
      One of the important aspects of NIS2 is the liability of directors. Previously this was not explicitly regulated, but under NIS2 the management body has to approve and oversee the cybersecurity measures, and its members can be held personally liable for infringements. This can therefore mean significant fines, potentially personal ones. What I see is that this measure gets funding for cybersecurity projects approved more quickly, which I think is always a good thing.

    That is an important, and in my opinion good, change. It does mean that during contract negotiations, the information security of a supplier and the measures it takes must be tested rather than taken on trust. And I notice that, certainly in healthcare, not all suppliers are that far along, which I find strange: healthcare processes sensitive data, and in the case of a ransomware attack, for example, an already vulnerable group becomes even more vulnerable. It can mean life or death.

    What I have noticed, and what we of course already know, is that you can set up all kinds of rules, processes and procedures, but the most important factor is the human one. Employees must adhere to the rules and agreements that apply, and this is still a difficult one, especially in healthcare. Sometimes it is ignorance, but sometimes it is a conscious decision to work differently. How do you deal with that as an organization?

    What we have done, and this is also mandatory under NIS2, is cybersecurity awareness training. Employees are required to complete it, and the result is recorded in their personnel file. In addition, we regularly post tips and tricks on the intranet and run phishing campaigns. These show that there are still employees who fall for it. With the arrival of generative AI this is becoming an even bigger problem, because the spelling mistakes and awkward phrasing that used to give phishing mails away are gone and the emails are almost indistinguishable from the real thing.

    How are you doing with digital security and, if applicable, NIS2?

    Have a great Friday,

    Peter
