New Initiative Targets Improved Cybersecurity for EU Health Sector
The European Commission has unveiled a comprehensive “action plan” aimed at reinforcing cybersecurity across healthcare institutions throughout the European Union. This initiative arrives in response to a sharp increase in cyberattacks targeting healthcare entities, which have now become the most frequently hit sector in Europe.
The action plan outlines the establishment of a “pan-European” cybersecurity support center, which will serve as a centralized repository for cybersecurity guidance and resources specifically tailored for healthcare professionals. This initiative is a direct attempt to mitigate the impact of disruptive ransomware attacks and to safeguard sensitive health data.
According to the Commission, 2023 saw a staggering 309 significant cybersecurity incidents reported by member states affecting healthcare—surpassing incidents across all other critical sectors. This new action plan marks the first sector-specific deployment of extensive EU cybersecurity measures, signifying a pivotal shift toward addressing the vulnerabilities inherent in the healthcare landscape.
To effectively implement the plan, the Commission will engage with member states and “relevant networks” to gather feedback on its proposals, with a goal of making recommendations by the fourth quarter of 2025. The rollout of the action plan is expected to occur gradually over the next two years, focusing on four key priorities.
Enhancing prevention efforts will involve providing organizations with guidance on essential cybersecurity practices, while member states will be encouraged to issue “cybersecurity vouchers” for small and medium-sized healthcare providers. Furthermore, the support center will work on creating an EU-wide early warning service that aims to alert hospitals and healthcare providers to potential cyber threats in near real-time by 2026.
To minimize the impact of cyberattacks, the plan includes a rapid response service for the healthcare sector. Developed under the EU Cybersecurity Reserve, this initiative offers detailed playbooks and guidance on how healthcare organizations can prepare for specific threats, including ransomware.
Moreover, the action plan emphasizes deterrence by advocating for the implementation of the “Cyber Diplomacy Toolbox,” which is designed to counteract malicious cyber activities targeting the EU healthcare sector. The Commission’s assertion that bolstering threat detection and response capabilities will enhance patient and provider security underlines the urgency of this initiative.
Furthermore, the Commission is urging member states to require healthcare entities subjected to the Network and Information Systems Directive 2 (NIS2) to report on ransom payments linked to significant incidents. The NIS2 Directive operates in conjunction with the recently enacted Cyber Resilience Act, creating a robust framework for cybersecurity requirements across the European Union.
The establishment of the new cybersecurity support center will be overseen by the European Union Agency for Cybersecurity (ENISA), which is also tasked with developing pertinent cybersecurity procurement guidelines for healthcare providers. This will address crucial considerations like the secure migration of electronic health data and the management of medical devices in increasingly digitized environments.
As the plan takes shape, EU member states are encouraged to enhance information sharing practices related to cyber incidents, fostering O2O (organization-to-organization) collaboration between public and private sectors. By promoting a robust network for shared threat intelligence, the initiative aims to bolster the collective security posture of the European healthcare landscape.
Errol Weiss, Chief Security Officer at the Health Information Sharing and Analysis Center in the U.S., highlighted that the timing of this initiative reflects widespread struggles within healthcare organizations to secure adequate funding for network protection. He emphasized the critical role of information sharing in safeguarding not just individual entities, but the resilience of the entire digital ecosystem.
The breadth of the action plan illustrates the ongoing efforts to address cybersecurity vulnerabilities in the healthcare sector, with a clear focus on collaboration, proactive measures, and comprehensive support to equip organizations against the evolving landscape of cyber threats.