New EU Commission to Unveil Healthcare Cybersecurity Plan in First 100 Days

Ensuring the European healthcare sector is well-equipped to respond to cyber-attacks will be a top priority for the newly elected European Commission.

The Commission will start working to achieve this objective during Ursula von der Leyen’s first 100 days, said Christiane Kirketerp de Viron, Acting Director for Digital Security, Trust, and Cybersecurity at the EU Commission’s DG Connect, during the Financial Times Cyber Resilience Summit Europe, in London on November 27.

De Viron said that while the first Von der Leyen Commission was focused on establishing cyber regulation standards with the updated Network and Information Security Directive (NIS2), the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and the AI Act, the new Commission’s efforts should be on implementation.

De Viron explained, “Because hospitals are increasingly targeted and the healthcare sector is such a diverse industry, we’re now going to zoom in on hospitals and healthcare providers particularly. A large majority of hospitals have never done a security risk assessment.”

The next European Commission, headed by Von der Leyen, is set to take office on December 1, 2024, and begin a five-year legislative cycle.

A new action plan on cybersecurity for hospitals and healthcare providers will be presented in the first 100 days of the new mandate, confirmed de Viron. This was originally suggested in the Political Guidelines 2024-2029 document published before Von der Leyen’s reappointment as president of the EU executive.

In a November NIS Investments 2024 report, the EU Agency for Cybersecurity (ENISA) found that the healthcare sector is the industry in which data breaches cost the most, with the average cost of a health data breach at around €8.4m ($8.9m) compared to €4.4m ($4.65m) across all sectors.

Healthcare Security Guidelines and Data-Sharing

Neither de Viron nor Von der Leyen’s Political Guidelines 2024-2029 have given any precise details on what this healthcare cyber action plan might be.

However, Michael Nicholls, VP for Cybersecurity Services at Bureau Veritas, told Infosecurity that it will probably not be translated into new regulations.

Alvaro Garcia-Delgado, from the EU Embassy in London, agreed. “Now that we’ve established many legislative frameworks, it’s time to put them into practice,” he told Infosecurity.

“Healthcare systems across Europe are very different and include a range of organizations from fully public to fully private ones, including hybrid public-private partnerships,” Garcia-Delgado added. “And don’t forget, healthcare is not part of the EU’s prerogatives but is member-states' responsibility. The EU has only timidly started to get involved since COVID-19.”

He said the action plan will likely “aim to explain some basic security best practices and measures to adopt to healthcare stakeholders, from health-related government agencies to hospitals, healthcare providers and patients.”

Specifically, Nicholls believes it could take the form of ENISA’s toolkits and guidelines dedicated to healthcare cybersecurity across Europe.

Speaking at the Financial Times’ event, Saira Ghafour, Digital Health Lead at Imperial College London’s Institute of Global Health Innovation, said, “While hospitals are very attractive targets, we are lucky that cyber threat actors do not actually understand how most IT, Internet-of-Things (IoT) and operational technology (OT) systems the sector heavily relies on work. If they did, the impact would be much worse.”

The upcoming action plan represents a pivotal opportunity for the EU to enhance the healthcare sector's cyber resilience, focusing on implementing robust practices and fostering cross-border cooperation and knowledge sharing across the Union.