
EU goes in to bat on health-sector cybersecurity

27 Jun 2025

The EU Commission has launched a targeted consultation following the recent adoption of its action plan on the cybersecurity of hospitals and healthcare providers, write Louisa Muldowney and Nessa Boland of William Fry.

The plan was identified as a priority of the 2024-29 Commission.

Swift advancements

This is the first sector-specific move to enhance cybersecurity and resilience across the healthcare sector as it evolves to reflect a rapidly digitising society and swift technological advancements.

Healthcare reported more cyber incidents than any other sector in 2023, with 309 attacks, 54% of which involved ransomware.

Such incidents can severely disrupt healthcare delivery, compromise patient safety, and expose sensitive data, leading to significant operational, financial, and reputational consequences for healthcare providers.

The consultation welcomes responses from healthcare professionals and authorities and cybersecurity industry players on key areas – including the prevention of incidents, capabilities for detecting cyber threats against the health sector, and plans for rapid response and recovery.

The deadline for contributions is 30 June.

Cyber diplomacy toolbox

The plan has four key pillars:

  • Prevention – strengthening the healthcare sector’s capacity to prevent cybersecurity incidents through enhanced preparedness measures, such as issuing guidance on critical cybersecurity practices and supporting healthcare providers in their implementation,
  • Detection – establishing an EU-wide early warning subscription service for the health sector through the ENISA Cybersecurity Support Centre for hospitals and healthcare providers,
  • Response – ensuring that the EU Cybersecurity Reserve includes a Rapid Response Service specifically tailored to the needs of the health sector, and
  • Deterrence – discouraging malicious cyber activities against health systems by applying measures from the Cyber Diplomacy Toolbox to deter threat actors.

Broader legal context

The European Health Data Space Regulation (EHDS), which entered into force on 26 March, establishes a common EU framework for accessing, sharing, and reusing electronic health data.

It supports both primary use – such as direct patient care – and secondary use for research, innovation, policymaking, and public health purposes.

Paramount

For the EHDS to function effectively, cybersecurity is paramount.

The secure exchange of sensitive health data across borders and systems depends on robust digital infrastructure and trust in data protection mechanisms.

The plan’s focus on strengthening hospital cybersecurity directly supports the EHDS’s objectives by helping ensure that health data can be shared safely and reliably across the EU.

The plan comes amid other developments in the EU cybersecurity landscape.

The NIS 2 Directive (NIS 2), which came into effect in October 2024, marks a significant overhaul of the EU’s cybersecurity rules.

It expands the scope of regulated entities to include a wider range of healthcare providers, including hospitals, clinics, and even outpatient and rehabilitation centres.

It imposes stricter obligations around risk management, incident reporting, and governance.

Under NIS 2, healthcare organisations must adopt comprehensive cybersecurity risk management measures and may face substantial penalties for non-compliance, including fines and personal liability for management.

'Pivotal step'

The plan marks a pivotal step in the EU’s efforts to strengthen cybersecurity in the healthcare sector, addressing the growing threat landscape with targeted, sector-specific measures.

By aligning with broader legislative initiatives such as the EHDS and NIS 2, it reinforces the EU’s commitment to building a secure digital health ecosystem.

The consultation allows participants to contribute to the recommendations the Commission is adopting to further refine the plan by the fourth quarter of this year.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland
