Why cybersecurity in healthcare matters more than ever
208. That is the number of cyberattacks on the health sector reported to ENISA, the European Union Agency for Cybersecurity, between January 2021 and March 2023. During and after the COVID-19 pandemic, cyberattacks on healthcare providers, such as public hospitals, clinics and general practitioners, increased sharply. The practical consequences of such attacks, notably when they hit hospitals, are alarming: delayed medical procedures, gridlocked emergency rooms and, in extreme cases, loss of life. The economic cost is also staggering: ENISA estimates the average cost of a data breach in the health sector at €8.4 million. Ransomware, malicious software that encrypts a victim's data or locks their systems and demands a ransom payment to restore access, accounts for the majority of reported cyberattacks against the health sector, which indicates that cybercriminals' primary motive is financial gain.
In light of this dire situation, the European Commission released its Action Plan on the cybersecurity of hospitals and healthcare providers on 15 January 2025. The Plan aims to enhance prevention, improve preparedness and foster a more coordinated approach to solidarity, while leveraging the expertise of the European cybersecurity industry. It revolves around four goals: preventing cyberattacks, detecting them, responding to and recovering from incidents, and deterring attackers. In parallel with the publication of the Action Plan, the Commission is launching a stakeholder consultation to refine it further. This consultation is an opportunity for cybersecurity companies to showcase their expertise and to ensure that the Plan is workable and delivers genuine results for healthcare facilities.
Existing EU legislation
While securing health systems is primarily a national competence, the EU adopted the NIS2 Directive in 2022, establishing a unified legal framework to uphold cybersecurity in 18 critical sectors, including health. Member States had until 17 October 2024 to transpose it into national law. Under NIS2, hospitals and other entities in the healthcare sector have several obligations: cybersecurity risk management measures, incident reporting (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours and a final report within one month), plans to ensure the continuity of critical services, and cybersecurity awareness raising and training for employees.
The need for strong data security is amplified by the adoption in 2024 of the European Health Data Space (EHDS), which sets out a health-specific framework for the use of electronic health data by patients and for research, innovation, policy making, patient safety, statistics and regulatory purposes. Without confidence in the security of health data, which is particularly sensitive for patients, the EHDS cannot materialize.
ENISA’s Cybersecurity Support Centre: a hub of opportunity
A key announcement of the Plan is the establishment in 2025, under ENISA, of a European Cybersecurity Support Centre for hospitals and healthcare providers. The Support Centre will:
- develop a comprehensive service catalogue, outlining the range of available services for preparedness, prevention, detection and response. It will develop a user-friendly, easy-access repository of all available instruments at European, national and regional levels.
- launch pilots across the EU to develop best practices for cyber hygiene and security risk assessment.
- develop clear, targeted guidance that highlights the most critical cybersecurity practices and aids healthcare providers in implementing them.
- create extensive, easy-to-access online training modules and courses.
- introduce a ransomware recovery subscription service, helping hospitals and healthcare providers prepare recovery plans in advance.
If you are a cybersecurity company (for example in network or endpoint security, threat intelligence, or identity and access management), it will be important to engage with the Support Centre early, both to ensure that your products or services are included in its service catalogue and to contribute to the guidance, pilots and training materials the Support Centre will develop in 2025 and 2026.
Key actions and how cybersecurity companies can engage
The Action Plan details more actions for the Commission, ENISA and Member States to improve cybersecurity of the health sector. The table below outlines a number of actions in which cybersecurity companies can play an active role.
| ACTIONS | DATE | WHAT CAN CYBERSECURITY COMPANIES DO? |
| --- | --- | --- |
| Ensure the EU Cybersecurity Reserve includes a Rapid Response Service specifically for the health sector | Q4 2025 | The EU Cybersecurity Reserve provides incident response services from private service providers. Your company can put forward experts for the Reserve, and specifically for the Rapid Response Service. |
| Set up a joint Health Cybersecurity Advisory Board to advise the Commission and the Support Centre | Q1 2025 | The Board will consist of high-level representatives from both fields, healthcare and cybersecurity. Your company can put forward experts for the Board. |
| Launch a call for action for cybersecurity companies, foundations, educational institutions and industry stakeholders to pledge actions addressing the challenges in the health sector | Q2 2025 | Your company can sign the pledge; this will reinforce your visibility with EU policymakers. |
| ENISA will develop a framework for cybersecurity maturity assessments specific to healthcare | Q3 2025 | Your company can engage with ENISA to help develop the framework. |
| ENISA will develop new procurement guidelines for the cybersecurity of hospitals and healthcare providers | Q3 2025 | Your company can engage with ENISA to help develop the procurement guidelines. |
| Creation of a European Health Chief Information Security Officers Network | Q1 2026 | Your company can put forward experts for the network; this will reinforce your visibility at the EU level. |
| ENISA will introduce an EU-wide early warning subscription service for the health sector | As of 2026 | Your company can engage with ENISA to help develop the subscription service. |
| Member States will create national action plans focused on cybersecurity in the health sector | Q4 2025 | Your company can engage with the authorities of the Member States in which it is based or operates to help develop the national plans. |
Financing options
Funding is a major obstacle for healthcare providers trying to implement cybersecurity measures. The Action Plan therefore suggests that Member States create Cybersecurity Vouchers for micro, small and medium-sized hospitals and healthcare providers to put in place specific cybersecurity measures, with the European Regional Development Fund seen as a possible vehicle for financing these vouchers. Other existing EU funds, such as the Digital Europe Programme, Horizon Europe and Erasmus+, could also be drawn on to finance the outcomes of the pilots on best practices and security risk assessment.
Lykke Advice specializes in helping SMEs engage at the EU level. If you are a cybersecurity company, we can help you act on all the opportunities mentioned in this article and raise your company's profile with EU policymakers. Please contact us if you wish to learn more about the opportunities offered by the Action Plan.