The European Union is ramping up support, an early-warning system and rapid response teams to help its hospitals fight off cyberattacks from hacker groups, it said Wednesday.

The European Commission unveiled a new “action plan” on cybersecurity for hospitals and the health care sector, in response to a spate of devastating attacks that hit Ireland, France, the United Kingdom, Finland and other countries since the start of the coronavirus pandemic early 2020.

“This is one of our sectors where we can see that [there are] massive cyber attacks, and we have to support [so] they are better prepared,” European Commission tech and security czar Henna Virkkunen, who presented the plan Wednesday, told POLITICO ahead of the launch.

National governments reported 309 significant cybersecurity incidents affecting the health care sector in 2023 — more than in any other critical sector, the Commission said.

The plan is a key pledge of Commission President Ursula von der Leyen — a medical doctor herself — to be completed during the first 100 days of her second term.

The plan proposes setting up a European Cybersecurity Support Center for hospitals and the health care sector at the EU's cybersecurity agency ENISA. That support center will provide tools and services including an early warning system, testing and assessing hospitals’ cybersecurity standards, sharing information about vulnerabilities that hackers are exploiting and guidance on how to respond to incidents.

ENISA will get extra funding for this, an EU official granted anonimity to discuss details of the plan told reporters in Brussels. But exactly how much funding — like many other elements of the plan — is yet to be decided.

Asked whether the plan will involve new funding, Virkkunen said that “always more funding would be welcome,” adding this is something that will be discussed in upcoming consultations with EU countries.

The Commission also plans to set up a rapid response service specifically for the health sector, to be organized via the EU Cybersecurity Reserve, an emergency response mechanism that's part of another EU cyber law, the Cyber Solidarity Act.

The plan also introduces “cybersecurity vouchers,” which will allow EU countries to give cash to small hospitals and health care providers for cyber resilience. These will operate similarly to so-called innovation vouchers previously used by the EU, but no specific amount has been set aside yet, the EU official said.

The plan also suggested that EU governments request that health care entities tell authorities when they have paid or plan to pay a ransom to resolve a ransomware attack. Such an attack entails that hackers block computer systems and demand a ransom payment in exchange of handing back data. The Commission also plans to make decryption tools, which allow organizations to get their data back without paying the ransom, more readily available.

The EU executive will now consult on the action plan, most of which is expected to take place later this year.

Politico

More about: