The European Commission has presented a new action plan to enhance the cybersecurity of the healthcare sector amid a rise in ransomware attacks.
The plan aims to improve the security of hospitals and other digital providers by strengthening capacity to prevent and respond to cybersecurity incidents.
“As the sector undergoes a critical transformation it must address significant challenges such as securing electronic healthcare records and integrating AI into the healthcare workforce,” said Henna Virkkunen, commissioner for Tech Sovereignty, Security and Democracy, during the presentation of the plan.
The proposal is the first of a series of measures envisioned for the first 100 days of the new mandate and seeks to raise the healthcare sector’s awareness of cybercrime risks and provide on-the-ground solutions, Health Commissioner Oliver Várhelyi said.
“They (healthcare providers) need to invest as much in this as they do in equipment related to treatments to patients,” he added.
To this end, a new European Cybersecurity Support Centre for the healthcare sector, part of the EU Agency for Cybersecurity (ENISA), will lead the work and implement the proposed measures.
The plan is based on four priorities: prevention, detection, response and recovery, and deterrence.
In the next two years a new Health Cybersecurity Advisory Board will be established to offer help to healthcare providers seeking to avoid paying ransoms, and to set up rapid response services.
Healthcare comes under frequent cyberattacks, with most incidents involving ransomware because of the high sensitivity of the data.
During and following the COVID-19 pandemic there was an increase in cyberattacks on healthcare providers, as demonstrated by the European Union Agency for Cybersecurity’s (ENISA) first analysis of the cyber threat landscape for the health sector published last year.
The analysis showed that between January 2021 and March 2023, the EU health sector witnessed frequent cyberattacks, with 53% affecting healthcare providers and 42% hospitals.
“Digitalisation is only as strong as the trust it inspires,” said Virkkunen.
Building on existing tools
Shared health data, now regulated by the European Health Data Space (EHDS), will complement the cybersecurity action plan.
The plan expands on the existing legislative framework in the field of cybersecurity such as the NIS2 Directive, the Cybersecurity Act and the Medical Devices Regulation.
However, some of these instruments are facing challenges in implementation. NIS2, which aims to protect critical entities against major cyber incidents, has yet to be transposed by most member states, which missed the deadline of 17 October 2024.
Similarly, the Medical Devices Regulation, after repeated extensions of the transition period for certifying medical devices under the new rules, will most likely be revised this year.