An intense debate on the European Action Plan on Cybersecurity for Hospitals and Healthcare Providers unfolded before the European Parliament’s Public Health Committee (SANT). MEPs expressed concern over the lack of clarity on the funding of the plan; European Commission representatives provided nebulous answers.

Marco Marsella, Director for EU4Health Digitalisation and Health Systems Modernisation at the Directorate-General for Health and Food Safety (DG SANTE), opened the 19 February exchange by highlighting the seriousness of cyberattacks on healthcare facilities. “Cyberattacks on hospitals can directly threaten people’s lives and safety,” he warned.

Mr Marsella sought to assure the Committee that the proposed action plan did not impose any additional regulatory burden on member states, and stressed the need for full attention from all stakeholders. “We are witnessing the evolution of digital technologies, but what is essential for the digitalisation of healthcare is trust. That is what will help us achieve our goals,” he said, adding that cybersecurity is also a driving force for the successful implementation of the European Health Data Space (EHDS).

After Mr Marsella, Christiane Kirketerp de Viron took the floor. The acting director for digital society, trust and cybersecurity at the European Commission’s Directorate General for Communications Networks, Content and Technology (DG CONNECT) pointed to the current lack of awareness of cybersecurity among hospital staff. “We are addressing the issue of low to moderate awareness of hospital staff about cybersecurity,” she assessed.

You might be interested

Ms Kirketerp de Viron also pointed out that the number of ransomware attacks on hospitals is increasing and accounts for about 43 percent of all recent cyberattacks. “This is a trend that we know is on the rise, which is why we want to take decisive action,” she added.

Vague answers

While not going into minute detail, the DG CONNECT acting director described that support for hospitals to raise awareness and improve protection against cyber threats would work in the form of some sort of vouchers. “Prevention is better than cure. We need to work with individual entities, provide them with guidance and tools so that they can increase their level of awareness,” she said.

However, during the following exchange of views, MEPs expressed dissatisfaction with the lack of clarity on the funding of the action plan. Tomislav Sokol of the EPP group said he supported the plan, but warned in the same breath: “There is plenty for us to implement, but no concrete figures on funding are available. How much money will be spent by the member states and how much by the EU? Which budget will the money come from? These are very important things.” Vytenis Andriukaitis of the S&D group also demanded details on funding, as did non-attached MEP Kateřina Konečná.

In response to these questions, Ms Kirketerp de Viron had little clear information to offer. She resorted to saying that member states will contribute to the financing of the plan as part of a joint effort, as it is a “shared responsibility”. On the issue of European funds, she said that the Digital Europe programme was to be tapped into.

Crippling vital processes

The European Commission presented an action plan for the cybersecurity of hospitals and healthcare providers in mid-January this year. The plan focuses on more effective detection and identification of cyber threats, minimising the negative impact of cyberattacks as well as deterring cyberattackers, and is to be implemented jointly with healthcare providers, member states and the cybersecurity community.

The European Commission’s plan seeks to respond to the growing threat cyberattacks pose to hospitals. Such attacks may delay medical procedures, grind emergency rooms into a halt, or disrupt vital services. In 2023, 309 major cybersecurity incidents were reported in European Union member states, more than in any other critical sector. This is why the fight against cyber-attacks is one of the EU’s priorities; the European Commission President Ursula von der Leyen announced the Action Plan as one of her top priorities after her re-election.

The plan proposes, inter alia, that the EU cybersecurity agency ENISA should set up a pan-European cyber security support centre for hospitals and healthcare providers, providing them with bespoke guidance, tools, services and training. The initiative builds on a broader EU framework for strengthening cybersecurity across critical infrastructure. The inititative makes healtcare the first sector to introduce a full range of EU cybersecurity measures.