One of the priorities of the newly-approved Von der Leyen Commission II will be to strengthen the healthcare sector’s cyber resilience

## Analysis Summary
This summary is based on the anticipated focus of the next European Commission regarding cybersecurity enhancements specifically for the healthcare sector.
# Regulation/Compliance: EU Healthcare Cybersecurity Action Plan (Anticipated)
## Overview
This anticipated plan stems from the prioritization by the newly elected European Commission (under Ursula von der Leyen) to significantly enhance the cyber resilience of the European healthcare sector, which is frequently targeted and suffers the highest average cost for data breaches. The focus will shift from creating new regulations (like NIS2, CRA, DORA, AI Act) to ensuring the *implementation* of existing frameworks within hospitals and healthcare providers.
## Key Details
- Issuing Authority: European Commission (DG Connect), potentially involving the European Union Agency for Cybersecurity (ENISA).
- Effective Date (Action Plan Announcement): Within the first 100 days of the new mandate (post-December 1, 2024).
- Jurisdiction: European Union member states, specifically targeting their national healthcare systems.
- Status: Anticipated/Proposed Action Plan (following the establishment of major legislative frameworks).
## Requirements
### Mandatory Requirements
*Note: Specific mandates for the new action plan are not detailed, but are expected to drive compliance with existing EU frameworks.*
1. **Security Risk Assessment:** A large majority of hospitals currently lack security risk assessments; performing these will likely be a mandatory prerequisite or focal point.
2. **Implementation of Established Frameworks:** Adherence to security measures mandated or guided by NIS2, DORA, etc., within the context of healthcare operations.
3. **Focus on Diverse Systems:** Addressing cybersecurity risks across IT, IoT, and Operational Technology (OT) systems prevalent in healthcare.
### Recommended Practices
1. **Adoption of ENISA Guidelines:** Utilizing ENISA toolkits and guidelines specifically developed for healthcare cybersecurity across Europe.
2. **Cross-Border Cooperation:** Fostering knowledge sharing and collaboration on cybersecurity resilience among member states and healthcare providers.
3. **Adoption of Basic Security Best Practices:** Implementing fundamental security measures recommended for stakeholders spanning government agencies, hospitals, providers, and potentially patients.
## Affected Organizations
- Industries: Healthcare Sector (Hospitals, healthcare providers, health-related government agencies).
- Organization Size: Implied to cover all entities within the healthcare sector, regardless of public, private, or hybrid structuring.
- Geographic Scope: European Union Member States.
## Compliance Timeline
- **December 1, 2024:** Start of the new European Commission legislative cycle.
- **Within the first 100 days (Approx. Q1 2025):** Presentation of the new Action Plan on cybersecurity for hospitals and healthcare providers.
- **Ongoing (Five-Year Cycle):** Implementing and operationalizing the guidance derived from the Action Plan, building upon the existing compliance timelines for NIS2, DORA, etc.
## Implementation Guidance
### Assessment Phase
- **Conduct Security Risk Assessments:** Immediately assess current security posture, focusing on IT, IoT, and OT environments, as this has been identified as a common failure point.
### Implementation Phase
- **Leverage Existing Legislation:** Integrate the Action Plan's direction with the requirements already established by NIS2 and DORA obligations.
- **Consult ENISA Resources:** Adopt recommended security best practices and toolkits provided by ENISA for the sector.
### Validation Phase
- **Reporting/Oversight:** Compliance validation will likely be managed by national competent authorities, tied to existing reporting structures established under recent EU cybersecurity legislation.
## Technical Requirements
Specific technical details are forthcoming in the Action Plan. However, the focus implies requirements covering:
- Robust security for **Internet-of-Things (IoT)** medical devices.
- Security controls for **Operational Technology (OT)** systems managing critical infrastructure.
- Standardized data protection and breach reporting mechanisms aligned with EU regulatory norms.
## Penalties & Enforcement
- Fines: Given that the initial effort is focused on *implementation* rather than new primary legislation, enforcement might initially rely on existing penalty structures associated with frameworks like NIS2 if non-compliance results in security failures. Specific penalties for failure to adopt the new Action Plan's guidance are TBD.
- Other Consequences: Increased scrutiny from national regulators; significant reputational harm due to high average breach costs (€8.4m for health data).
- Enforcement: Likely enforced by national competent authorities within each Member State, who oversee the implementation of EU directives and regulations in their national jurisdictions.
## Related Standards
- **NIS2 Directive:** Providing the foundational regulatory backbone for critical infrastructure cybersecurity.
- **DORA (Digital Operational Resilience Act):** Highly relevant given the financial impact of breaches, applying resilience requirements to health entities that fall under its scope (e.g., certain digital service providers supporting health).
- **AI Act:** Relevant for the integration and security of AI systems used in healthcare.
- **ENISA Guidance:** Expected to serve as the primary, sector-specific technical standard reference.
## Resources
- Official Documentation: _Political Guidelines 2024-2029_ (for context on mandate focus).
- Guidance Documents: ENISA toolkits and subsequent official guidance documents released following the action plan announcement.
- Tools: Security risk assessment methodologies appropriate for OT/IoT environments.
## Practical Recommendations
1. **Prioritize Risk Assessment:** Hospitals must immediately initiate or accelerate comprehensive security risk assessments across all connected systems (IT/IoT/OT).
2. **Monitor Q1 2025 Outputs:** Actively track the publication date and content of the EU Commission’s Action Plan to prepare for immediate shifts in operational requirements.
3. **Align with Existing Law:** Ensure current compliance programs meet the foundational requirements of NIS2 and DORA, as the new guidance will build upon these established compliance baselines.