Cybersecurity in healthcare is not just about technology, but above all about protecting patients and the continuity of care. The lecture summarized the basic principles, new regulations, and practical priorities. The following overview explains the essence of the problem and what hospitals and healthcare professionals should focus on.
Laws and standards: who mandates and what guides
In the European Union, regulations are directly applicable, while directives must be transposed into national law; therefore, legislation is changing rapidly and affects healthcare as well. Particularly important are the Medical Device Regulation, the GDPR, eIDAS, the new NIS2 directive, and the planned or newly adopted acts on cyber resilience and artificial intelligence. In Slovakia, the framework is complemented by the Cybersecurity Act and related regulations, but the healthcare sector is still awaiting more detailed sector-specific requirements. While laws state what is mandatory, technical standards (e.g., ISO/IEC 27000 and healthcare-specific ones) explain how to implement it in practice.
Healthcare specifics and what matters most today
In healthcare, a wide range of technologies is involved: diagnostic and imaging systems, therapeutic and monitoring devices, laboratory technologies, and hospital information systems. A breach of confidentiality is an intrusion into the patient's privacy and can lead to sanctions as well as criminal liability. Unavailability of a system slows diagnostics, interrupts treatment, and can directly endanger health. Loss of data integrity leads to incorrect results, wrong dosages, or a wrong diagnosis, and thus to unnecessary risk for the patient.
The current state of the sector shows that compliance with the requirements is rather weak, even though there is now more documentation, more security managers, and better network protection. Priorities should include risk management, business continuity (having a plan B), active monitoring, and mature vendor management. Measures need to combine technical, organizational, personnel, and physical elements, and be designed as preventive, detective, and corrective controls. Healthcare workers do not need to be cybersecurity specialists, but they should build their digital literacy and risk awareness, because the goal is resilience, not paper compliance.