
The European Commission has unveiled an action plan aimed at bolstering the healthcare sector’s defences against ransomware and cyberattacks. However, the plan offers no new funding, instead pointing healthcare providers to existing EU funding programmes like Digital Europe and Horizon Europe.
The initiative comes in response to a surge in cyberattacks on hospitals across the EU over the past four years, which have disrupted medical procedures, caused emergency room delays, and jeopardised patient care. Commission President Ursula von der Leyen had pledged to prioritise this issue within the first 100 days of her second term.
Despite recognising the critical need for enhanced cybersecurity, the 23-page plan concedes that securing health systems is largely the responsibility of individual member states. Although the EU’s NIS2 directive requires critical infrastructure entities, including healthcare providers, to meet minimum cybersecurity standards, only six of the 27 member states have fully implemented the directive.
Key elements of the plan include guidance from the European Union Agency for Cybersecurity (ENISA), which will establish a European Cybersecurity Support Centre for hospitals. The centre will not provide direct support but will compile a catalogue of available services for improving preparedness, prevention, detection, and response to cyber threats.
Member states are encouraged to consider additional measures such as cybersecurity vouchers to assist healthcare providers. However, the financial burden of these initiatives would primarily fall on individual countries.
Critics have noted that the plan highlights systemic issues, such as limited funding and inadequate cloud service security in the healthcare sector, without proposing significant market interventions.
The action plan will undergo consultation, with stakeholders invited to provide input. A refined version is expected in late 2025.
For hospitals grappling with increasingly sophisticated ransomware threats, the lack of immediate, tangible support has raised concerns about the feasibility of achieving robust cybersecurity across the EU healthcare sector.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543