With health systems increasingly subject to cybersecurity incidents, the EU Commission presented an EU action plan Wednesday to bolster the cybersecurity of hospitals and healthcare providers.
The initiative aims to create a safer, more secure environment for patients and health professionals by enhancing threat detection, preparedness and response capabilities of hospitals and health providers.
EU Member States reported 309 significant cybersecurity incidents affecting the healthcare sector in 2023 – more than in any other critical sector. Digitalisation has enabled better services for patients through innovations such as electronic health records, telemedicine, and AI-driven diagnostics. But cyberattacks can delay medical procedures, create gridlocks in emergency rooms, and disrupt vital services, which, in severe cases, could have a direct impact on the lives of Europeans.
The action plan proposes the establishment of a pan-European Cybersecurity Support Centre for hospitals and healthcare providers, providing them with tailored guidance, tools, services, and training. There are four priorities:
- Enhanced preparedness measures such as guidance on implementing critical cybersecurity practices. EU states may also introduce Cybersecurity Vouchers to provide financial assistance to micro, small, and medium-sized hospitals and healthcare providers. Cybersecurity learning resources will be developed for healthcare professionals.
- The Cybersecurity Support Centre for hospitals and healthcare providers will develop an EU-wide early warning service, delivering near-real-time alerts on potential cyber threats, by 2026.
- The plan proposes a rapid response service for the health sector under the EU Cybersecurity Reserve, which provides incident response services from trusted private service providers. As part of the plan, national cybersecurity exercises can take place along with the development of playbooks to guide healthcare organisations in responding to specific cybersecurity threats, including ransomware. Member States are encouraged to request reporting of ransom payments from entities, so that they can provide them with the support they need and allow follow-up by law enforcement authorities.
- Protecting European healthcare systems by deterring cyber threat actors from attacking them. This includes the use of a Cyber Diplomacy Toolbox, a joint EU diplomatic response to malicious cyber activities.
The Action Plan will be implemented hand in hand with healthcare providers, Member States, and the cybersecurity community. To further refine the most impactful actions so that patients and healthcare providers can benefit from them, the Commission says it will soon launch a public consultation on this plan, open to all citizens and stakeholders.
Action plan on the cybersecurity of hospitals and healthcare providers