How the EU Plans to Strengthen Cybersecurity in Healthcare

Written by Sherry Jones / 09.04.2025

Citing an alarming rise in cyber-attacks against healthcare providers and suppliers, the EC, a European Union (EU) entity that proposes laws and manages EU policies, recently unveiled a first-of-its-kind “action plan” to help hospitals, clinics, and others in the industry prevent, detect, and respond to cyber threats. 

The EU “Action Plan on the cybersecurity of hospitals and healthcare providers” calls for the establishment of a pan-European Cybersecurity Support Centre, financial aid for hospitals, and coordinated incident response strategies, among other measures. 

“Prevention is better than cure, so we need to prevent cyber-attacks from happening,” Henna Virkkunen, EC Executive Vice-President for Tech Sovereignty, Security and Democracy, stated in the action plan’s announcement. “But if they happen, we need to have everything in place to detect them and to quickly respond and recover.” 

A long-standing issue

Officials throughout the West have recognized for years the need to address escalating cyberthreats to medical systems. When a cyberattack disrupts care, lives can be at stake, and patients risk having their most personal information exposed.   

“Issues of life and death” as well as a serious threat to international security is how the head of the United Nations health agency characterized the healthcare cyber challenge in a speech before the UN Security Council last fall. 

Healthcare cyber events globally nearly quadrupled in 2023 over the previous year, the European Repository of Cyber Incidents has found. EU Member States reported 309 significant cybersecurity incidents affecting the healthcare sector in 2023 – more than in any other critical sector.  

Hostile nation-states attack healthcare providers daily, according to testimony before a US House of Representatives subcommittee in the wake of 2024’s devastating Change Healthcare attack. 

“There is no time to waste,” Luigi Rebuffi, Secretary General of the European Cyber Security Organization, echoed in a statement supporting the EU action plan for healthcare. 

Cyber Threats Facing the Healthcare Sector

Ransomware ‘particularly disruptive’ 

Ransomware, in particular, is wreaking havoc on the sector, the action plan notes: “Ransomware attacks can have a particularly disruptive effect on the provision of healthcare services, putting patient safety at risk.” 

The list of deleterious effects caused by these attacks is long, and includes:

  • Medical procedure delays,  
  • Emergency room gridlock, and 
  • Harmful or even life-threatening service disruptions.  

And the more the sector digitizes, the more ways there are for attackers to get in. Health care relies increasingly on digital technologies including electronic health records (EHR), telemedicine, and AI diagnostics.  

More than three-quarters of EU citizens, on average, can access their EHRs online, according to the Report on the State of the Digital Decade 2024.   

Other digital healthcare technologies include:

  • Clinical information systems,  
  • Hospital workflow systems,  
  • Treatment reimbursement systems, 
  • Medical imaging,  
  • Diagnostic devices, and 
  • Patient monitoring devices. 

Intensive care, radiological imaging, oncology, cardiology, and other specialized services are highly dependent on digitally enabled devices, and so face a particularly high risk of cyberattack, the European action plan states. Healthcare supply chain security is a concern, as well. 

A rapidly escalating threat

Indeed, 2023 proved a landmark year for healthcare breaches, with more than 133 million records exposed or disclosed in 725 reported breaches, HIPAA Journal reports. These breaches only increased in size and scale in 2024.  

Some of the biggest attacks facing the Healthcare Sector in 2024:

  • Change Healthcare ransomware attack. In February 2024, Change Healthcare, a subsidiary of United States health insurer UnitedHealth, experienced a massive ransomware attack that compromised the personal, financial, and health care records of approximately 100 million Americans, the largest breach of protected health information in history. The attack shut down medical claims and payment processing for more than a month.  
  • National Public Data (NPD) breach. Exposing up to 2.9 billion records and affecting 170 million people, this early 2024 data breach is also one of the biggest in history. Compromised data included full names, Social Security numbers, mailing addresses, email addresses, and phone numbers. The breach occurred when a malicious actor gained access to the company’s systems in December 2023. They published the data on the dark web from April into the summer of 2024.  
  • Synnovis ransomware attack. The blood test firm Synnovis was attacked by the Russian Qilin ransomware crew. The impact across hospitals and patient care in the UK was devastating, with over 1000 operations and appointments postponed, and almost 400 GB of private information leaked on the darknet.  

Breaking Down the EU Cybersecurity Action Plan 

The EU cybersecurity action plan for healthcare’s provisions include the following: 

  • Prevention guidance, education, and resources. The plan suggests guidance on cybersecurity practices and how to put them in place; cybersecurity vouchers for financial assistance to medium-sized and smaller hospitals and medical providers; and security awareness resources for healthcare professionals – something studies suggest may be lacking today. 
  • Threat detection and identification. The plan proposes an EU-wide early warning service with cyber-threat alerts, a project for the Cybersecurity Support Centre for hospitals and healthcare providers to complete by 2026. 
  • Rapid response. The EU Cybersecurity Reserve, which provides incident response services from private service providers, would expand its scope to include health care providers.  
    National cybersecurity exercises and playbooks would guide healthcare organizations on how to respond rapidly to threats including ransomware as well as cyberattacks, in the interest of limiting damage.  
    It suggests that member states request reporting of ransom payments so they can provide support as well as to facilitate follow-up by law enforcement. 
  • Deterrence. To deter cyber threat actors’ attacks, the action plan calls for using the Cyber Diplomacy Toolbox, a joint EU diplomatic response that uses international cooperation and diplomatic measures to discourage malicious cyber activities, including nation-state attacks. 

The Action Plan and Existing EU Regulations 

The action plan isn’t a major departure from existing EU directives but builds on them. It’s an added layer aimed at improving security specifically in the highly targeted medical industry. 

  • Healthcare is already listed as a “high criticality” sector under the EU’s NIS2 Directive, which mandates that each member state adopt a national cybersecurity strategy.  
  • The NIS2 cybersecurity framework works hand-in-hand with the Cyber Resilience Act, the first-ever EU legislation mandating that all products with digital elements, including medical devices for diagnostics, treatment, and monitoring, have cyber “baked in.”  
  • The Commission has also put in place a Cyber Emergency Mechanism under the Cyber Solidarity Act which reinforces the EU’s solidarity and coordinated actions to detect, prepare and effectively respond to growing cybersecurity threats and incidents. 

In combination with the action plan, these mandates are designed to augment the resilience and security of the digital healthcare infrastructure amid deployment of the European Health Data Space, which took effect March 26 and gives EU citizens control over their medical data. 

What It All Means for Hospitals and Patients 

As the EU action plan for healthcare cybersecurity’s 1-2-3-4 punch makes clear, the medical sector needs help protecting its devices and data from relentless, and always escalating, cyberattacks. It calls for proactive measures to boost cybersecurity, from detection to prevention to rapid response. 

Taking action before threats arise is the best way to safeguard the data, health, and even lives of your patients. Mortality rates rise at nearly one-quarter of organizations after suffering a cyber breach, the May 16 hearing on the Change Healthcare attack found. 

Security awareness training, in particular, can really take a scalpel to these risks. Several studies recommend instilling a culture of security in healthcare facilities, including comprehensive employee-awareness cybersecurity programs.  

“Training employees plays important role in improving … cybersecurity,” a U.S. National Center for Biotechnology Information report states.   

Introducing cybersecurity measures in the orientation and training of new employees is essential, the report states, and should cover topics including handling personal health information, e-mail system security, and safe web browsing. 


Where To Find Training 

Instituting cyber awareness training for all employees is easier said than done, however. Finding needed materials can be a chore – and how do you know you’re covering the bases relevant to your industry or facility? And then, you’ll need to present the training and follow up to ensure that everyone understands it well enough to engage in safe practices at work. 

Hornetsecurity’s Security Awareness Service helps healthcare organizations of every size and stripe strengthen cyber defenses by training employees to recognize and respond to cyber threats. Our comprehensive training program can play a major role in: 

  • Protecting your hospital from ransomware and phishing attacks; 
  • Ensuring compliance with EU cybersecurity regulations; and 
  • Reducing human error, the leading cause of cyber incidents. 

Stay Ahead of Healthcare Cyber Threats with Security Awareness Service 

Cybercriminals are increasingly targeting hospitals, putting sensitive patient data and even lives at risk. The EU’s new cybersecurity action plan for healthcare is a step forward, but hospitals must also take proactive measures to secure their systems.  

Hornetsecurity’s Security Awareness Service is an easy and effective way to educate employees, your first line of defense, on safe and secure practices. Schedule a demo today and safeguard your healthcare organization. 
