European Commission
Cybersecurity in hospitals and healthcare: Questions and answers
Source published: 15 January 2025

Cybersecurity in Hospitals and Healthcare: Q&A

Why has the European Commission proposed an Action Plan on cybersecurity in healthcare?

Cyber threats to healthcare systems are growing both in frequency and complexity. Hospitals and healthcare providers are crucial to our health systems and are particularly at risk from cyberattacks, like ransomware and data breaches. These incidents can disrupt essential medical services and compromise patient safety and data.

The Commission is taking urgent steps to tackle these challenges, ensuring the digital transformation of healthcare is both secure and trustworthy.

How does the Action Plan foster trust among patients and health professionals?

Trust is central to digital healthcare. By ensuring systems are secure, the Action Plan assures patients their data is safe and their care remains uninterrupted.

For health professionals, the plan offers tools and training to confidently navigate digital platforms. This approach protects both patients and professionals, creating a trusted digital healthcare environment.

How does this Action Plan complement existing EU legislation, such as the NIS2 Directive?

The Action Plan builds on existing cybersecurity legislation like the NIS2 Directive, Cyber Solidarity Act, and Cyber Resilience Act. These laws ensure a high level of cybersecurity across the EU.

The NIS2 Directive expands cybersecurity requirements to essential services, including healthcare, while the Action Plan focuses on the specific vulnerabilities of hospitals and healthcare sites.

The Action Plan aims to support the sector by implementing basic cybersecurity measures to mitigate cyber incidents. It emphasizes capacity building, investments, and preparedness in hospitals and healthcare providers, offering support if incidents occur for swift and efficient recovery.

What will be the role of the new European Cybersecurity Support Centre for hospitals and healthcare providers?

The Action Plan proposes a pan-European Cybersecurity Support Centre for hospitals and healthcare providers, offering tailored guidance, tools, and services. ENISA will establish the Centre within its structures, ensuring coherent implementation of the Action Plan without creating new administrative entities.

The Centre will develop a comprehensive service catalogue of solutions to strengthen the sector's cybersecurity, working with Member States and healthcare organisations.

How does this Action Plan support the European Health Data Space?

The European Health Data Space (EHDS) aims to digitalise healthcare by setting clear rules for health data use, improving healthcare delivery, research, innovation, and policymaking.

Secure infrastructure is crucial for the EHDS. The Action Plan outlines actions for securing data processing in hospitals and healthcare providers, who act as both providers and users of health data in the EHDS.

Alongside this Action Plan and cybersecurity legislation, the forthcoming EHDS Regulation offers specific safeguards for personal health data processing, such as login and identification management in electronic health record systems.

How will the Action Plan ensure that patient care is not disrupted by cyber incidents?

A core pillar of the Action Plan is rapid response and recovery.

Measures include:

  • Developing a ransomware recovery subscription service and expanding decryption tool repositories.
  • Encouraging robust backup systems for hospitals to protect critical data.
  • Enhancing crisis response capabilities through EU-level training and cooperation.

These measures aim to minimise the impact of cyber incidents on healthcare services, ensuring uninterrupted patient care.

What role do Member States play in the implementation of this Action Plan?

Member States play a crucial role by:

  • Coordinating national healthcare cybersecurity strategies.
  • Sharing threat intelligence and best practices across borders.
  • Supporting hospitals and healthcare providers in adopting necessary measures.

They are encouraged to create national action plans focused on healthcare cybersecurity, outlining specific risks and actions, ensuring effective deployment of European-level resources and practices.

How will the success of the Action Plan be measured?

ENISA will regularly report on the plan's progress to relevant groups, using data from the EU Cybersecurity Index to assess the healthcare sector's cybersecurity performance, indicating the plan's effectiveness.

What can patients do to support the goals of the Action Plan?

Patients can help by staying informed about cybersecurity and protecting their digital health data. For example:

  • Using reliable authentication mechanisms like the EU Digital Identity Wallet for online health portals.
  • Reporting suspicious activities like phishing attempts.
  • Trusting healthcare providers that follow EU-recommended cybersecurity measures.

A secure healthcare ecosystem relies on everyone's active participation.

What is the timeline for implementing the Action Plan?

This Communication outlines a plan to make the European healthcare sector safer from cyber threats. It establishes a central hub for cybersecurity support, facilitating collaboration among hospitals and healthcare providers to enhance online safety.

This plan marks the beginning. The Commission invites input from all stakeholders, including healthcare providers, governments, and experts, to refine and target the plan to the needs of hospitals and healthcare providers. Recommendations will be shared by the end of 2025.

The Commission calls on all Member States and stakeholders to work together for a more cybersecure healthcare sector.

For More Information

Action plan on the cybersecurity of hospitals and healthcare providers

Press release

Factsheet

Source last updated: 15 January 2025
Published on Openrijk: 15 January 2025
Source: Europese Commissie