The European Commission will step up its cybersecurity action in an increasingly digitalised health sector already experiencing threats and poses new challenges.
ADVERTISEMENTPolitical Guidelines 2024-2029 published before Von der Leyen’s reappointment as president of the EU executive last week included suggested a new action plan on cybersecurity of hospitals and healthcare providers will be presented in the first 100 days of the new mandate.
The Guidelines were published a day before a massive IT outagebrought hospitals and other businesses to a halt worldwide, highlighting the reliance of health institutions on digital infrastructure.
With the rapid development of digital health alongside rising awareness of data privacy and security, the EU is keen to bolster independence from reliance on third-party digital infrastructure.
The next Commission will put forward a European Data Union Strategy, building on existing data rules to ensure a “simplified, clear and coherent legal framework for businesses and administrations to share data seamlessly and at scale, while respecting high privacy and security standards”, according to the guidelines.
Alongside this data strategy Von der Leyen announced an 'Apply AI Strategy' to boost industrial uses of AI and improve the delivery of a variety of public services, including healthcare.
During and following the COVID-19 pandemic there was an increase in cyberattacks on healthcare providers, as demonstrated by the European Union Agency for Cybersecurity's (ENISA) first analysis of the cyber threat landscape for the health sector published last year.
The analysis showed that between January 2021 and March 2023, the EU health sector witnessed frequent cyberattacks, with 53% affecting healthcare providers and 42% hospitals.
The cybersecurity agency warned in its report that these attacks are likely to continue and flagged risks posed by vulnerabilities in healthcare systems and medical devices.
The EU executive has vowed to strengthen the bloc’s cyber defence capabilities, coordinating national cyber efforts and securing critical infrastructures.
“We will strengthen our strategic approach to sanctions to ensure that we can react flexibly to new threats,” the new guidelines claimed.
“Data related threats continue to be one of the main threats in the sector, not only for Europe but also globally,” the ENISA report found, identifying ransomware - a type of malware that locks and encrypts data, devices or systems until the attacker receives a payment- as one of the prime threats affecting the health sector.
Despite the threat, the agency revealed that only 27% of health sector organisations surveyed for the study had dedicated ransomware defence programs.
Several EU initiatives at implementation phase could benefit from the cyber action plan including the European Health Data Space (EHDS) and the medical devices regulation.
The EHDS, approved by EU Institutions earlier this year, sets a common European framework for the sharing of health data across the EU for research, innovation, public health, policy-making and regulatory purposes.
In a recently published analysis of vulnerabilities of an increasingly digital healthcare system, the European Policy Centre (EPC) reported that there is “no innovative technology where the benefits are not balanced by equally serious risks”.
ADVERTISEMENTThe think tank's analysis added that citizens will not use digital health tools if they fear threat of cyberattacks and data theft, especially given the sensitive nature of health data, unless trust is fostered in the system security.
