Brussels – Building a cyber shield around EU hospitals and healthcare providers, the targets of 309 significant cyberattacks in 2023 alone. That’s the goal of the action plan presented today (Jan. 15) by the European Commission, which includes creating a dedicated support center for hospitals and a rapid response service to attacks. However, the call by Health Commissioner Olivér Várhelyi on member states and facilities to invest more in cybersecurity — “as much as they do in equipment to treat patients” — risks further unbalancing the level of performance between public and private facilities, especially in countries like Italy that have cut back on healthcare and thus leave the field open to private investment.
Ursula von der Leyen included the plan to strengthen cybersecurity in the health sector as one of the priorities in the first 100 days of her new term as head of the EU executive. The move is even more urgent due to the progressive digitization of the sector, which, while enabling better services for patients, also lends itself to increasingly frequent cyber attacks. According to European Commission Executive Vice President Henna Virkkunen, 79 percent of European citizens have access to an online medical record, and the average cost of data leaks caused by so-called ‘ransomware’ attacks amounts to 8 million euros.
However, in an environment where telemedicine and artificial intelligence-driven diagnostics are becoming increasingly prevalent, cyber attacks can, above all, delay medical procedures, block emergency rooms, and disrupt vital services. “Patients must feel confident that their most sensitive information is secure. Healthcare professionals must have faith in the systems they use daily to save lives,” Várhelyi said in presenting the action plan.
Brussels identified four priorities: enhanced prevention, improved threat detection, immediate response to minimize impacts, and deterrence to protect health systems. The EU Cybersecurity Agency (ENISA) is being called upon to establish a Pan-European Cybersecurity Support Center for hospitals and healthcare providers, providing them with “tailored guidance, tools, services, and training.” The Commission’s idea is for this Center to develop by 2026 a European-wide early warning service that will provide “near real-time” alerts on potential cyber threats.
If “prevention is better than cure,” as Virkkunen stressed, in cases where attacks cannot be prevented, the EU would bring to the table a dedicated rapid response service for the health sector, available through the EU Cyber Security Reserve established on December 2 with the Cyber Solidarity Act.
According to Commissioner Várhelyi, this is just a first move through which Brussels wants to “define a framework to set collective action in motion.” It is not a legislative proposal but “the beginning of a dialogue and support on the ground.” However, the elephant in the room is the lack of cybersecurity specialists in hospitals, especially in public facilities, due to the lack of training and the unattractive salaries. A few days ago, the French Court of Auditors found that only 7 percent of employees in public hospitals are involved in security and earn half as much as their colleagues in the private sector.
Várhelyi called for hospitals to invest more in cybersecurity “as much as is being done to treat patients.” “If there is money for a physical security officer at the entrance, there should also be money to protect data,” the commissioner said. In Italy, where funding for the national health system has been declining for years, Brussels’ suggestions are likely to fall on deaf ears, unless private investors take them up, with the risk of further widening the gap between public and private healthcare, or unless the EU allocates funds. “The Commission can offer technical support with ENISA, but there are also possibilities from structural funds to be used for these tasks,” Várhelyi said, keeping the door open.
English version by the Translation Service of Withub