Estonia's family medicine centers struggle to meet cybersecurity standards

State's Information System Authority (RIA). Source: Nelli Pello/RIA

A quarter of Estonia's family medical centers are experiencing cyberattacks and many more facilities are struggling to comply with the state's new cybersecurity requirements. So far, no funding has been allocated to the cause.

Cybersecurity checks by the Information System Authority (RIA) have left doctors with the impression they are more interested in sticks than carrots, said Reet Laidoja, a member of the board of the Society of Family Physicians (Eesti perearstide selts).

"A situation has emerged where GPs fear scrutiny more than cyber[attacks]. We actually want to be law-abiding, we want to be in control of our cyber affairs and we want our data to be protected, but we can't manage that at the moment. And then if we ask for help we get threatening letters, we get a procedural document with some kind of generic text that already contains the threat of very heavy fines," she told Monday's "Aktuaalne kaamera".

Ilmar Toom, head of RIA's supervision department, said two out of 27 centers have passed inspections so far without needing to fulfill additional requirements. He would not say how many flaws were found, but said he did not agree with Laidoja's description of the agency.

"This is definitely not true. RIA has done quite a lot on its own. It has done free training and information days for GPs and more broadly. There have also been a few individual consultations and advice sessions," Toom said.

Family doctors are hoping for more help with data protection from the Health Insurance Fund, as implementing more than 200 cybersecurity measures is resource-intensive. Centers with 10 or more members also need to be audited.

Additional support depends on RIA's results, said Karl-Henrik Peterson, a member of the Health Insurance Fund's board.

"For RIA inspections, we have an agreement that we will know the results at the end of the year. On this basis, we can analyze, together with family doctors, what changes need to be made and then take action," said Peterson.

Estonia's data protection legislation is based on the European Union's 2016 directive. It came into law for family doctors on January 1, 2022.

Until now, centers have only needed to have basic security measures in place, but this became more complicated after January 1, 2023, when a new information security standard was introduced in Estonia.

The transition deadline ended on July 1.

More than 900 family doctors work in Estonia.



Editor: Helen Wright
