The global COVID-19 pandemic continues to have significant and far-reaching consequences for individuals, as well as organisations and businesses around the world in a number of different ways. One impact has been an increase in cybersecurity and data protection-related concerns in various areas, some of which are likely to be a key area of focus in the coming months.

One significant issue is that, reportedly, cyber-criminals and suspected state hackers alike are attacking health systems, a problem that is likely to be exacerbated by the implementation of large COVID-19 vaccination programmes across the globe.

The global supply chain for such vaccines is complicated and often involves various elements in a number of different countries, and instances of cyber-criminals attempting to disrupt vaccine supply chains in different ways have already been noted in some jurisdictions. This means that the distribution of COVID-19 vaccines may experience cybersecurity issues.

Another area of concern is the targeting of vaccine research. Hackers targeting such research are not necessarily focused on acquiring personal data, but may be trying to advance developments in other jurisdictions, or obtain intellectual property for commercial advantage, among other things. Other issues include discrediting a country’s testing and safety evidence and the dissemination of inaccurate vaccine-related information online.

However, ransomware attacks, especially on hospitals, apparently continue to be the most significant cybersecurity concern, particularly those that impede the ability to provide care for patients. As this article notes, the digitisation of health has been expedited by COVID-19, with many more internet-connected tools and systems being used than previously.

This has led to fears that cyber-criminals may shift their focus from denying organisations access to their health information to actively interfering with it, which could create safety risks for patients.

To try to address these issues, relevant organisations in the UK should ensure that they comply with all applicable cybersecurity requirements, including (among other things) the obligations included in the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018 regarding the security of personal data.

UK-based organisations may also still need to comply with the requirements of the General Data Protection Regulation (EU) 2016/679 (EU GDPR) to the extent that they either offer goods or services to data subjects in the EU or monitor the behaviour of data subjects within the EU.

Relevant UK organisations should also ensure that they comply with the requirements of the Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations), which impose various cybersecurity and incident reporting obligations on relevant digital service providers and operators of essential services that operate in specific sectors (including health) and meet threshold operating requirements. The NIS Regulations focus on the security of IT systems, rather than the security of the personal data processed by those systems.

All of these risks mean that, going forward, it will be more important than ever for organisations and businesses involved in the healthcare sector to take robust steps to ensure the security of their IT systems and devices, so that public health and individual patient safety are protected as far as possible.