Brussels, 15 January 2024
Today, the EU Commission presented an EU action plan aimed at bolstering the cybersecurity of hospitals and healthcare providers. This Action Plan was announced in President von der Leyen’s political guidelines as a key priority within the first 100 days of the new mandate.
The initiative is an important step in shielding the healthcare sector from cyber threats. By enhancing threat detection, preparedness and response capabilities of hospitals and health providers, it will create a safer and more secure environment for patients and health professionals.
Digitalisation is bringing a revolution to healthcare, enabling better services to the patients through innovations such as electronic health records, telemedicine, and AI-driven diagnostics. However, cyberattacks can delay medical procedures, create gridlocks in emergency rooms, and disrupt vital services which, in severe cases, could have a direct impact on the lives of Europeans. Member States reported 309 significant cybersecurity incidents affecting the healthcare sector in 2023 – more than in any other critical sector.
The action plan proposes, among others, for ENISA, the EU agency for cybersecurity, to establish a pan-European Cybersecurity Support Centre for hospitals and healthcare providers, providing them with tailored guidance, tools, services, and training. The initiative builds on the broader EU framework to strengthen cybersecurity across critical infrastructure and marks the first sector-specific initiative to deploy the full range of EU cybersecurity measures. In a nutshell, the action plan focuses on four priorities:
- Enhanced Prevention. The plan helps to build the healthcare sector’s capacities to prevent cybersecurity incidents through enhanced preparedness measures such as guidance on implementing critical cybersecurity practices. Secondly, the Member States may also introduce Cybersecurity Vouchers to provide financial assistance to micro, small, and medium-sized hospitals and healthcare providers. Finally, the EU will also develop cybersecurity learning resources for healthcare professionals.
- Better detection and identification of threats. The Cybersecurity Support Centre for hospitals and healthcare providers will develop an EU-wide early warning service, delivering near-real-time alerts on potential cyber threats, by 2026.
- Response to Cyberattacks to minimise impact. The plan proposes a rapid response service for the health sector under the EU Cybersecurity Reserve. Established in the Cyber Solidarity Act, the Reserve provides incident response services from trusted private service providers. As part of the plan, national cybersecurity exercises can take place along with the development of playbooks to guide healthcare organisations to respond to specific cybersecurity threats, including ransomware. Member States are encouraged to request reporting of ransom payments from entities, to be able to provide them the support they need and allow follow-up by law enforcement authorities.
- Deterrence: Protecting European healthcare systems by deterring cyber threat actors from attacking them. This includes the use of the Cyber Diplomacy Toolbox, a joint EU diplomatic response to malicious cyber activities.
The Action Plan will be implemented hand in hand with healthcare providers, Member States, and the cybersecurity community. To further refine the most impactful actions so that patients and healthcare providers can benefit from them, the Commission will soon launch a public consultation on this plan, open to all citizens and stakeholders.
Next Steps
The action plan is the start of a process to improve cybersecurity in the healthcare sector. Specific actions will be rolled out progressively in 2025 and 2026. The results of the consultation will feed into further recommendations by the end of the year.
Background
The EU works on various fronts to promote cyber resilience and protect its citizens and businesses from cyber threats in an increasingly digital and connected Europe. This action plan responds to the urgency of the situation and the unique threats facing the sector. It builds on the existing legislative framework in the field of cybersecurity. Hospitals and other healthcare providers are established as a sector of high criticality under the NIS2 Directive. The NIS2 cybersecurity framework works hand in hand with the Cyber Resilience Act, the first-ever EU legislation placing mandatory cybersecurity requirements for products that include digital elements, which entered into force on 10 December 2024. The Commission has also put in place a Cyber Emergency Mechanism under the Cyber Solidarity Act which reinforces the EU’s solidarity and coordinated actions to detect, prepare and effectively respond to growing cybersecurity threats and incidents. Ensuring a resilient and secure digital infrastructure is essential for the full deployment of the European Health Data Space which will place citizens at the centre of their healthcare, granting them full control over their data.
More Information
- Action plan on the cybersecurity of hospitals and healthcare providers
- Questions and answers
- Factsheet
Source – EU Commission
EU Commission Q&A on cybersecurity of hospitals and healthcare providers
Brussels, 15 January 2025
Why has the European Commission proposed an Action Plan on cybersecurity in healthcare?
Cyber threats to healthcare systems are increasing, both in frequency and sophistication. Hospitals and healthcare providers, which are critical infrastructures of our health systems, are particularly vulnerable to cyberattacks, such as ransomware or data breaches. These incidents can disrupt vital medical services and compromise patients’ safety and their data.
The Commission is acting with urgency to address these challenges, ensuring that the digital transformation of healthcare is both secure and trustworthy.
How does the Action Plan foster trust among patients and health professionals?
Trust is a cornerstone of digital healthcare. By ensuring that systems are secure and resilient, the Action Plan reassures patients that their data is safe and their care will not be disrupted.
For health professionals, the plan provides tools and training to help them navigate digital platforms confidently. This dual approach — protecting both patients and professionals — creates a healthcare environment where digital tools are embraced and trusted.
How does this Action Plan complement existing EU legislation, such as the NIS2 Directive?
The Action Plan builds on the existing legislative framework in the field of cybersecurity – in particular the NIS2 Directive, the Cyber Solidarity Act (including the Cybersecurity Emergency Mechanism), the Cybersecurity Act (including the European cybersecurity certification), the Medical Devices Regulation and the Cyber Resilience Act. These provide a high common level of cybersecurity across the EU.
The NIS2 Directive, which sets out obligations for critical sectors including healthcare, expands the scope of cybersecurity requirements to essential services covering EU reference laboratories, entities conducting research and development activities for medicinal products, manufacturers of basic pharmaceutical products and preparations (including vaccines), and manufacturers of medical devices considered critical during a public health emergency.
On the Action Plan’s side, the focus is specifically on the unique vulnerabilities and needs of hospitals and healthcare sites.
The Action Plan is first and foremost about supporting the sector to take the basic cybersecurity measures that we know will shift the odds of a cyber incident. It ensures that healthcare systems are equipped to handle the specific risks they face. It pays particular attention to capacity building, investments and to helping hospitals and healthcare providers take the necessary cybersecurity preparedness measures. It also establishes ways to help such entities if an incident strikes, to make sure that response and recovery are as swift and efficient as possible, so normal operations can be reinstated quickly.
What will be the role of the new European Cybersecurity Support Centre for hospitals and healthcare providers?
The Action Plan proposes, among others, to establish a pan-European Cybersecurity Support Centre for hospitals and healthcare providers to provide them with tailored guidance, tools and services. ENISA, the EU agency for Cybersecurity, will establish the Centre within its own structures. It will ensure the implementation of the Action Plan in a coherent and streamlined manner, while avoiding the creation of new administrative structures.
The Support Centre will develop a comprehensive service catalogue of concrete solutions that strengthen the cybersecurity of the sector. It will work with Member States and draw from practical experiences of healthcare organisations.
How does this Action Plan support the European Health Data Space?
The European Health Data Space (EHDS) is the EU’s flagship project to digitalise healthcare, which establishes clear rules for the use of health data for better healthcare delivery, research, innovation, and policymaking.
Resilient and secure infrastructure is essential for the implementation of the EHDS. This Action Plan sets out concrete actions for securing data processing in hospitals and healthcare providers, which act as both providers and users of health data in the EHDS.
In addition to this Action Plan and the cybersecurity legislation, the forthcoming EHDS Regulation also provides specific safeguards for the processing of personal health data. For example, it contains safeguards in relation to log-in and identification management in electronic health record systems or the reuse of data in secure processing environments.
How will the Action Plan ensure that patient care is not disrupted by cyber incidents?
One of the core pillars of the Action Plan is rapid response and recovery.
This includes:
- Developing a ransomware recovery subscription service and expanding the repository of available ransomware decryption tools.
- Encouraging hospitals to adopt robust backup systems to protect critical data.
- Enhancing crisis response capabilities through training and cooperation at the EU level.
These measures aim to minimise the impact of cyber incidents on healthcare services, ensuring that patients receive uninterrupted care.
What role do Member States play in the implementation of this Action Plan?
Member States will play a critical role in implementing the Action Plan by:
- Coordinating national cybersecurity strategies for healthcare.
- Sharing threat intelligence and best practices across borders.
- Supporting hospitals and healthcare providers in adopting the necessary measures.
Member States are encouraged to create national action plans focused on cybersecurity within the healthcare sector. These plans would outline the specific cybersecurity risks faced by healthcare systems and the national actions being taken to address them, while also ensuring that European-level resources and practices are effectively deployed.
How will the success of the Action Plan be measured?
To measure the success of this plan, ENISA, in consultation with the Commission, will regularly report on its progress to the relevant groups and organisations. These reports will include data from the EU Cybersecurity Index, which will help assess how well the healthcare sector is doing in terms of cybersecurity. This information will show whether the plan is working and making a positive impact.
What can patients do to support the goals of the Action Plan?
Patients can contribute by staying informed about cybersecurity and taking steps to protect their own digital health data. For example:
- Using reliable authentication mechanisms (e.g., the EU Digital Identity Wallet) for online health portals.
- Reporting suspicious activities, such as phishing attempts.
- Trusting healthcare providers that follow EU-recommended cybersecurity measures.
A secure healthcare ecosystem depends on active participation from everyone.
What is the timeline for implementing the Action Plan?
This Communication sets out a clear plan to make the European healthcare sector safer from cyber threats. The plan creates a central hub for cybersecurity support, making it easier for hospitals and healthcare providers to work together to stay safe online.
This plan is just the beginning. The Commission is starting a wider conversation with all stakeholders, including healthcare providers, governments, and experts, to hear their ideas and feedback. The Commission will use this input to make the plan more detailed and targeted to the needs of hospitals and other healthcare providers. These recommendations will be shared by the end of 2025.
To achieve this goal, the Commission is calling on all Member States and stakeholders to work together to make the healthcare sector more cybersecure.
Source – EU Commission