Legislation within cybersecurity: preparing for NIS2 – a detailed framework in the healthcare sector in the Netherlands
van Welie, Alwin (2024-07-29)
The publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
Open access
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe2024081965472
Abstract
Cybersecurity is becoming increasingly important for organizations, particularly in the healthcare sector. In 2023, the healthcare sector was the third most attacked sector of all sectors. Preventing and preparing for cybersecurity incidents is critical in the current digital landscape. The NIS2 Directive is the EU's answer to a more cyber-resilient Europe. Preparing to become compliant is difficult not only because the directive has not officially been published yet, but also because compliance is mandatory by the set deadline of 17 October 2024. Non-compliance means large fines, which can reach 2% of an organization's annual revenue or, alternatively, €10 million. Preventing and preparing for cybersecurity risks is key to the continuation of daily operations. Healthcare organizations do not know how to properly prepare for the NIS2 Directive, nor is there a detailed framework or overview available that specifically addresses the gaps between the measures currently taken and those yet to be taken. This calls for an in-depth gap review of the currently available information regarding the NIS2 Directive in order to derive specific controls that prepare the healthcare sector for compliance, which is what this thesis aimed to do.

Using the Design Science approach, a framework for the Dutch healthcare sector was developed. The framework is based on a gap analysis, in which six gaps were found: incident management, standardized reporting, contact with the CSIRT, standardized impact assessment, mandatory cybersecurity education for management, and supply chain cybersecurity assessment. The framework was created over three iterations in which IT audit, cybersecurity and healthcare experts were interviewed. A NIS2 study involving a thorough reading of the NIS2 Directive was carried out to understand the directive's context. A literature review and an analysis of frameworks commonly used in IT auditing were then conducted. These frameworks provide the baseline for the controls created for the gaps identified in the gap analysis between the Dutch healthcare cybersecurity standard NEN 7510 and the NIS2 Directive. The developed framework was verified through ten expert interviews and later validated with two further interviews. The required controls in the framework are based on maturity levels, reflecting the current level of cybersecurity measures combined with the different risk levels found in different healthcare organizations.