The European Commission has unveiled an extensive plan to bolster the cybersecurity defenses of hospitals and healthcare providers throughout the EU. In response to the escalating frequency of cyberattacks targeting healthcare systems, the EU Action Plan sets out to safeguard patient care, enhance response capabilities, and instill trust in digital healthcare solutions.
The healthcare industry has experienced a surge in cyberattacks in recent times, with EU Member States reporting 309 significant cybersecurity incidents directed at healthcare providers in 2023 alone—more than any other critical sector. These disruptions underscore the urgent need for robust cybersecurity strategies to prevent delays in medical procedures and protect lives.
The EU Action Plan addresses cybersecurity challenges in the healthcare sector through a four-pronged approach: prevention, detection, response, and deterrence.
Enhanced Prevention measures under the plan include guidance on critical cybersecurity practices tailored for hospitals and healthcare providers, financial assistance in the form of cybersecurity vouchers for micro, small, and medium-sized healthcare providers, and the development of new educational tools and training programs to equip healthcare professionals with the necessary knowledge to navigate cybersecurity challenges.
Improved Threat Detection is another key focus of the EU Action Plan, which proposes the establishment of a Cybersecurity Support Centre for Hospitals and Healthcare Providers under the guidance of ENISA. By 2026, this Centre will provide an EU-wide early warning system, offering near-real-time alerts about potential cyber threats.
Effective Response to Cyberattacks includes the implementation of a rapid response service under the EU Cybersecurity Reserve, the development of response playbooks to guide healthcare organizations in handling specific threats such as ransomware, national cybersecurity exercises to strengthen incident response capabilities across Member States, and encouragement of Member States to mandate the reporting of ransom payments.
In terms of Deterrence, the plan involves leveraging the Cyber Diplomacy Toolbox to discourage cyberattacks on European healthcare systems, thus holding cyber threat actors accountable and safeguarding critical healthcare infrastructure.
The success of the EU Action Plan hinges on collaboration among healthcare providers, Member States, and the cybersecurity community. To ensure effectiveness and address the needs of all stakeholders, the Commission will soon launch a public consultation open to citizens and industry experts, with specific actions scheduled for rollout in 2025 and 2026.
Building on existing EU legislation, the EU Action Plan aims to strengthen cyber resilience in the healthcare sector by identifying healthcare providers as a sector of high criticality under the NIS2 Directive and integrating with the Cyber Resilience Act and the Cyber Emergency Mechanism under the Cyber Solidarity Act to detect, prepare for, and respond to cybersecurity threats.
The initiative aligns with the broader objective of creating a European Health Data Space, empowering citizens with control over their health data while ensuring its security.
Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security, and Democracy, emphasized the importance of resilience in healthcare systems, highlighting the need for prevention, detection, and rapid response to cyber incidents.
Olivér Várhelyi, Commissioner for Health and Animal Welfare, emphasized the significance of trust in digital healthcare, underlining the importance of securing sensitive information to inspire trust among patients and healthcare professionals.
The EU Action Plan signals the Commission’s commitment to establishing a secure and resilient healthcare sector. By addressing cybersecurity challenges comprehensively, the plan lays the foundation for a safer healthcare environment where technology empowers patients, enhances care, and supports professionals.
As the healthcare sector continues its digital transformation, the EU remains dedicated to protecting its citizens and critical infrastructure from evolving cyber threats.