Saturday, April 19, 2025

Cybersecurity requires new approaches in which all stakeholders contribute


With the rise of digital healthcare transformation and improvements in data quality, IT systems in healthcare are becoming an increasingly attractive target for malicious actors. A cyber attack can cripple an institution, disrupt the provision of services and cause harm to patients.

The main threats to healthcare organisations include ransomware, breaches caused by cloud vulnerabilities and misconfigurations, malicious bot traffic and phishing. Ransomware accounts for 54% of all breaches in healthcare, costing healthcare organisations an average of EUR 300,000 per incident, according to the European Union Agency for Cybersecurity (ENISA). With connected medical devices now part of patient care, the threat of attack extends beyond traditional IT systems.

“Connected medical devices, such as infusion pumps, pacemakers and imaging systems, often run on outdated software, lack encryption or are incorrectly configured,” said Nana Odyom, head of clinical engineering at Cleveland Clinic London. “This creates highly vulnerable entry points for attackers.”

The emergence of AI-powered attacks has increased the risk.

Defensive training for a new era

“You once had to worry about phishing attacks. Now you have to worry about deepfakes and voice fakes created by AI,” David Wall, CIO of Tallaght University Hospital in Ireland, who experienced a cyber attack in 2021, pointed out in an interview with HIMSS TV. “You think you’re talking to a friend, but you’re not really talking to a friend.” This creates the need for updated staff training in information security.

“Ongoing training and awareness of employees is really important,” said Wall. “It is important that employees do not become disconnected, so carrying out simulated phishing attacks is really, really important. This should take place every week, every day or every month, and organisations should coordinate different types of simulation. It may be a direct attack on the finance department or a hospital-wide test, such as a fake free voucher for a local supermarket.”

Some healthcare organisations are already implementing measures to meet these challenges. Odyom explained that at Cleveland Clinic London security assessments are carried out as part of the procurement process, shifting the focus from reactive fixes to proactive prevention.

Despite this, the ENISA report reveals widespread cybersecurity deficiencies in healthcare organisations: 95% struggle with risk assessments, and 46% have never carried one out. What’s more, 40% have no security awareness training for non-IT staff, and only 27% of organisations have a dedicated ransomware defence programme. These deficiencies often stem from basic misunderstandings about healthcare technology.

“Many think that once a medical device is implemented, it operates in isolation without the need for updates,” he said. “However, these devices often run on commercial operating systems that require regular patching to close security gaps. Healthcare technology management (HTM) teams encounter resistance when implementing firmware updates or security patches because of fears of disrupting clinical workflows or voiding the warranty. Unpatched devices are a significant security risk.”

Protection plan

In response to widespread gaps and escalating threats, the European Commission presented a comprehensive action plan in January 2025. At the heart of the Commission’s strategy is the establishment of a pan-European cybersecurity support centre under ENISA. The centre will provide healthcare institutions with tailored guidance, tools, training and services, including cybersecurity best practices, regulatory mapping tools, early warning services and incident response playbooks.

The plan introduces several measures:

  • Mandatory ransomware reporting: Member States may require healthcare providers to disclose ransom payments as part of cybersecurity incident reporting under the NIS2 Directive.
  • Supply chain security: A risk assessment of medical equipment supply chains will be carried out. The support centre will provide procurement guidance for managing risks related to cloud services and third-party providers.
  • Cybersecurity of medical devices: Manufacturers are encouraged to report cyber incidents and security vulnerabilities via the ENISA reporting platform.
  • Industry cooperation: The European Health CISO Network will facilitate knowledge sharing between cybersecurity specialists, while the European Health ISAC will improve coordination between suppliers and manufacturers. The Cybersecurity Advisory Council will guide the implementation of the plan.

Building on existing cybersecurity regulations, including the NIS2 Directive, the Cybersecurity Act, the Cyber Resilience Act and the act on cybercrime, the plan also introduces stronger requirements for management involvement, and the NIS2 Directive establishes executive liability for cybersecurity readiness.

For implementation to be effective, ENISA emphasises the importance of collective action, recommending essential cybersecurity controls such as encrypted backups, comprehensive staff training, robust vulnerability management and solid incident response plans. This shift towards collective responsibility is a fundamental change in healthcare’s approach to cybersecurity.

“Cybersecurity will no longer be seen as an IT function,” predicted Opan. “Instead, it will become an organisation-wide responsibility as part of a unified governance framework, supporting a positive cybersecurity culture. Patients will also play a more active role, demanding secure platforms and accountability from their healthcare providers.”
