The EU Commission wants to strengthen the IT security of hospitals and healthcare providers. It presented an action plan for this purpose on Wednesday. The attacks sometimes have fatal consequences. The Commission is now proposing that ENISA (the European Union Agency for Cybersecurity) establish a pan-European IT security support center for the healthcare sector. It aims to provide “tailored guidelines, tools, services and training” to operators.
The plan focuses on four areas. These include increased prevention and better threat detection and response to reduce the impact of attacks. The topic of deterrence is also on the agenda: “cyber threat actors” should be prevented from attacking European health systems through the use of diplomacy and sanctions.
Health care systems are encouraged to take preventive measures. Member States may also introduce vouchers to provide financial support to small and medium-sized institutions. The planned center at ENISA aims to develop an EU-wide early warning service by 2026 that provides real-time information about potential threats. This initiative envisages a crisis response service for the health sector as part of the EU Cybersecurity Reserve. The aim of the exercise is to prepare healthcare organizations for attacks like ransomware. If relevant institutions receive a ransom demand, they must report it and involve law enforcement authorities.
Building trust in digital healthcare
Specific measures are to be gradually introduced in 2025 and 2026 in collaboration with healthcare providers, EU countries and the IT security community. In preparation, the Commission would like to hold a public consultation, the results of which will lead to further recommendations. Health Commissioner Olivér Várhelyi stressed, “Patients must be reassured that their most sensitive information is protected.” For example, digitalization in the healthcare system, with its “unprecedented opportunities” for precision medicine, is only robust with the confidence that it will remain immune to IT attacks.
According to the Commission, online attacks can delay diagnosis and treatment, cause blockages in emergency rooms and disrupt vital services. In 2023 alone, Member States reported 309 critical IT security incidents in the healthcare sector, more than in any other critical infrastructure (KRITIS) sector. For Germany, data on hospitals covered by the KRITIS regulation shows a total of 61 cyberattacks in 2019. This was a significant increase compared to 2018. Since then, the federal government announced in April that the numbers were declining. In 2020, the attack on the Düsseldorf University Clinic made headlines. From 2022 onwards, all German hospitals below the critical threshold are also obliged to take appropriate precautions.
(ds)