NIS2 Cybersecurity Rules Approaching: Is Your Organization Prepared?
The EU NIS cybersecurity regulations are evolving for 2024, and if you’re not currently aware of how they’ll apply to your organization, now is the time to get up to speed with the desired requirements. Not only is the directive being tightened, but an extended range of healthcare and related organizations will be added to the list of ‘critical entities’ that must comply. These include certain medical device manufacturers, pharmaceutical companies, and organizations that carry out R&D.
The Network and Information Systems (NIS) standards were set up in 2016 to protect essential services – such as water, energy, healthcare, transport, and digital infrastructure – from online cyberattacks. The updated legislation, NIS2, will have stricter rules,reporting requirements, and higher penalties for non-compliance.
They will apply to medium-sized and large businesses that operate within one or more EU countries. Those based only in the UK can’t sit back; however, the original NIS regulations will still apply as part of British law. What’s more, a UK version of the rules is coming very soon, and it’s likely that the framework will closely resemble the EU’s.
What will the requirements cover?
There are a number of cyber risk management measures that all organizations that come under the scope of NIS2 will be required to put in place. For instance, they will need to conduct regular security assessments and risk analyses, adopt incident response and handling plans, and appoint a chief information security officer (CISO), among other obligations.
The new directive will streamline and strengthen incident reporting requirements. Entities must notify regulators of any incident that has compromised data or had a significant impact on the provision of their services, such as causing severe operational disruption or financial loss.
Applying information system security policies and business continuity plans will form part of the obligations, as will conducting cybersecurity testing and training for all staff. The use of multi-factor authentication (MFA) and encryption, wherever appropriate, will also be mandated.
There is plenty of focus within the directive on the cornerstones of cybersecurity best practices particularly, the proper control of administrator-level account credentials, privileged access, and endpoints, all of which are prime targets for attackers.
Under NIS2, organizations are being separated into ‘critical’ and ‘important’ entities. It’s important to determine which category yours’ will fall under, as each has different requirements.
The third-party threat will also be addressed in NIS2 by pulling in managed service providers (MSPs) to the list of ‘critical entities’, with the aim of keeping digital supply chains secure. MSPs are often granted privileged access to clients’ corporate systems and networks, which creates security risks.
What are the consequences of non-compliance?
Organizations that come under the regulations’ purview will be subject to random checks, regular security audits, on-site inspections, and off-site supervision.
For those found to be in breach, sanctions could include warnings, temporary suspension of certain activities, and temporary prohibition to exercise certain managerial functions. Financial penalties could be as high as 10 million Euros or 2% of an organization’s global turnover, whichever is higher.
What steps should healthcare organizations take now?
Organizations should take action to establish whether the EU or UK NIS2 regulations will apply to them and what their responsibilities will be. Having identified any gaps in existing cybersecurity processes, policies, and practices, they must determine what changes need to be made to address them.
As a priority, they must review their incident response plans and incident management and reporting procedures. It’s also a good idea to begin assessing the security posture of partners and third parties in the supply chain and incorporating relevant security requirements into contracts.
Given the framework’s focus on protecting privileged admin accounts, organizations should implement controls limiting the number of staff members with these robust credentials. Implementing privileged access management (PAM) will allow IT to control who is granted access to which systems, applications, and services, for how long, and what they can do while using them.
Preparing for the introduction of the EU NIS2 regulations should be considered more than just a compliance exercise. By meeting the strengthened requirements, healthcare organizations will be building a foundation of resilience that protects them, their customers, and the essential services they provide.