EU unveils cybersecurity action plan for healthcare

BELGIUM – The European Commission has rolled out a comprehensive action plan to enhance cybersecurity in the healthcare sector, which has been disproportionately affected by cyberattacks compared to other industries.

With nearly half of Europe’s hospitals falling victim to cyber threats, Health Commissioner Oliver Varhelyi emphasized the urgent need for intervention.

This move aligns with Commission President Ursula von der Leyen’s commitment to address the issue within the first 100 days of her second term.

The newly proposed plan includes several measures to address the sector’s vulnerabilities. One of the key initiatives is the establishment of a Cybersecurity Support Centre within the EU Agency for Cybersecurity (ENISA).

This center will provide tailored cybersecurity support to health organizations and develop resources for training healthcare professionals.

By 2026, the plan also aims to implement an EU-wide threat warning system to detect and mitigate cyber risks.

No additional funding

Despite these ambitions, the plan does not allocate additional funding to ENISA. Instead, the European Commission proposes the creation of a healthcare-specific response mechanism within the EU Cybersecurity Reserve, a component of the Cyber Solidarity Act (CSA).

This reserve is designed to help EU countries manage large-scale cyber incidents by offering technical support, coordination, and financial assistance.

The Commission also intends to utilize the Cyber Diplomacy Toolbox, an EU mechanism for coordinating diplomatic responses and sanctions, to deter harmful cyber activities targeting healthcare organizations.

Additionally, it recommends the introduction of “Cybersecurity Vouchers,” which would help small healthcare organizations increase their cybersecurity spending.

These vouchers are modeled on innovation vouchers that have successfully supported funding for small and medium enterprises (SMEs).

Report ransom payments

One controversial aspect of the plan is the encouragement for healthcare organizations to report ransom payments.

Although national governments typically advise against paying ransoms, many institutions do so to regain control of their systems, often avoiding reporting the incidents.

This reluctance hinders transparency and complicates efforts to track and address cyber threats.

The healthcare sector is already subject to EU cyber regulations such as the NIS2 Directive, which establishes standards for cybersecurity and reporting for critical entities.

However, delays in transposing the directive in many EU member states have created gaps in implementation.

Similarly, the Cyber Resilience Act (CRA), which aims to protect products and software components, also applies to the healthcare sector.

Henna Virkkunen, the European Commission’s Executive Vice-President for Tech Sovereignty, and Health Commissioner Varhelyi presented the action plan.

“We need to have everything in place to detect [cyber threats] and to quickly respond and recover,” Virkkunen stated.

Favored target for cybercriminals

The plan also highlights the alarming prevalence of ransomware attacks in the healthcare industry.

ENISA data shows that between January 2021 and March 2023, 54% of attacks targeting the health sector were ransomware, with hospitals accounting for 42% of cases.

The high stakes in healthcare, where disruptions can have life-or-death consequences, make it a prime target for cybercriminals.

Unfortunately, the sector often lags in cybersecurity maturity, as investments are typically directed toward medical equipment rather than IT systems.

Hiring cybersecurity professionals remains another challenge, as the private sector offers more competitive opportunities.

The Commission’s action plan is expected to undergo public consultation, leading to a non-binding recommendation by the end of 2025.