Digital Health Legal
Back to Contents

Volume: 5 Issue: 2
(February 2018)

cyber attack hits norwegian health services sykehuspartner parent company health south east rhf healthcare organisation manages hospitals south-east region norway


Share This Page

Cyber attack hits Norwegian health services

Sykehuspartner, the parent company of Health South East RHF, a healthcare organisation that manages hospitals in the South-East region of Norway, announced on the 15 January 2018 that it had been subject to a cyber attack on 8 January 2018. At the time of publication, the Police Security Service (‘PST’), who are investigating the attack, have not determined the extent of the attack or the damage caused with any certainty. Sykehuspartner has stated that “it is a very serious situation,” but so far there is no evidence to suggest that the cyber attack has had direct consequences for patient treatment, patient safety or patient data, but such outcomes cannot be excluded.

“Not many details are clear at this point other than that the PST started their investigation on 14 January,” said Arve Føyen, Partner at Advokatfirmaet Føyen Torkildsen AS. “They suspect that the attack was orchestrated by a foreign state and it is being regarded as a potential violation of Section 121 of the Penal Code as espionage directed at state secrets. So far, the response of the affected healthcare services seems to be adequate, since they immediately seem to have involved the police and taken precautions. At this stage the incident does not seem likely to damage public trust, but much will depend on the further development of the case.”

Due to the impending implementation of the General Data Protection Regulation (‘GDPR’), which requires notification to the affected individuals of a breach of their personal data within 72 hours, some commentators have scrutinised the period of time taken before the cyber attack was announced to the public. “Data security is considered a priority in Norwegian healthcare services, and there are already extensive regulations in place,” comments Føyen. “Following a heated discussion in the summer of 2017 regarding the outsourcing of IT services by Health South East RHF and Sykehuspartner, there has been an increased focus on compliance with data protection legislation. This will of course be strengthened with the incoming implementation of the GDPR on 25 May this year.”

Sykehuspartner stated in its press release that the response to the attack had been in accordance with established emergency preparedness routines, that a number of measures have been implemented to remove the threat, and further measures will be implemented in the future. The Norwegian National Security Authority (‘NSM’) in its statement on the matter published on 15 January 2018, sought to assure the Norwegian public that the cyber attack is being taken seriously. “We have invested considerable resources to assist the health authorities and handle the situation,” stated Kjetil Nilsen, Director of the NSM, in the press release. Nilsen also stressed that for the sake of incident management, further details on the attack could not be discussed at that time.

“Cyber attacks in general are increasing in number and severity in Norway, in line with what is happening in the rest of Western Europe,” concludes Føyen. “Last year the number of attacks increased by about 10%. The ongoing investigations into this particular cyber attack will give us the answer as to whether the health services are adequately prepared. I do not think this will impact the digitisation of healthcare services in Norway, apart from putting an even greater focus on security and the protection of information systems.”

Search Publication Archives

Our publication archives contain all of our articles.
Can’t find what you are looking for?
Try an Advanced Search

Log in to digital health legal
Subscribe to digital health legal
Register for a Free Trial to digital health legal
digital health legal Pricing

Social Media

Follow digital health legal on TwitterView digital health legal LinkedIn Profiledigital health legal RSS Feed