The European Commission proposes an EU-wide action plan to protect the healthcare sector.
Part of this plan is to create a dedicated center within the EU cybersecurity agency ENISA to protect healthcare organizations from cyber threats.
According to Commissioner for Health and Food Safety Oliver Várhelyi, one in two hospitals in Europe is a victim of a cyber attack. Commission President Ursula von der Leyen promised to address this problem within 100 days of her second term.
Impact of ransomware
The plan announced Wednesday seeks to address several cyber problems affecting the health sector. Many of these problems are exacerbated by the high risk posed by ransomware, since refusing to pay can be life-threatening.
The plan provides for the creation of a Cybersecurity Support Center within ENISA. This will provide health organizations with tailored essential cybersecurity support.
It also provides for cybersecurity training for health professionals. By 2026, an EU-wide threat detection and alert service should be available.
No additional funding
Although the new plan places more responsibility on ENISA, no additional funding is planned. The action plan also envisages the creation of a specific healthcare response mechanism within the EU Cybersecurity Reserve, part of the Cyber Solidarity Act (CSA). This reserve supports EU countries in responding to large-scale cyber incidents with technical assistance, coordination and financial resources.
Furthermore, the Commission plans to use the Cyber Diplomacy Toolbox, an EU coordination mechanism for diplomatic statements and sanctions, to deter harmful cyber activities. This would also benefit the health sector.
Regarding funding, the Commission asks EU countries to contribute and recommends the development of Cybersecurity Vouchers. These vouchers would support small healthcare organizations in increasing their cybersecurity spending. This concept is similar to innovation vouchers that have previously supported funding for SMEs.
Report ransom payment
The Commission also encouraged countries to require healthcare organizations to report ransom payments. However, this is a complex issue: national governments often instruct public institutions not to pay ransoms, but many do so anyway to regain control of their systems, and a payment made against that instruction is less likely to be reported.
Although healthcare is bound by EU cyber regulations, including the NIS2 Directive, which sets cybersecurity and reporting standards for major and critical entities, that directive is being transposed late in most EU member states.
The Cyber Resilience Act (CRA), the EU regulation covering the security of products, including software components, also applies to the health sector.
The Commission is expected to launch a public consultation on the action plan, which should result in a non-binding recommendation by the end of 2025.
Favored target for cybercriminals
Healthcare is one of the most affected sectors because of its high risk.
According to the latest ENISA data, nearly 54% of attacks on the healthcare sector between January 2021 and March 2023 were ransomware, with hospitals targeted in 42% of cases.
Healthcare facilities tend to be less cyber-ready than other sectors. Executives often prioritize medical equipment over IT systems and cyber protection. Moreover, attracting cybersecurity professionals is a challenge for the sector, as the private sector offers more attractive opportunities.
The action plan was presented by Executive Vice President in charge of technology sovereignty Henna Virkkunen and Várhelyi.