The European Commission has introduced an action plan to strengthen the cybersecurity of hospitals and healthcare providers across the European Union (EU). The initiative includes creating a pan-European Cybersecurity Support Centre, managed by the European Union Agency for Cybersecurity (ENISA, formerly the European Network and Information Security Agency), to address the rising number of cyber threats targeting healthcare institutions. In 2023 alone, 309 significant incidents were reported in healthcare, more than in any other critical sector.
“The healthcare sector faces the highest proportion of high-impact cybersecurity incidents,” Robin van Kessel, PhD, a Hoffmann fellow in health system financing and payment models at the London School of Economics, London, United Kingdom, and the World Economic Forum, told Medscape Medical News.
This disproportionate impact reflects the fact that healthcare organizations store a large amount of sensitive patient data, including medical histories, diagnoses, and treatment information. Cyberattacks on healthcare systems can disrupt critical medical services, thus causing potentially severe consequences for patient care and safety.
Stolen Medical Records
A cyber incident is an event where an attacker breaches or attempts to breach the security of a digital system, network, or service, potentially leading to unauthorized access, data theft, or service disruption.
Common types of cyber incidents include malware attacks such as viruses and ransomware, phishing schemes designed to trick users into revealing sensitive information, denial-of-service and distributed denial-of-service attacks that overwhelm systems, man-in-the-middle attacks that intercept communications, code injection attacks that manipulate software, supply chain attacks targeting third-party vendors, and insider threats posed by individuals within an organization.
When medical records are stolen, the implications can be severe for individual patients and society at large. “There are ways in which those data can be weaponized,” van Kessel said.
Stolen data can not only lead to impersonation and identity theft but can also create information asymmetry, he explained. If health data end up in the hands of insurance companies, for instance, the companies could discriminate against patients with preexisting conditions or chronic illnesses, resulting in higher insurance premiums or denial of coverage altogether. In Europe, great emphasis is placed on nondiscrimination, which is a fundamental principle, van Kessel said. “But when people know things that they are not supposed to know by law, this principle is threatened.”
The misuse of stolen healthcare data extends beyond individual harm. For instance, attackers can combine stolen health information with other data to create detailed profiles of individuals, which can then be exploited for targeted misinformation campaigns aimed at swaying public opinion or undermining trust in institutions.
Another concern is the potential use of stolen healthcare data to train artificial intelligence models. Even if the data are not directly disseminated, van Kessel said, they could inform predictive models that make inferences about individuals’ health status, potentially leading to exploitation for commercial gain.
The legal landscape is evolving in response to these threats, Federica Casarosa, PhD, a professor of law at the European University Institute and at the Scuola Superiore Sant’Anna in Pisa, Italy, told Medscape Medical News. A recent ruling by the Court of Justice of the EU established that individuals could claim nonpecuniary damages for emotional distress caused by the fear of data misuse, even in the absence of direct financial harm. “Patients affected by healthcare data breaches can seek compensation for the anxiety and suffering resulting from such incidents,” she said.
While some cyberattacks focus on stealing data, many are not centered around this goal. The abundant availability of proxy data from sources like social media and apps enables attackers to infer sensitive details about an individual’s health without directly accessing their medical records, van Kessel explained.
The Irish Case
In May 2021, the Conti ransomware group launched a cyberattack on Ireland’s Health Service Executive (HSE) that affected around 4000 locations and 54 hospitals. The attack led to a nationwide shutdown of IT systems, severely disrupting access to electronic health records and delaying treatments for thousands of patients.
The incident resulted in costs exceeding €80 million and forced healthcare providers to revert to paper records, thus increasing the risk for errors. Critical services, including cancer and stroke treatments, were particularly affected, with many hospital appointments canceled and access to laboratory results and imaging delayed.
“It was a very difficult time,” Seamus O’Reilly, MD, a medical oncologist at Cork University Hospital in Cork, Ireland, told the Policy Forum for Ireland keynote seminar “Next steps for cancer services in Ireland.” “Results were frozen on the computer. Our ways of communicating with people were compromised, and we had no access to old information. We had patients who had scans done, and the scans were trapped on the machine. Patients would turn up at clinics, and there would be no records of them coming there or needing to be there. We would have had to send patients home to their general practitioner [GP] to get their medical record details, get them printed out at their GP’s office and bring them back to us so we could look after them at the hospital.”
The recovery process was complex and lasted approximately 4 months. Initially, the attackers demanded a ransom of $20 million but later provided a decryption tool for free to aid recovery efforts. Despite this assistance, the HSE incurred substantial costs for infrastructure repairs and cybersecurity improvements.
New European Strategies
In response to the increasing threat of cyberattacks on healthcare systems, the European Commission has established a Cybersecurity Support Centre, which will provide tools, training, and resources to healthcare providers to improve their ability to manage cyber threats effectively.
In addition, on January 21, the Council of the EU adopted regulations to enhance the European Health Data Space (EHDS). This framework aims to improve cross-border access to health data while ensuring compliance with data protection laws like the General Data Protection Regulation. The EHDS is designed to allow patients easy access to their electronic health data while permitting healthcare professionals to consult these records across borders with patient consent. It also includes provisions for opt-out mechanisms, allowing patients to control how their data are used.
The EHDS will also enable the secondary use of data across Europe for research, innovation, and public health purposes. “The goal is to create a data space that is accessible to both patients and doctors across Europe,” said Casarosa. “It is intended to provide a more secure system for storing and sharing health data compared with the current fragmented approaches.”
In conjunction with these initiatives, the World Health Organization (WHO)/Europe is developing a guide focused on strengthening cybersecurity in digital health. A WHO/Europe spokesperson told Medscape Medical News this guide will include risk assessment strategies tailored to specific needs and regulatory requirements while emphasizing robust cybersecurity measures such as regular updates and backups, security audits, and employee training.
The WHO Headquarters is also developing a stepwise toolkit on implementing and budgeting for cybersecurity programs in the context of digital health.
Complete Protection?
Despite ongoing efforts, the healthcare sector remains particularly vulnerable to cyber threats. “It is not possible to ever be totally protected, as it is always a question of when a cyber-attack will happen, not if,” said a WHO/Europe spokesperson. “However, it is possible to better equip hospitals to prevent cybersecurity threats and mitigate attacks or consequences.”
Many factors make securing healthcare systems challenging, said Casarosa. Complex administrative structures and increasingly interconnected, intricate systems are difficult to secure. The rise of Internet-of-Things devices during the COVID-19 pandemic has further exacerbated cyber risks, because many of these devices lack robust security features, she explained.
Budget constraints in healthcare organizations hinder investments in comprehensive cybersecurity strategies. Hospitals often must prioritize limited resources between security and healthcare provision. “Patient care obviously takes precedence over security measures,” she said.
Human error is also a significant factor in data breaches, and one that is extremely hard to control, van Kessel said. “The rule of thumb is that 92% of malfunctions are due to human error, 6% are due to technological error, and 2% are auxiliary,” he said. Common examples of human error include falling for phishing scams, misconfiguring security settings, and failing to follow established protocols. “Training and risk awareness are a big priority.”
Casarosa and van Kessel reported no relevant financial relationships.
Manuela Callari is a freelance science journalist specializing in human and planetary health. Her words have been published in The Medical Republic, Rare Disease Advisor, The Guardian, MIT Technology Review, and elsewhere.
Source link : https://www.medscape.com/viewarticle/eu-acts-boost-cybersecurity-hospitals-2025a10001xg?src=rss
Publish date : 2025-01-27 08:04:34
Copyright for syndicated content belongs to the linked Source.