By Oguzhan Yesiltuna, 13 March 2025
In 1884, Anton Chekhov wrote the following to his brother Alexander: “Don’t tell me the moon is shining; show me the glint of light on broken glass.” This phrase, which favours demonstrating over stating in writing, has since been seen as the foundation of the established narrative technique of “show, don’t tell”. The escalating frequency and financial impact of threats against healthcare cybersecurity are undeniable. The establishment of resilient policies and strategies is, therefore, fundamental to safeguarding the health and safety of individuals in the digital realm. The EU not only seems to be telling this, but also to be showing it through its intensified efforts, the most recent of which is the Action Plan on the Cybersecurity of Hospitals and Healthcare Providers (AP). This blogpost explores key considerations surrounding this initiative.
Healthcare Cybersecurity in the EU
Healthcare across the EU is undergoing a transformation, with the IoMT, medical AI, and health data usage becoming standard. While these advancements improve efficiency, they also expand the surface for cyberattacks. Indeed, the European healthcare sector is facing an increasing number and variety of cyber threats (particularly ransomware attacks), making cybersecurity a high priority. Recognising that healthcare cybersecurity is an essential component of the EU’s social model, the relevant framework is evolving through both horizontal and sector-specific legislation. The GDPR, MDR and IVDR, Cybersecurity Act, NIS2 Directive, AI Act, Cyber Resilience Act, Cyber Solidarity Act, and EHDS Regulation serve to ensure cybersecurity to the extent that they are applicable to healthcare (even though their greater coherence and synergies remain a key issue). Moreover, improving threat detection, preparedness, and crisis response were among von der Leyen’s electoral promises. Accordingly, the Commission developed the AP and published it on January 15.
Action Plan
The AP details a series of actions and a timeline for their implementation (see figure). While formally directed at the Commission, ENISA, and Member States (MSs), it promises substantial implications for all healthcare actors, including hospitals, clinics, care homes and rehabilitation centres, the pharmaceutical, medical and biotechnology industry, MD manufacturers, and health research institutions. The AP’s main highlight is the establishment of a dedicated European Cybersecurity Support Centre within ENISA’s organisation, which will serve as a hub for knowledge-sharing, training, and best practices in healthcare cybersecurity. Its service catalogue includes preventing cybersecurity incidents, European capabilities for detecting cyber threats against the health sector, and rapid response and recovery.
[Figure: the AP’s actions and their implementation timeline]
To secure healthcare supply chains, the AP tasks the NIS Cooperation Group with conducting a security risk assessment in coordination with the MDCG, encompassing both technical and strategic vulnerabilities. The findings of the risk assessment are expected to inform the formulation of mitigation strategies and the development of new Procurement Guidelines reflecting trends such as the cloudification of patient data. While not explicitly addressed in the AP, the need to revise MDCG 2019-16 remains a critical consideration. An earlier step that could be mentioned in this regard is the set of projects funded under the HORIZON call “Enhancing cybersecurity of connected medical devices”. Of these projects, CYMEDSEC, of which VUB HALL is a consortium partner, aims at enhanced cybersecurity for networked MDs through optimisation of guidelines, standards, risk management and security by design.
To enhance threat detection and situational awareness, the AP encourages MSs to share all cyber incident notifications from hospitals and healthcare providers with ENISA. Similarly, it encourages MD manufacturers to voluntarily report vulnerabilities. ENISA is tasked with creating a European known exploited vulnerabilities (KEV) catalogue and introducing an EU-wide early warning subscription service for the health sector, leveraging data from various sources. Furthermore, strengthening the European Health Information Sharing and Analysis Centre (ISAC) and promoting national health ISACs is crucial for information sharing and collaboration between the public and private sectors, including healthcare providers and manufacturers, to improve product security and supply chain resilience. Recognising a shortage of cybersecurity professionals, the AP also promotes collaboration with the Cybersecurity Skills Academy, including the potential creation of a European Health CISOs Network.
As for swift and effective incident response, EU support is planned to be available via the Cybersecurity Reserve, which should include a health-specific Rapid Response Service. The AP further emphasises the development of healthcare-tailored cyber incident response playbooks. It also provides specific measures for ransomware attacks, including mandatory reporting of ransom payments, secure backups for recovery, a ransomware recovery subscription service, ENISA’s and Europol’s expansion of decryption tool availability, and guidance against ransom payments. International cooperation against ransomware threats through initiatives like the Counter Ransomware Initiative and the G7 Cybersecurity Working Group is underlined.
The AP’s success relies on MS commitment. To facilitate implementation, MSs are requested to establish National Cybersecurity Support Centres for hospitals and healthcare providers. They should also develop national APs. Resource sharing, through joint procurement or pooled resources, is encouraged to ease the financial burden on healthcare providers. MSs should address underinvestment in healthcare cybersecurity by setting non-binding benchmarks and monitoring funding targets, ensuring security is integrated into all digital investments without compromising patient care.
Moreover, the Commission will establish a joint Health Cybersecurity Advisory Board to ensure strong public-private cooperation. Additionally, a call for action will be launched, encouraging cybersecurity companies, educational institutions, and industry stakeholders to pledge actions to address the challenges. To deter cyber threat actors targeting the health sector, the EU will utilise its capabilities, including the Cyber Diplomacy Toolbox and cyber sanctions. MSs are also urged to integrate law enforcement into national APs, leveraging existing legal frameworks like the Directive 2013/40 and the Budapest Convention on Cybercrime.
Conclusion
While “show, don’t tell” is a well-established technique, it does not guarantee the overall success of a narrative. The efficacy of a narrative is also contingent upon its ability to sustain audience attention and to facilitate a dynamic engagement between the text and the readers’ efforts. The AP sets out an ambitious agenda by focusing on prevention, detection, response, and deterrence, aiming to ensure the health sector is better prepared against cyber threats. How these actions are received and implemented by stakeholders will be decisive for the EU to build a more cybersecure health system that can withstand evolving cyber threats while continuing to provide high-quality patient care.
Image created by Dall-E. Figure created by the author.
Acknowledgement
This work was supported by the European Commission under the Horizon Europe Program, as part of the project CYMEDSEC (101094218). Views and opinions expressed are, however, those of the author only and do not necessarily reflect those of the European Union. Neither the European Union, nor the granting authorities, can be held responsible for them. Responsibility for the information and views expressed therein lies entirely with the authors.