The Belgian government neglected to include hospitals on a list of essential services targeted for extra protection against cyber-attacks, De Tijd reveals.
The list was a feature of a 2016 European Union directive – the so-called Network and Information Systems directive (NIS) – for the protection of essential services and businesses from the growing threat of cyber-attacks. Six sectors were involved: energy, transport, finance, drinking water, digital infrastructure and healthcare.
The directive obliges all providers of network and information systems to take all measures to avoid attacks, or to reduce the impact if they do occur.
According to De Tijd, the list of essential services is confidential, for obvious reasons. But the newspaper’s own investigation has revealed that there are no hospitals on the list, despite healthcare being one of the six sectors covered.
That finding was confirmed by Wendy Lee, spokesperson for the federal public health ministry.
“If a hospital is not operational for whatever reason, it can be taken care of by other hospitals. The sector will survive,” she told the paper.
“The legal framework for the protection of hospitals against cyber attacks is that of eHealth. This includes provisions on cybersecurity, emergency plans, an alert network. It is valid for all hospitals in Belgium, regardless of type. For these reasons, hospitals in our country were not included under the NIS directive.”
The Centre for Cyber-security Belgium (CCB) declined to comment.
“The health sector is indeed covered by the NIS Directive,” said spokesperson Katrien Eggers. “But it was always up to the government department responsible for each sector – in this case the minister of health – to designate specific entities as providers of essential services. We cannot comment on that,” she said.
“The CCB respects the decisions and choices of those authorities. The negotiations were complicated within certain sectors for a wide variety of reasons.”
A report by the European Commission from December last year found that other member states also have few hospitals on their lists, although one other (none of them named in the report) lists not only all hospitals but also all doctors’ practices.
Nevertheless, the consensus seems to be that large hospitals ought to be listed at a minimum. In January, the Centre Hospitalier de Wallonie picarde (Chwapi) in Tournai suffered a cyber attack that locked up 80 computers and led to more than 100 appointments being cancelled. In the middle of the Covid-19 crisis, cyber experts had to be called in from Lille across the border in France to help solve the problem.
The office of federal health minister Frank Vandenbroucke responded to the paper’s findings.
“Following the recent cyber attacks, the government – including the public health ministry, Sciensano and the eHealth platform – has again entered into consultation with the hospital and laboratory sector, and a number of tools have been provided to increase cyber security. The NIS-2 guideline has been discussed since the beginning of this year. Within this framework, we want to arrive at an approach tailored to the hospital sector.”