The new EU healthcare cybersecurity plan

The European Commission has introduced a new plan for healthcare cybersecurity. What can US providers take away from their strategy?
By admin
Feb 7, 2025, 1:36 PM

Much like the United States, Europe has a vast and varied healthcare landscape with organizations at very different levels of digital maturity, all of which are under constant threat from a huge range of cyberattacks. 

And like in the US, government officials in Europe have recognized that it is crucial to protect these organizations from phishing, ransomware, and other nefarious methods of accessing sensitive patient data.

However, Europe has somewhat different regulatory mechanisms for developing and implementing best practices for cybersecurity. The majority of countries on the continent are part of the European Union, whose member states both contribute to and benefit from shared actions around protecting critical infrastructure from cyber threats. 

Recently, EU officials released the organization’s latest roadmap for strengthening the region’s cybersecurity defenses, the Cybersecurity Action Plan, which contains a number of proposals that could spark some good ideas for their counterparts across the pond.

“Modern healthcare has made incredible advances through digital transformation, which has meant citizens have benefited from better healthcare,” said Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, in a press release. “Unfortunately, health systems are also subject to cybersecurity incidents and threats.

“That is why we are launching an Action Plan to ensure that healthcare systems, institutions and connected medical devices are resilient. Prevention is better than cure, so we need to prevent cyber-attacks from happening. But if they happen, we need to have everything in place to detect them and to quickly respond and recover.”

The plan centers on a directive for ENISA, the EU agency for cybersecurity, to establish a pan-European Cybersecurity Support Centre that would oversee defense and resilience efforts for the healthcare sector. Some of the key proposals include: 

  • Launching pilots across the EU to develop best practices for cyber hygiene and security risk assessments.  
  • Leveraging the forthcoming European Digital Identity Wallet (a single digital identity for both online and offline transactions) to reduce reliance on passwords and other weaker ID mechanisms and catalyze a shift toward single sign-on solutions.
  • Developing a tailored framework for healthcare-specific cybersecurity maturity assessments at the organizational level, as well as an annual Health Cyber Maturity Assessment to provide an overview of the sector’s preparedness at the national and EU levels. 
  • Encouraging member states to implement targeted measures, like financial vouchers to help smaller entities bulk up their cybersecurity defenses, with priority given to the least mature and most vulnerable organizations.  
  • Creating a European Health CISO Network so experts can share best practices, including talent retention strategies and solutions for attracting cybersecurity professionals to the healthcare industry. 
  • Introducing an EU-wide early warning subscription service that delivers near-real-time alerts about new cybersecurity risks and events.
  • Developing cybersecurity incident response playbooks and facilitating national cybersecurity exercises that build on previous experiences to strengthen incident response activities. 
  • Offering a ransomware recovery subscription service that would help healthcare providers prepare recovery plans in advance. 
  • Expanding resources for access to decryption tools that can reduce the impact of ransomware and help organizations avoid making decisions around paying off attackers. 
  • Establishing a joint Health Cybersecurity Advisory Board with high-level representatives from both the healthcare and cybersecurity fields to advise the Support Centre on meaningful actions and encourage public-private partnerships. 

These and other potential proposals will be rolled out incrementally over the next two years as the European Commission, the EU’s main executive body, works with member states to expand and enhance existing cybersecurity practices. 

“Digital technologies and health data-driven solutions have opened unparalleled opportunities in healthcare. They enable precision medicine, real-time patient monitoring, and seamless communication between healthcare providers across borders,” said Olivér Várhelyi, Commissioner for Health and Animal Welfare.

“But digitalization is only as strong as the trust it inspires and resilient from cyberattacks. Patients must feel confident that their most sensitive information is secure. Healthcare professionals must have faith in the systems they use daily to save lives. Today’s Action Plan is an important step towards securing that trust and safeguarding a more resilient health ecosystem for the future.”


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at [email protected].