On January 15, 2025, the European Commission unveiled an action plan focused on enhancing the cybersecurity of hospitals and healthcare providers. This Action Plan outlines a range of EU-level initiatives aimed at bolstering the healthcare sector’s defenses against cyber threats, prompted by a series of high-profile cyber-attacks on healthcare providers across the European Union in recent years. The plan addresses various aspects of cybersecurity within the healthcare sector, emphasizing the need for a comprehensive approach to protect sensitive health data and ensure the operational integrity of healthcare services.
Strengthening Cyber Resilience in Healthcare
The Action Plan places a significant emphasis on the Cyber Resilience Act, which introduces new cybersecurity requirements for nearly all software and hardware products sold in the EU. Most medical devices in the EU are instead regulated under the Medical Devices Regulation and the Regulation on in-vitro diagnostic medical devices and therefore fall outside the Cyber Resilience Act; for these devices, the Action Plan encourages manufacturers to voluntarily report actively exploited vulnerabilities or severe cyber incidents. This proactive approach aims to ensure advanced cybersecurity across the sector, including for those devices excluded from the Cyber Resilience Act.
The interconnectedness of healthcare providers and the broader healthcare industry is acknowledged, with some measures addressing risks impacting the wider healthcare supply chain. Since healthcare providers often rely on multiple interconnected systems and networks, any security breach in one part can have a cascading effect on the entire ecosystem. This includes pharmaceutical and biotechnology companies and medical device manufacturers, highlighting the comprehensive nature of the Action Plan. By addressing the broader supply chain and associated entities, the plan aims to create a more resilient and secure healthcare environment.
Enhancing Supply Chain Security
Managing ICT supply chains for products like connected medical devices and European health records systems presents a significant challenge, given the complexity and diversity of suppliers and technology involved. To address this, the Action Plan tasks the NIS Cooperation Group, in collaboration with the Medical Device Coordination Group, with conducting a coordinated security risk assessment of medical device supply chains. This assessment aims to identify both technical and strategic risks and propose mitigating measures. The comprehensive approach aims to safeguard the supply chain from vulnerabilities that could be exploited by cybercriminals.
The development of new Procurement Guidelines by the European Cybersecurity Support Centre for hospitals and healthcare providers is another critical element of the Action Plan. These guidelines will reflect trends such as the ‘cloudification’ of patient data and provide practical tools for supply chain tracking, including managing security service providers and conducting third-party risk assessments. By establishing clear procurement standards and practices, healthcare providers can better manage and mitigate risks associated with their supply chains. Practical tools and clear guidelines will empower healthcare organizations to make informed decisions and enhance their overall cybersecurity posture.
Reporting and Data Collection
A notable aspect of the Action Plan is the recommendation for Member States to mandate that entities subject to the NIS2 Directive, including healthcare organizations, report ransom payments when notifying significant incidents. This proposal aims to gather additional data to evaluate the effectiveness of measures against ransomware attacks and aid in incident investigations. Implementing this proposal would mark a significant change for applicable entities, as the NIS2 Directive does not currently require the reporting of ransomware payments. Collecting data on ransom payments would provide valuable insights into the nature and extent of ransomware attacks, facilitating better responses and preventative measures.
The Action Plan also encourages manufacturers of medical and in vitro diagnostic devices to voluntarily report actively exploited vulnerabilities or severe cyber incidents impacting a device’s security through the ENISA reporting platform. This initiative aims to enhance data collection and improve the overall cybersecurity landscape in the healthcare sector. Encouraging voluntary reporting from device manufacturers ensures that critical information about vulnerabilities and incidents is shared promptly, allowing for rapid responses and improvements to security measures. Such transparency and cooperation are vital in strengthening defenses against cyber threats.
Workforce Development and Information Sharing
Addressing the demand for qualified cybersecurity professionals across the healthcare sector, the Action Plan promotes reskilling and upskilling to build a robust workforce capable of addressing evolving threats. It advocates for active exchanges among cybersecurity professionals in the health sector, including creating a European Health CISOs Network to enable Chief Information Security Officers to share best practices. By fostering a community of skilled professionals, the healthcare sector can become better equipped to handle cybersecurity challenges.
The Support Centre is tasked with supporting the European Health Information Sharing and Analysis Centre (European Health ISAC). The Action Plan calls on the ISAC to unite healthcare providers and manufacturers to foster a joint understanding of cybersecurity threats and facilitate dialogue about secure product design. This collaborative approach aims to enhance information sharing and improve the overall cybersecurity posture of the healthcare sector. By creating platforms for collaboration and information exchange, the sector can benefit from shared knowledge and collective efforts to tackle cyber threats. Promoting a cohesive and informed community is essential for maintaining robust cybersecurity defenses.
Public-Private Cooperation
On January 15, 2025, the European Commission introduced a detailed action plan aimed at strengthening the cybersecurity measures of hospitals and healthcare providers. This initiative outlines various EU-level strategies intended to enhance the healthcare sector’s ability to defend against cyber threats. The Commission’s decision comes in response to a series of high-profile cyber-attacks targeting healthcare providers within the European Union over the past few years.
The action plan includes a range of initiatives aimed at improving the sector’s cybersecurity defenses. It highlights the urgent need for a holistic approach to safeguard sensitive health information and ensure the ongoing functionality of healthcare services. The plan focuses on protecting critical health data from unauthorized access and ensuring that healthcare operations maintain their integrity even in the face of cyber threats. This comprehensive plan underscores the growing recognition of cybersecurity as an essential component of modern medical operations, given the rising threat landscape.