Internet Explorer 11 (IE11) is not supported. For the best experience please open using Chrome, Firefox, Safari or MS Edge

As the recent HSE ransomware attack demonstrated, data security breaches can have catastrophic consequences in the healthcare sector. Essential medical treatments have been disrupted and delayed as the efforts to restore thousands of IT systems continue. The attack might act as a wake-up call to nursing homes, private hospitals, and other healthcare providers to examine their own data security practices. We outline the key actions any healthcare provider should take in conducting a data security review.

1. Conduct a risk assessment

Article 32 of the General Data Protection Regulation (GDPR) requires data controllers and processors to implement appropriate technical and organisation measures to ensure a level of security appropriate to the risk. This means asking questions about who might be affected by a data breach and the ways it might affect them. The HSE ransomware attack shows that many healthcare providers could have high risk processing activities, in particular due to the vulnerability of data subjects. The risk assessment should also include a review of third party data processors, including cloud computing service providers.

The European Union Agency for Cybersecurity (ENISA) published a Handbook on Security of Personal Data Processing which includes a risk assessment framework specifically for the healthcare sector.

2. Implement technical and organisational protection measures

This means implementing security measures which are proportionate to the risk and are, as far as possible, in line with the current state of the art.

Technical measures include keeping systems up to date, ensuring that firewalls and anti-virus software is in place and using multi-factor user authentication. It seems basic, but many information security breaches are caused by human error or by stolen credentials. Multi-factor authentication requires two of the following factors for identity verification:

  • Something you have (for example, a phone app or a token card)

  • Something you know (for example a PIN or password)

  • Something you are (for example, biometric data)

By combining these factors, this reduces the likelihood of weak or stolen passwords being used by hackers to wrongfully access systems.

Organisational measures include having a robust information security policy, staff security training and allocating responsibility for information security to someone within your practice. Article 32 of the GDPR also makes clear that your protection measures should be regularly tested and assessed to evaluate its effectiveness.

3. Ensure an Incident Response plan is in place

Every organisation should have a data security incident response plan. The plan should cover how an incident is detected, contained, and eradicated; how it is recovered from; and reviewed to ensure the same issue doesn’t happen again. The IT department should not have sole responsibility for handling an incident – HR, facilities management, operations, legal and PR should all contribute.

Crucially, the plan should involve an assessment to determine whether a breach is likely to result in a risk to the rights and freedoms of natural persons. If so, Article 33 GDPR requires that the Data Protection Commission be notified of the breach within 72 hours. The clock starts ticking when the controller becomes aware of the breach.


Attaining a position of total protection against a possible data breach may seem impossible, but by following these tips you can ensure that your organisation is in the best possible position to prevent or handle a cybersecurity incident and ultimately protect your patients.

For more information, please contact a member of our Public, Regulatory & Investigations or Privacy & Data Security teams.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Share this: