On Wednesday 15 January, the European Commission proposed a plan for Member States to combat the growing number of cyber attacks targeting hospitals and the entire healthcare sector.
For the Commission, the main danger facing healthcare professionals lies in ‘ransomware’, a form of digital blackmail in which hackers steal, block and encrypt recovered data, demanding payment of a certain sum in order to regain access.
Particularly harmful to the hospital environment, these types of attack are on the increase, according to the World Health Organization. In 2023, “309 large-scale cyber attacks” targeting healthcare establishments were reported by EU Member States, according to the Commission, which puts the financial loss at €8 million.
According to data published by the cybersecurity firm Check Point Software Technologies in July 2024, there are an average of 2,783 attacks per week against the medical sector in Belgium alone.
The Commission therefore wants to help Member States and their medical services to better protect themselves against this type of attack, by building on existing legislation relating to cybersecurity (see EUROPE 13536/18) and through the creation of a pan-European support centre, linked to the EU Cybersecurity Agency (ENISA), which would provide “tailored tools, services and training”.
Hospitals and other healthcare providers are considered “critical” sectors under the NIS2 Network and Information Security Directive (see EUROPE 12952/1) and the Cyber Resilience Act, which imposes mandatory cyber security requirements for products with digital elements (see EUROPE 13305/1).
An EU-wide real-time alert system should also be in place by 2026. According to several sources, the “moderate state of maturity of security” in the various strata of the medical sector and its “highly diversified landscape” make it all the more difficult to employ the means of action at present.
This plan should serve as a basis for dialogue and information gathering with the parties concerned over the coming months. The Commission also hopes to be able to encourage hospitals to back up their data more effectively, to train and employ people with cybersecurity skills and to help victim services not to pay ransoms.
However, Henna Virkkunen, Vice-President of the European Commission responsible for Technological Sovereignty, admitted that one of the “challenges” for the EU was the lack of qualified and trained staff, at a time when pay packages are larger in the private sector and elsewhere in the world.
A more detailed plan should be presented by the end of the year. (Original version in French by Isalia Stieffatre)