News

European Commission sets action plan on cybersecurity for hospitals and healthcare providers

The European Commission has published an EU action plan developed to guide hospitals and healthcare providers in increasing their cyber security. Referring to the plan as “an important step in shielding the healthcare sector from cyber threats”, the commission focuses on enhancing threat detection, preparedness and response capabilities of hospitals and health providers.

Recognising “mounting threats” to hospitals and healthcare systems from cyber criminals, and particularly “ransomware gangs targeting them for financial gain, driven by the high value of patient data”, the plan notes the impact of digital transformation and new digital tools in expanding the potential targets for attacks. It adds that disruption to services caused by a cyber incident “can result in serious damage and harm to patients even in small-scale healthcare facilities”.

To put in place a “unified, strategic approach” to these challenges, and ensure hospitals and healthcare providers have the resources, expertise, and tools required to effectively tackle cyber threats, the commission calls upon the European Union Agency for Cybersecurity (ENISA) to establish a dedicated European Cybersecurity Support Centre “as part of its mandate to safeguard and support the EU’s critical infrastructure”. The Centre, according to the plan, would help outline available services for preparedness, detection and response, and offer a “user-friendly, easy-access repository of all available instruments at European, national and regional levels”.

“Simple actions” that hospitals and healthcare providers can take to help increase their protection against cyberattacks include keeping systems up to date, managing backups, implementing multi-factor authentication and reducing the reliance on “weak identification mechanisms, such as passwords”, the plan states. It points to the forthcoming European Digital Identity Wallets, which offer “a harmonised, EU-wide approach to electronic identification for healthcare professionals, providing a robust and unified solution as of end of 2026”. It adds “all online health information systems required to implement strong user authentication will be obliged to accept the wallet for identification purposes as of the end of 2027.”

The plan also highlights preparedness testing as “a cornerstone of effective cybersecurity”, sharing that the commission has allocated funding to ENISA to pilot preparedness initiatives, and is looking to the European Cybersecurity Support Centre to develop a tailored framework for cybersecurity maturity assessments “specific to healthcare”. It also proposes to “carry out an annual Health Cyber Maturity Assessment” to establish an overview of health sector cybersecurity maturity at national and EU levels. Given the reliance of the health sector on external contractors for cybersecurity, the commission aims to support member states in supplying cybersecurity vouchers to small and medium-sized hospitals and healthcare providers, offering financial assistance for cybersecurity measures.

New procurement guidelines covering recent trends including the move to cloud and practical tools to allow organisations to maintain visibility of their supply chains, as well as the creation of a European Health CISOs Network to share best practices on recruiting and retaining cybersecurity professionals, are other actions outlined in the plan. Targeted training and awareness for healthcare professionals “can significantly reduce risks”, it continues, and the support centre should work with member states to create online training modules and courses to address sector-specific issues such as patient data protection and medical device security.

Noting the importance of sharing information EU-wide to help prevent and detect cyberattacks, the plan encourages member states to share all reports of cyber incidents with the ENISA Support Centre “to allow for EU situational awareness”, with manufacturers also to be encouraged to report voluntarily via a single reporting platform run through ENISA. This would allow for the development of a “known exploited vulnerabilities” catalogue, the plan states, to address significant challenges in threat detection. The plan also recommends that the support centre introduce an EU-wide early warning subscription service for the health sector, delivering near-real-time alerts. This service would draw on processed data from CSIRTs, healthcare entities and manufacturers, Open-Source Intelligence (OSINT), and other relevant actors such as Cyber Hubs, Information Sharing and Analysis Centres (ISACs) and law enforcement authorities.

To read the European Commission’s action plan on cybersecurity in full, please click here.

Cyber security from across the NHS

We asked our LinkedIn audience what the biggest priority should be for health and care cyber security – board level buy-in, workforce education, funding and resources, or mandating supplier compliance? The top spot was an even split between funding and resources and mandating supplier compliance, with each option attracting 34 percent of the vote. Coming in second was workforce education with 26 percent of votes, whilst in last place was board level buy-in, which six percent of voters selected as a priority for health and care cyber security.

NHS England opened market engagement for an NHS Cyber Risk Rating Platform, designed to support NHS organisations to “better understand their security posture” and their management of threats that could impact on operations and organisational data.

Earlier this month, we shared Somerset ICS’s latest board papers, which highlighted key updates on their cyber security strategy, with the aim of fulfilling five objectives surrounding the reduction of cyber risks within digital healthcare. The strategy aims to ensure all organisations within the ICS are “compliant with the Network and Information Security Regulations by prioritising the protection of the operation of its essential healthcare functions”, while also trying to reduce the potential for any cyber-attacks. Five objectives are outlined in order to achieve this: developing and embedding a cyber aware culture; improving cyber risk visibility and management; building robust third-party assurance; prioritising collaboration; and ensuring ongoing resilience.

Join us on 26 February, 10:00 – 11:00, for a webinar looking at best practices for cybersecurity in healthcare. To learn more and register, please click here.