A spate of devastating attacks on the health care sector prompts Brussels to ramp up funding and threat intelligence.
The European Union is coming to the aid of hospitals and health care providers to help fend off rising cyberattacks that have plagued the critical sector.
The European Commission will present an “action plan” on strengthening cybersecurity in the sector on Wednesday. It’s expected to include additional funding dedicated to testing and securing hospitals’ technical infrastructure, guidance on how to apply existing rules such as the EU’s NIS2 cybersecurity directive and better information-sharing.
The sector has been under heavy fire from cybercriminals, especially since the 2020 coronavirus pandemic put the sector under strain. Attacks in Ireland, France, the United Kingdom and Finland have caused widespread panic in recent years — and one attack in 2020 in Germany even prompted a murder investigation after a woman died while being transferred to another hospital, though those charges were later dropped.
The plan is part of the list of priorities that Commission President Ursula von der Leyen — a medical doctor by training — pledged to introduce in her first 100 days in office. It was due to be published next week but was brought forward because von der Leyen’s illness has delayed the EU’s new Competitiveness Compass.
Stavros Lambrinidis, the EU’s ambassador to the United Nations, described health care ransomware attacks as “a rapidly escalating threat with far-reaching consequences” at the U.N. Security Council briefing in November.
“Every 11 seconds a ransomware attack takes place, a rate expected to escalate to an attack every 2 seconds by 2031,” he said. These attacks put patients’ lives at risk, destabilize health care systems and undermine trust in essential public services, he said.
They also weigh heavily on hospitals’ budgets. According to the EU’s cyber agency ENISA, the median cost of a major security incident in the health sector is €300,000.
The core of the problem is that many hospitals are underfunded, and what cash they do have is funneled toward patient care. They are also chaotic and complex environments where it’s hard to keep a close eye on people and technology — the two key vulnerabilities that allow most cybercriminals to succeed.
For example, an EU-funded project to improve hospital cybersecurity found that, in the course of a single day, nurses often had to log in to computer systems more than 80 times. That led to bad practices like sharing passwords or writing them on a piece of paper next to the computer.
Money and information
The challenge is “mainly budgets, and a complex [technological] landscape,” said Wim Hafkamp, head of the computer emergency response team for the Dutch health care sector and chair of the European Health Information Sharing and Analysis Centre.
“The focus of resourcing and administration is always on the patient, as it should be, and IT systems have often historically tended to play second fiddle to that,” Richard Browne, head of Ireland’s cyber agency told POLITICO.
Technology and security issues “get pushed to the side to ensure that patient welfare is prioritized,” Browne said. That’s “great, until the day it’s not,” he said. For Ireland, that day came in May 2021 when it suffered a devastating cyberattack that Browne described as “very, very challenging.”
Browne pointed to existing European projects — on sharing financial information and mimicking cyber threats to better prepare — as examples the health care industry could emulate. Others, such as the EU’s cyber crisis liaison organization network, could be used as molds for a health care specific initiative.
With attacks ramping up across Europe, coordinating and sharing information may be key. An incident in one organization “is a warning for all the others,” Hafkamp said. “If now a hospital in Madrid is hit by a ransomware attack, we should immediately distribute the indicators of attack and indicators of compromise to all the other hospitals all over Europe.”
