Health Care Organizations and Cloud Service Providers Receive Guidance on Cloud Security Measures

In Short

The Situation: The health care sector is currently going through a digital transformation phase with the promise of achieving improved patient care and higher efficiency—and the implementation of cloud-based services is a game-changer in this respect. It is therefore critical for health care organizations and cloud service providers to address the specific challenges in terms of cybersecurity and data protection when implementing cloud-based services.

The Result: The European Union Agency for Cybersecurity ("ENISA") published a report on Cloud Security for Healthcare Services ("Report"). The Report provides a set of 17 security measures for health care organizations—acting as cloud customers—and cloud service providers ("CSPs") to provide cybersecurity and data protection in accordance with applicable EU legislation (e.g., GDPR and NIS Directive). The Report also provides practical guidance for health care organizations and CSPs and sheds light on the stakeholders' respective responsibilities for implementing cloud services in accordance with good cybersecurity and data protection practices.

Looking Ahead: Both health care organizations and CSPs that are active in the European Union should follow ENISA's recommendations in order to secure the implementation of their cloud-related projects and provide an appropriate level of cybersecurity and data protection.

As the health care sector is going through a comprehensive digitalization process, the integration of cloud-based tools and services creates new challenges in terms of cybersecurity and data protection.

ENISA published its Report on January 18, 2021. The scope of the Report relates more specifically to the eHealth ecosystem (e.g., health care services and facilities, medical devices and equipment, remote care, etc.). It provides guidance to the health care sector and cloud service providers ("CSPs") on cloud security practices and on the identification of critical data security aspects.

To begin with, the Report outlines the applicable policy context (i.e., NIS Directive, GDPR, additional regulators' guidelines), recalls the basic elements of cloud computing, and lists the key types of cloud services in the health care sector. The Report also summarizes the main security and data protection challenges faced by health care organizations when using cloud services, such as the lack of cybersecurity expertise and the complexity of proving regulatory compliance of the CSPs. While facing a wide range of cyber threats, such as natural disasters, supply chain or system failures, human errors and malicious actions, health care organizations can indeed find it particularly complex to navigate the offerings of the CSPs to validate that sufficient data governance controls are in place, and that privacy by design, data management, and portability obligations are met. This is all the more important in view of national and European legislative efforts to introduce class actions also in relation to cyber breaches.

To help health care organizations and CSPs address cyber risks, ENISA presents three practical use case scenarios of cloud services applicable to the health care sector, namely electronic health record services, remote care services, and services involving a medical device—all available in the cloud. ENISA also identifies factors organizations should consider during the risk-assessment phase and provides risk-mitigation measures.

Against this background, the Report provides a set of cloud security measures and recommended practices for the health care sector, based on common frameworks for cloud security and the ongoing work on a cloud certification. Each suggested security measure is cross-referenced with recommended practices included in ENISA's existing Procurement Guidelines for Cybersecurity in Hospitals and with the different use case scenarios. In addition, the roles of both cloud customer and CSP are indicated for each cloud security measure, along with additional data protection considerations.

In total, 17 security measures are suggested in the Report, including identifying applicable cybersecurity and data protection legal requirements, conducting a risk assessment and a data protection impact assessment, establishing processes for security and data protection incident management and response, establishing business continuity and disaster recovery plans, and enabling data encryption for data at rest and data in transit.

As ENISA points out, the cloud security measures and the related responsibilities vary depending on the type of cloud service (e.g., SaaS, PaaS, or IaaS) and the deployment model (e.g., public, private or hybrid cloud). For instance, only the CSP would normally be responsible for establishing processes for security and data protection incident management in a typical case of remote care services—whereas, for the use case relating to the provision of services based on a medical device, the Report provides that both the CSP and the cloud customer would normally be responsible for implementing such a security measure.

As the conclusion of the Report highlights, health care organizations may still be reluctant to adopt cloud services beyond those relating to the management of administrative data. This is due to a number of factors, including the lack of cloud expertise and the extensive compliance requirements, in particular with respect to data protection and professional secrecy obligations. In addition, although not mentioned in the Report, health care organizations and CSPs should take into account the additional data protection challenges resulting from the recent "Schrems II" ruling of the European Court of Justice if they contemplate any transfers of personal data from the EU to third countries. See our previous Jones Day Commentary.

Although it is clear from the Report that further support is expected to facilitate the development and implementation of cloud services in the health care sector (e.g., specific guidance from national and EU authorities, industry standards for cloud security in the health care context, guidelines from data protection authorities on moving health care data to the cloud, etc.), the ENISA Report provides useful guidance for health care organizations and CSPs looking at implementing cloud services in compliance with the current cybersecurity and data protection legal constraints as well as recommended practices.

Three Key Takeaways  

  1. The procurement by health care organizations of cloud-based services is critical to achieve improved services for patients and higher efficiency.
  2. The integration of cloud-based services by health care organizations requires conducting detailed prior due diligence and analysis to provide sufficient cybersecurity and data protection in accordance with regulatory constraints.
  3. As the ENISA Report clarifies the key responsibilities for implementing security measures in cloud-related projects, health care organizations and cloud service providers should use the Report as a checklist to draft and negotiate relevant provisions of their service agreements (e.g., service level agreements, limitation of liability clauses, data protection clauses, etc.) in order to mitigate data protection and cybersecurity compliance and business risks.