The European Commission has presented an action plan to improve the cyber security of hospitals and healthcare providers and create a safer and more secure environment for patients. The new action plan builds on existing legislation, such as that on cybersecurity, and extends the scope to general practices.
The new action plan should make hospitals and other healthcare facilities less likely to fall victim to hackers, data theft and other cyber threats. The need for this grows as the use of digital systems, such as the EHR, increases. By 2023, healthcare was the most threatened critical sector within the EU, with 309 significant cybersecurity incidents. More than half of those incidents (54%) appeared to involve ransomware attacks. Such threats can endanger not only patient care, but also lives.
Four-point action plan
The action plan now prepared by the European Commission describes four priorities: improving prevention to reduce cyber attacks and threats; improving the detection and identification of cyber threats; faster and better response to cyber threats to minimize their impact; and, finally, action by the EU to deter and thus stop cybercriminals.
Improved prevention. The plan helps healthcare facilities build capacity to prevent cybersecurity incidents through enhanced preparedness measures, such as guidance on implementing critical cybersecurity practices. In addition, member states may also introduce cybersecurity vouchers to provide financial assistance to micro, small and medium-sized hospitals and healthcare providers. Finally, the EU will also develop cybersecurity educational resources for healthcare professionals.
Better detection and identification of threats. To this end, the Cybersecurity Support Center for Hospitals and Healthcare Providers will develop an EU-wide early warning service by 2026 that will issue near-real-time alerts on potential cyber threats.
Response to cyber attacks to minimize impact. The plan proposes a rapid response service for the health sector under the EU Cybersecurity Reserve. The Reserve, established by the Cyber Solidarity Act, provides incident response services from trusted private service providers. As part of the plan, national cybersecurity exercises can be held and playbooks developed to help healthcare organizations respond to specific cybersecurity threats, including ransomware. Member states are encouraged to require entities to report ransomware payments, so that those entities receive the support they need and law enforcement can follow up.
Deterrence: Protect Europe's healthcare systems by deterring cyber threat actors from attacking them. This includes the use of the Cyber Diplomacy Toolbox, a joint EU diplomatic response to malicious cyber activities.
Substantial increase in cyber threats since 'Corona'
The number of cyber threats in healthcare increased sharply, in particular during and around the COVID-19 pandemic, when hospitals, general practitioners and other healthcare institutions were forced - and therefore often “rushed” - to implement more digital solutions in order to maintain some level of patient care.
That increase was also evident in the first analysis of the cyber threat landscape for the healthcare sector published by the European Union Agency for Cybersecurity (ENISA) in 2023. Between January 2021 and March 2023, the EU was hit by frequent cyber attacks. More than half of these (53%) affected healthcare providers, and 42% specifically targeted hospitals.
When the new EU Commission took office in 2024, it was already announced that the commission intended to tighten the mandate for healthcare cybersecurity. A day after announcing that ambition, the world was hit by the “CrowdStrike IT outage”. This also affected many healthcare institutions, further underscoring the need for the action plan now presented.