February Edition 2023

incident has enhanced public discussions on cybersecurity in the health sector, and what lessons could be learnt. In May 2022, the State Comptroller’s Office released a detailed report examining cyber defences in the health sector [3]. The findings in the report pointed out several elements in health organizations’ preparedness, highlighting the need to maintain cyber hygiene and data protection procedures throughout the lifecycle of medical devices (e.g. requiring cybersecurity checks and approvals before the purchase of new medical equipment; conducting periodic penetration tests and cyber risk surveys). The report also stressed the need for health organizations to allocate sufficient resources for cybersecurity in terms of governance and budgets, as well as to put in place detailed incident response and recovery plans. The report also examined the steps taken by state authorities, and urged the Ministry of Health to issue complete cybersecurity regulations.

The Ministry of Health issued a new comprehensive regulation on the Fundamentals for Cybersecurity of the Health Sector [4] in March 2022, updating and supplementing previous regulations it had issued before. The new regulation addresses a range of responsibilities and duties of health organizations, starting with designing corporate governance mechanisms and cybersecurity strategies and policies, as well as risk management frameworks, to ensure that cybersecurity risks get the proper resources and attention. It lists cyber hygiene demands at both the management and the technological levels. Those also include cybersecurity requirements in relation to outsourcing or purchasing from external suppliers, with references to cybersecurity standards ISO 27001 and ISO 27799 required from certain suppliers. This new regulation also stipulates mandatory breach notifications by health organizations in relation to cyber incidents.
The regulation on the Use of Cloud Computing in the Israeli Healthcare System (hereinafter “the Health Systems’ Cloud Regulation”) is another contemporary regulation the Ministry of Health had issued earlier (February 2021) [5]. The Health Systems’ Cloud Regulation requires that health organizations conduct a risk assessment survey prior to taking a decision to use Cloud Computing, with the involvement of the

[3] https://www.mevaker.gov.il/sites/DigitalLibrary/Documents/2022/2022.5/2022.5-204-MedicalCyber-Taktzir.pdf
[4] https://www.health.gov.il/hozer/mk06_2022.pdf
[5] mk02_2021-en.pdf (health.gov.il) https://www.gov.il/en/departments/policies/mk02-2021