Privacy-Preserving Cyber Threat Intelligence Sharing in Healthcare: Automated Anonymisation Under EU Regulations
DOI: https://doi.org/10.34190/eccws.25.1.4724
Keywords: Cyber Threat Intelligence, Healthcare Cybersecurity, Data Anonymisation, EU Cyber Resilience Act, Privacy and Data Utility, NIS2
Abstract
Healthcare organisations face increasing cyber threats, making cyber threat intelligence (CTI) sharing an essential component of resilience. CTI shared by hospitals often contains highly sensitive information such as patient identifiers, internal domains or IP addresses. When this information is shared without proper protection, it can allow for re-identification or system mapping, exposing healthcare organisations to additional cyber and privacy risks. Under the emerging EU Cyber Resilience Act, ensuring secure and privacy-preserving cyber threat intelligence exchange becomes critical, requiring tools and processes that safeguard personal and organisational data while maintaining the analytical utility needed for threat detection. This study provides a theoretical framework for evaluating automated anonymisation in the sharing of healthcare CTI. It explains how to use tools such as ARX and DAT to carry out privacy-preserving CTI exchange that is compliant with the EU Cyber Resilience Act (CRA) and the NIS2 Directive. The framework establishes evaluation criteria that balance anonymisation risk and analytical utility using synthetic CTI data (such as MISP feeds). The evaluation is intended to measure the efficiency of anonymisation using re-identification risk metrics and retained CTI utility (such as Indicator of Compromise (IOC) correlation). The proposed model follows European privacy and resilience rules and establishes the foundation for practical and compliant sharing of CTI in healthcare ecosystems.
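The risk/utility trade-off the abstract describes can be made concrete with a small added example; it is not code from the paper and does not use ARX or DAT. The event data, key, internal domain, function names and the two metrics (a leak rate and a retained-correlation ratio) are constructed, simplified assumptions standing in for the paper's re-identification risk and IOC-correlation criteria.

```python
import hashlib, hmac, ipaddress
from itertools import combinations

KEY = b"constructed-demo-key"           # assumption: secret held by the sharing organisation
INTERNAL_SUFFIX = ".hospital.example"   # assumption: constructed internal domain
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed synthetic MISP-style events: event id -> (attribute type, value) pairs.
EVENTS = {
    "e1": [("ip-dst", "203.0.113.7"), ("ip-src", "10.20.1.15"),
           ("hostname", "pacs01.hospital.example"), ("text", "patient-id:483920")],
    "e2": [("ip-dst", "203.0.113.7"), ("ip-src", "10.20.1.15"), ("sha256", "ab" * 32)],
    "e3": [("hostname", "pacs01.hospital.example"), ("sha256", "ab" * 32)],
    "e4": [("ip-dst", "198.51.100.9"), ("text", "patient-id:117204")],
}

def is_personal(value):
    return value.startswith("patient-id:")

def is_internal(atype, value):
    if atype.startswith("ip-"):
        return any(ipaddress.ip_address(value) in net for net in INTERNAL_NETS)
    return atype == "hostname" and value.endswith(INTERNAL_SUFFIX)

def pseudonym(value):
    # Keyed and deterministic: equal inputs map to equal tokens, so correlation survives.
    # Low-entropy inputs such as IPs are only protected while KEY stays secret.
    return "anon-" + hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def anonymise(events, pseudonymise=True):
    """Drop personal data; pseudonymise internal values, or suppress them if pseudonymise=False."""
    return {eid: [(t, pseudonym(v) if is_internal(t, v) else v) for t, v in attrs
                  if not is_personal(v) and (pseudonymise or not is_internal(t, v))]
            for eid, attrs in events.items()}

def correlated_pairs(events):
    values = {eid: {v for _, v in attrs} for eid, attrs in events.items()}
    return {(a, b) for a, b in combinations(sorted(values), 2) if values[a] & values[b]}

def leak_rate(original, shared):
    """Share of sensitive original values still readable in the shared feed."""
    sensitive = {v for attrs in original.values() for t, v in attrs
                 if is_personal(v) or is_internal(t, v)}
    return len(sensitive & {v for attrs in shared.values() for _, v in attrs}) / len(sensitive)

def retained_correlation(original, shared):
    """Share of event pairs linked by a common value that stay linked after anonymisation."""
    before = correlated_pairs(original)
    return len(before & correlated_pairs(shared)) / len(before)
```

On this constructed feed both modes remove every sensitive value, but keyed pseudonymisation keeps all three correlated event pairs while plain suppression keeps only two of them.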
License
Copyright (c) 2026 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.