European Commission Unveils Action Plan to Strengthen Healthcare Cybersecurity


Published: 27 Jan 2025

Author: Precedence Research


The European Commission has set out an action plan to better secure hospitals and other healthcare providers against the rising threat of cyberattacks and to raise the level of cybersecurity across the healthcare sector. The plan also provides for a dedicated centre within the EU Cybersecurity Agency, ENISA, to support the healthcare sector against cyberattacks. According to Commissioner for Health and Animal Welfare Olivér Várhelyi, the challenge is urgent: one in two hospitals in Europe has been the victim of a cyberattack. ENISA's own data show how exposed the sector is: between January 2021 and March 2023, ransomware accounted for about 54% of recorded cyber threats against the health sector, and hospitals were the target in 42% of incidents. The plan sets out specific cybersecurity goals to counter the threat posed by such ransomware attacks.


Key Components of the Action Plan

The plan foresees a European Cybersecurity Support Centre for hospitals and healthcare providers within ENISA, to help healthcare organisations build robust defences against cyber threats. Health professionals are to receive specialised cybersecurity training, and an EU-wide early warning and threat alert service for the sector is to be operational by 2026. Building on the EU Cybersecurity Reserve established by the Cyber Solidarity Act (CSA), the plan proposes a dedicated response mechanism to help EU countries respond effectively to major cyber incidents affecting healthcare. No new dedicated funding accompanies the plan; instead, the Commission calls on member states to close this gap with Cybersecurity Vouchers, modelled on innovation vouchers for SMEs, to support small healthcare organisations in strengthening their cybersecurity. The plan also foresees using the Cyber Diplomacy Toolbox against malicious cyber activity, and it calls for the reporting of ransom payments made by healthcare organisations. The latter point remains contentious, since institutions that have paid ransoms to regain control of their systems have typically done so without disclosing it.

Existing EU Cyber Regulations

The Commission has opened a public consultation on the action plan for strengthening cybersecurity in the healthcare sector. The plan builds on existing legislation. The NIS2 Directive, which imposes harmonised cybersecurity requirements on essential and important entities, including healthcare providers, has been transposed late in several member states. The Cyber Resilience Act (CRA) sets cybersecurity requirements for products with digital elements, including their software components. The consultation will involve healthcare organisations, cybersecurity experts, and the EU member states. The healthcare sector is exposed because of low cyber preparedness: hospital administrators tend to spend more on medical equipment than on IT systems and cybersecurity. Because disruption of care is so costly, the sector is also high-risk, which makes it a preferred target for cybercriminals. The initiative aims to coordinate training and resource allocation to address these challenges.

Presentation of the Action Plan

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, and Commissioner Olivér Várhelyi presented the initiative to protect Europe's healthcare systems from cyber threats. The Commission's action plan, which combines a dedicated Cybersecurity Support Centre, enhanced training, and existing EU mechanisms, aims to create a more secure environment for healthcare organisations. Two challenges remain: funding and implementation. Nonetheless, the initiative reflects the commitment of the EU and the Commission to the healthcare infrastructure and the millions of patients who rely on it.
