13 Dec 2024

Strengthening healthcare cybersecurity: Focus on implementation, not new legislation

Executive summary 

Europe’s healthcare sector faces an escalating cybersecurity crisis, with a sharp increase in ransomware and data-related attacks targeting hospitals and healthcare providers. A recent ENISA report revealed that 54 per cent of reported cyber incidents in healthcare involved ransomware, whilst 46 per cent pertained to breaches of patient data.[1] These growing threats jeopardise patient safety, data integrity and the operational continuity of essential healthcare services. 

Despite the critical importance of cybersecurity, hospitals and healthcare providers face significant challenges in addressing these risks. Limited budgets, talent shortages and complex regulatory requirements hinder their ability to implement holistic, risk-based cybersecurity measures. Additionally, fragmented information-sharing practices within and across Member States exacerbate vulnerabilities, leaving healthcare systems ill-prepared to respond to emerging threats. 

To address these challenges, DIGITALEUROPE supports the EU Action Plan for the Cybersecurity of Hospitals and Healthcare Providers, as outlined in European Commission President Ursula von der Leyen’s political guidelines.[2] This plan should strengthen public-private partnerships, particularly through information sharing and analysis centres (ISACs), and provide practical support to healthcare entities for regulatory compliance and threat management. It must focus on the effective implementation of existing regulations as opposed to new legislation. 

Key recommendations include: 

  • Strengthen supply chain cyber resilience: Address vulnerabilities in outdated medical devices and legacy systems by conducting regular security assessments, upgrading critical systems and transitioning to secure, scalable cloud-based solutions that leverage advanced technologies like AI. 
  • Enhance cybersecurity in procurement: Update procurement guidelines to require suppliers to meet stringent cybersecurity standards. 
  • Invest in funding and skills development: Allocate national and EU-level funding for cybersecurity upgrades, training programmes and research initiatives, with specific budget thresholds for healthcare institutions. Promote cybersecurity careers through education, certifications and partnerships with academia and industry. 
  • Strengthen ISACs: Expand ISACs’ role by increasing awareness, engaging ENISA, empowering ISACs to lead coordinated responses and integrating them into EU frameworks for critical infrastructure protection. 
  • Establish rapid-response cybersecurity units: Require Member States to mandate rapid-response teams within healthcare systems to ensure service continuity and conduct annual cybersecurity exercises to enhance preparedness. 
  • Clarify and streamline NIS2 implementation: Publish harmonised guidelines aligning NIS2 with other regulations to avoid duplication. 

By addressing these priorities, the action plan can unify Member States in creating a resilient healthcare cybersecurity framework, ensuring the safety and sustainability of Europe’s healthcare systems. 

For more information, please contact
Gianluca Violante
Senior Manager for Digital Health Policy
Alberto Di Felice
Policy and Legal Counsel