IT attacks: How the EU Commission wants to better protect the healthcare sector

Increased prevention and rapid response to attacks are at the heart of an EU plan for IT security for hospitals and healthcare providers.

The EU Commission wants to strengthen the IT security of hospitals and healthcare providers. To this end, it presented an action plan on Wednesday. Attacks can have fatal consequences. The Commission is now proposing that Enisa (the European Union Agency for Cybersecurity) set up a pan-European center to support IT security for the healthcare sector. The center is to provide operators with "tailored guidelines, tools, services and training".

The plan focuses on four areas. These include increased prevention and better identification of threats and response to attacks in order to minimize their impact. The topic of deterrence is also on the agenda: "cyber threat actors" are to be deterred from attacking European healthcare systems by means of diplomacy and sanctions, for example.

The healthcare system is encouraged to take preventative measures. Member states could also introduce vouchers to help small and medium-sized institutions financially. The center planned at Enisa is to develop an EU-wide early warning service by 2026 that will provide near real-time indications of potential threats. The initiative envisages a crisis response service for the healthcare sector as part of the EU cybersecurity reserve. Exercises are intended to prepare healthcare organizations for attacks such as ransomware. If relevant institutions receive ransom demands, they would have to report this and involve law enforcement authorities.

Specific measures are to be introduced gradually in 2025 and 2026, hand in hand with healthcare providers, EU countries and the IT security community. In preparation, the Commission wants to carry out a public consultation, the results of which should lead to further recommendations. "Patients must be able to rely on their most sensitive information being secure," emphasized Health Commissioner Oliver Várhelyi. Digitalization in the healthcare system, with its "unprecedented possibilities" for precision medicine, for example, is only as strong as the trust that it remains resistant to IT attacks.

According to the Commission, online attacks can delay diagnosis and treatment, cause blockages in emergency rooms and disrupt vital services. For 2023 alone, Member States reported 309 serious IT security incidents in the healthcare sector – more than in any other critical infrastructure sector. For Germany, the statistics for hospitals covered by the Kritis Regulation show a total of 61 cyberattacks in 2019. This was a significant increase compared to 2018, but the figures have been declining since then, the German government announced in April. In 2020, an attack on Düsseldorf University Hospital made headlines. Since 2022, all German hospitals below the Kritis threshold have also been obliged to take appropriate precautions.

(ds)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.