Questions and answers on cybersecurity of hospitals and healthcare providers
Q&A on cybersecurity of hospitals and healthcare providers
Why has the European Commission proposed an Action Plan on cybersecurity in healthcare?
Cyber threats to healthcare systems are increasing, both in frequency and sophistication. Hospitals and healthcare providers, which are critical infrastructures of our health systems, are particularly vulnerable to cyberattacks, such as ransomware or data breaches. These incidents can disrupt vital medical services and compromise patients' safety and their data.
The Commission is acting with urgency to address these challenges, ensuring that the digital transformation of healthcare is both secure and trustworthy.
How does the Action Plan foster trust among patients and health professionals?
Trust is a cornerstone of digital healthcare. By ensuring that systems are secure and resilient, the Action Plan reassures patients that their data is safe and their care will not be disrupted.
For health professionals, the plan provides tools and training to help them navigate digital platforms confidently. This dual approach — protecting both patients and professionals — creates a healthcare environment where digital tools are embraced and trusted.
How does this Action Plan complement existing EU legislation, such as the NIS2 Directive?
The Action Plan builds on the existing legislative framework in the field of cybersecurity - in particular the NIS2 Directive, the Cyber Solidarity Act (including the Cybersecurity Emergency Mechanism), the Cybersecurity Act (including the European cybersecurity certification), the Medical Devices Regulation and the Cyber Resilience Act. These provide a high common level of cybersecurity across the EU.
The NIS2 Directive, which sets out obligations for critical sectors including healthcare, expands the scope of cybersecurity requirements to essential services covering EU reference laboratories, entities conducting research and development activities of medicinal products, manufacturers of basic pharmaceutical products and preparations (including vaccines), manufacturers of medical devices considered as critical during a public health emergency.
On the Action Plan's side, the focus is specifically on the unique vulnerabilities and needs of hospitals and healthcare sites.
The Action Plan is first and foremost about supporting the sector to take the basic cybersecurity measures that we know will shift the odds of a cyber incident. It ensures that healthcare systems are equipped to handle the specific risks they face. It pays particular attention to capacity building, investments and to helping hospitals and health care providers take the necessary cybersecurity preparedness measures. It also establishes ways to help such entities if an incident strikes, to make sure that response and recovery are as swift and efficient as possible, so normal operations can be reinstated quickly.
What will be the role of the new European Cybersecurity Support Centre for hospitals and healthcare providers?
The Action Plan proposes, among others, to establish a pan-European Cybersecurity Support Centre for hospitals and healthcare providers to provide them with tailored guidance, tools and services. ENISA, the EU agency for Cybersecurity, will establish the Centre within its own structures. It will ensure the implementation of the Action Plan in a coherent and streamlined manner, while avoiding the creation of new administrative structures.
The Support Centre will develop a comprehensive service catalogue of concrete solutions that strengthen the cybersecurity of the sector. It will work with Member States and draw from practical experiences of healthcare organisations.
How does this Action Plan support the European Health Data Space?
The European Health Data Space (EHDS) is the EU's flagship project to digitalise healthcare, which establishes clear rules for the use of health data for better healthcare delivery, research, innovation, and policymaking.
Resilient and secure infrastructure is essential for the implementation of the EHDS. This Action Plan sets out concrete actions for securing data processing in hospitals and healthcare providers, which act as both providers and users of health data in the EHDS.
In addition to this Action Plan and the cybersecurity legislation, the forthcoming EHDS Regulation also provides specific safeguards for the processing of personal health data. For example, it contains safeguards in relation to log-in and identification management in electronic health record systems or the reuse of data in secure processing environments.
How will the Action Plan ensure that patient care is not disrupted by cyber incidents?
One of the core pillars of the Action Plan is rapid response and recovery.
This includes:
- Developing a ransomware recovery subscription service and expanding the repository of available ransomware decryption tools
- Encouraging hospitals to adopt robust backup systems to protect critical data.
- Enhancing crisis response capabilities through training and cooperation at the EU level.
These measures aim to minimise the impact of cyber incidents on healthcare services, ensuring that patients receive uninterrupted care.
What role do Member States play in the implementation of this Action Plan?
Member States will play a critical role in implementing the Action Plan by:
- Coordinating national cybersecurity strategies for healthcare.
- Sharing threat intelligence and best practices across borders.
- Supporting hospitals and healthcare providers in adopting the necessary measures.
Member States are encouraged to create national action plans focused on cybersecurity within the healthcare sector. These plans would outline the specific cybersecurity risks faced by healthcare systems and the national actions being taken to address them, while also ensuring that European-level resources and practices are effectively deployed.
How will the success of the Action Plan be measured?
To measure the success of this plan, ENISA, in consultation with the Commission, will regularly report on its progress to the relevant groups and organisations. These reports will include data from the EU Cybersecurity Index, which will help assess how well the healthcare sector is doing in terms of cybersecurity. This information will show whether the plan is working and making a positive impact.
What can patients do to support the goals of the Action Plan?
Patients can contribute by staying informed about cybersecurity and taking steps to protect their own digital health data. For example:
- Using reliable authentication mechanisms (e.g., the EU Digital Identity Wallet) for online health portals.
- Reporting suspicious activities, such as phishing attempts.
- Trusting healthcare providers that follow EU-recommended cybersecurity measures.
A secure healthcare ecosystem depends on active participation from everyone.
What is the timeline for implementing the Action Plan?
This Communication sets out a clear plan to make the European healthcare sector safer from cyber threats. The plan creates a central hub for cybersecurity support, making it easier for hospitals and healthcare providers to work together to stay safe online.
This plan is just the beginning. The Commission is starting a wider conversation with all stakeholders, including healthcare providers, governments, and experts, to hear their ideas and feedback. The Commission will use this input to make the plan more detailed and targeted to the needs of hospitals and other healthcare providers. These recommendations will be shared by the end of 2025.
To achieve this goal, the Commission is calling on all Member States and stakeholders to work together to make the healthcare sector more cybersecure.
For More Information
Action plan on the cybersecurity of hospitals and healthcare providers
