The European Commission proposed an action plan on Wednesday to improve the cybersecurity of healthcare institutions. Among other areas, it plans to focus on threat detection and staff training.
The health sector is one of the biggest targets of cybercriminals. In 2023, EU Member States reported 309 major cybersecurity incidents in the health sector – more than any other critical sector.
Around 53% of healthcare providers, including 42% of hospitals, have already been hit by a cyberattack, according to Commission Vice-President for Technology Sovereignty, Henna Virkkunen. The cost of a major incident can be up to €300,000, said Virkkunen.
The action plan, which still needs further work with Member States, the industry and stakeholders, focuses on four priorities: better prevention of attacks, better detection and identification of threats, responding to threats to reduce impact, and deterrence.
It proposes several measures, including the creation, within the European Cybersecurity Agency (ENISA), of a pan-European centre to support hospitals and healthcare providers with guidance, tools, training and services. The centre will establish an early warning system to detect threats by 2026.
Member States can also offer financial support to small and medium-sized hospitals and healthcare providers, for example in the form of a voucher. Member States are also encouraged to list ransomware payments to get a better picture of the problem.