Specialists warn of system fragmentation, lack of awareness and the rise of connected devices as major threats to data protection and patient safety
The accelerated digitization of the health and biotechnology sector has multiplied vulnerabilities to cyber attacks. The growing interconnection of devices, the absence of governance structures, widespread ignorance of good security practices and the perception of cybersecurity as an exclusively technical issue constitute a risk scenario that directly affects the quality of care and the integrity of clinical data.
This was one of the main conclusions of the I Conference on Cybersecurity in the Health and Biotechnology Sector, organized jointly by the INCIBE-UPV Chair of Cybersecurity and the University of Valencia Science Park Foundation (FPCUV). The meeting was held on 4 July at the Marie Curie auditorium of the University of Valencia Science Park, within the framework of the Cybersecurity Chairs program in Spain, promoted by the National Institute of Cybersecurity (INCIBE) with funding from European Next Generation-EU funds through the Recovery, Transformation and Resilience Plan.
Watch again the session "I Conference on Cybersecurity in the Health and Biotechnology Sector", which we hosted on 4 July at the PCUV
A shared responsibility beyond technology
In the institutional opening, the director of the Science Park, Pedro Carrasco, noted that "cybersecurity is no longer a technological option, but a shared responsibility that crosses the organizational, ethical and strategic". He championed the key role of cooperation between administrations, research centres, hospitals, start-ups, technology organisations and universities. He also announced that the PCUV is already working on the first call of IAtecUV, an incubator specialized in artificial intelligence, and invited the participating entities to join the project.
Pedro Carrasco, director of the UV Science Park, at the opening of the 1st Conference on Cybersecurity in the Health and Biotechnology sector. Photo: FPCUV
The director of the INCIBE-UPV Chair, Santiago Escobar, reviewed the pillars that structure the chair and focused on the need for cross-cutting involvement in health environments: "Cyber security goes with people, but technology generates new risk situations. We are only seeing the tip of the iceberg; organizations in the health and biotechnology sector must invest more and adopt a preventive culture". Escobar warned about the dangers of assuming that digital security is the sole responsibility of the systems area, when in reality it is a risk shared by the entire organization.
Structural gaps and regulation as a maturity tool
The first round table, entitled "Frameworks and good cybersecurity practices applied to the health and biotech sector", was attended by professionals from Mobiliza Consulting, ISACA Valencia, UPV, Kiwa, Qualliance, S2 Group and the Chair itself. Common shortcomings were identified throughout the discussion, such as fragmentation of security by department, lack of overview and poor training of staff in basic protocols.
María José González, managing partner at Qualliance, stressed that many of the incidents originate from human errors and a weak organizational culture around digital security. Fernando Seco, director of the Security Governance Division at S2 Group, warned of the lack of governance and planning structures from the management teams, which prevents the deployment of sustained protection strategies, and stressed that liability in this area may even have legal implications.
First panel discussion entitled "Cybersecurity frameworks and good practices applied to the health and biotech sector". Photo: FPCUV
In this context, regulatory frameworks such as the ENS, the ISO 27001 standard or the NIS2 directive were highlighted as useful tools for ordering and improving systems. According to Francisco Javier Peiró, auditor at Kiwa, these frameworks "do not bring anything radically new, but they make it possible to normalize processes and reinforce operational maturity". He also insisted that certification is not mandatory but recommended, and that continuity plans should be tested in real scenarios. "They often fail because they have never been tested," he said.
Jorge Edo, director of Mobiliza Consulting and responsible for certifications at ISACA Valencia, was forceful: "Good security in information systems is also good security for the patient. Just as we control the doses of a drug, we must ensure that their clinical data is protected. A leak may have fatal consequences".
Real cases and solutions from the field
The second round table, focused on "Business experiences in the health and biotech sector", brought together representatives from the Institute of Corpuscular Physics (IFIC), Dawako, Francesc de Borja Hospital, NTT DATA, ADM Biopolis and the Valencian Institute of Oncology Foundation (IVO). The contributions focused on how cybersecurity policies are implemented in organizations with very different realities, and which strategies work to involve all teams.
Albert Martínez, head of the IT Service at Francesc de Borja Hospital, explained that one of the main challenges of the health system has been adapting to new technologies due to lack of investment. He detailed that his team maintains direct contact with clinical services to anticipate problems and that the peninsular blackout of April 28 was a real test of resilience for their systems. "Internal mechanisms worked, but common applications to other centres failed. We are still far from the level that we want to reach," he said.
From the IVO Foundation, Fernando Zapatero shared that their infrastructure avoids the use of cloud storage and that they have developed an architecture that could operate even without an internet connection, including in-house power supply systems and processing centres protected from flooding, such as the floods experienced during the October DANA.
Second panel discussion "Business experiences in the health and biotech sector". Photo: FPCUV
Kiko Albiol, IFIC researcher, explained how his team works on the design and testing of software for clinical devices, especially those based on artificial intelligence. Although they collaborate with health facilities, he noted that data governance remains a major obstacle to reaching agreements with hospitals.
From the business sector, Javier Navarro, OT manager at ADM Biopolis, described a multi-layer approach to protection, with up to three network levels to protect highly sensitive industrial environments, such as those managing unique bacterial strains in probiotic development. Marta Ruiz Server, of NTT DATA, explained the company's internal training system, based on gamified, mandatory courses every three months, which seek to involve staff without resorting to long or bureaucratic formats.
Lucas Sanjuan, responsible for quality and regulation at Dawako, stressed the need to adapt safety practices to international requirements: "If we had not made a rapid adaptation, we would not have been able to approach the US market. There are very diverse and more flexible safety cultures in Europe, so it is essential to know the regulatory environment of each country".
Closing the gap between security and people
The day ended with closing remarks by Silvia Rueda, second vice president of the College of Computer Engineering of the Valencian Community, who appealed to the scientific and technological community to promote realistic solutions, with empathy and a human focus. "Security is also about people and the planet. We need awareness, but also commitment to integrate these practices into everyday life", she concluded.
Silvia Rueda, second vice president of the College of Computer Engineering of the Valencian Community, in charge of closing the I Conference on Cybersecurity in the Health and Biotechnology Sector. Photo: FPCUV
Thanks to:
https://valencianews.es/tendencias/el-sector-salud-y-biotecnologia-en-alerta-por-falta-de-concienciacion-en-ciberseguridad/
https://fotos.europapress.es/fotonoticia/f6850768
https://www.valenciaextra.com/societat/incibe-posa-focus-en-ciberseguretat-sector-salut-repte-urgent-compartit_574757_102.html
https://www.thesmartcityjournal.com/es/eventos/jornada-de-la-catedra-de-ciberseguridad-incibe-upv-y-la-fundacio-parc-cientific-uv-apunta-a-la-falta-de-concienciacion-y-dispositivos-conectados-como-brechas-de-seguridad-en-el-sector-salud
https://valenciaplaza.com/valenciaplaza/tierra-de-empresas/una-jornada-de-la-catedra-de-ciberseguridad-incibe-upv-y-la-fundacio-parc-cientific-uv-apunta-a-la-falta-de-concienciacion-y-dispositivos-conectados-como-brechas-de-seguridad-en-el-sector-salud
https://incibeupv.webs.upv.es/la-catedra-de-ciberseguridad-incibe-upv-junto-a-la-fundacio-parc-cientific-uv-organizan-una-jornada-sobre-ciberseguridad-en-el-sector-salud-y-biotecnologia/
https://incibeupv.webs.upv.es/una-jornada-de-la-catedra-de-ciberseguridad-incibe-upv-y-la-fpcuv-apunta-a-la-falta-de-concienciacion-y-dispositivos-conectados-como-brechas-de-seguridad-en-el-sector-salud/