CYBER RISK MANAGEMENT IN THE BUSINESS STRATEGIES OF HEALTHCARE INSTITUTIONS AND COMPLIANCE WITH DIGITAL PATIENTS' RIGHTS: EU EXPERIENCE AND PROPOSALS FOR UKRAINE IN WARTIME


Published: Mar 13, 2025

Oleh Zaiarnyi

Abstract

The article examines cyber risk management in the business strategies of healthcare institutions operating in the European Union, with the aim of ensuring the digital protection of patients and reducing potential economic losses. The relevance of the study stems from the rapid development of digital technologies in the healthcare sector and the increasing incidence of cyber threats that compromise the confidentiality of patient data, disrupt the operations of healthcare institutions and pose significant economic risks. The purpose of the article is to study existing approaches to cyber risk management in the business strategies of healthcare institutions, in order to reduce economic losses and ensure compliance with patients' digital rights, and on this basis to formulate proposals for improving Ukrainian legislation and medical practice that take into account the challenges of war. The research methods employed encompass the dialectical method; analysis and synthesis to examine the interrelationships between cyber threats and patients' digital rights; statistical analysis to evaluate the prevalence of cyber threats within the European Union; modelling to formulate recommendations; and a comparative legal approach to identify common and distinct approaches in European Union and Ukrainian legislation concerning the regulation of cyber security in healthcare facilities. The study's primary findings indicate that the most prevalent cyber threats within the digital healthcare sector are phishing attacks, malware, disruptions to artificial intelligence algorithms, and insider threats. The European Union has adopted contemporary methodologies in the realm of cyber security, underpinned by the principles of secure design of information systems and data protection in accordance with the rule of secure processing.

At the same time, as the article demonstrates, it is necessary to improve the legislation of Ukraine, in particular by introducing provisions on the processing of medical data in accordance with the principles of the GDPR, and by strengthening the influence of international ISO standards on the business strategies of healthcare institutions for managing cyber risks and overcoming the consequences of their manifestation. A number of recommendations for Ukraine are proposed, namely: ensuring the cyber hygiene of medical personnel, integrating data encryption and cyber incident response plans, using artificial intelligence technologies to monitor risks, and adapting European experience to Ukrainian realities. The conclusions emphasise the necessity of implementing the most effective European practices in cyber risk management within the business strategies of medical institutions in Ukraine. This approach is expected to enhance the level of cyber security, mitigate the risks of violating patients' digital rights, and ensure the economic sustainability of healthcare facilities in the context of the ongoing war against Ukraine.

How to Cite

Zaiarnyi, O. (2025). CYBER RISK MANAGEMENT IN THE BUSINESS STRATEGIES OF HEALTHCARE INSTITUTIONS AND COMPLIANCE WITH DIGITAL PATIENTS’ RIGHTS: EU EXPERIENCE AND PROPOSALS FOR UKRAINE IN WARTIME. Baltic Journal of Economic Studies, 11(1), 95-103. https://doi.org/10.30525/2256-0742/2025-11-1-95-103

Keywords

business strategy of a healthcare institution, challenges of the war against Ukraine, European Union, economic security, healthcare institution, cyber risks, patients' digital rights
