MEPs seek financial coverage for a new vaunted Cybersecurity Center in healthcare

The members of the European Parliament’s Committee on Health Matters (SANT) seek details on funding sources to support the Action Plan on the cybersecurity of hospitals and healthcare providers that the European Commission proposed in January.

As part of a non-binding communication, the Action plan aims to develop a ransomware recovery subscription service and expand the repository of available ransomware decryption tools. It also encourages hospitals to adopt robust backup systems to protect critical data and enhances crisis response capabilities through training and cooperation at the EU level.

In an on-topic exchange, MEP raised a cross-party call to provide adequate financial resources for cybersecurity. The claims mainly revolve around the organization of the cybersecurity Support Center for hospitals and healthcare providers. It is expected to be established within the structures of the ENISA, the EU Agency for cybersecurity, and will be charged, as the EU Commission states, “to develop a comprehensive service catalog of concrete solutions that strengthen the cybersecurity of the sector.”
The European Commission is starting from the assumption that healthcare providers report more incidents than any other critical sector.

Ransomware attacks, which account for over 43% of reported incidents, are a key concern, and the EU’s response focuses on prevention, detection, response, and deterrence.

The Communication reports a number of actions, such as ensuring appropriate resources for the cybersecurity Support Center and a Rapid response service within its functioning by 2025, exploring the issuance of cybersecurity vouchers by 2026 at the latest, and developing an early warning system to alert healthcare providers to emerging threats.

The Commission is also ready to take action to use the full potential of the Cyber Solidarity Act to direct support to hospitals.

The EPP coordinator in the SANT committee, Tomislav Sokol, emphasized the need to build trust, particularly about the EHDS, ensuring healthcare professionals and patients feel secure about data protection. He raised the issue of funding to strengthen cybersecurity in healthcare with his party colleague, Ingeborg Ter Laak.

The Lithuanian MEP from the S&D group, Vytenis Andriukaitis, warned that data breaches could undermine trust in the European Health Data Space, which will come into force in a few weeks after the final vote of the EU Council.

Patriots for Europe’s, Marie-Luce Brasier-Clain, raised concerns about overburdened hospital staff, increasing interconnectivity, and unequal financial resources for cybersecurity and also noted that major corporations like Google and Microsoft play a growing role in health data security. Her party colleague Gerald Hauser showed his concerns about health data anonymization. Stine Bosse, a Danish deputy member of the Renew group, sought a clear risk assessment, including information on attack perpetrators.

The European Commission told MEPs during the debate that digital literacy and cybersecurity skills are essential in mitigating risks. It noted that 98% of cyberattacks could be prevented through basic digital hygiene.

The EU Executive recalls that NIS2 framework now fully applies to healthcare providers and that efforts are being made to simplify regulatory requirements through a mapping tool.

The ENISA support center is designed to become a single point of contact for healthcare providers. The EU Commission also stated that funding will be a shared responsibility involving EU programs, national budgets, and private investments. The Digital Europe Program will finance pilot projects for hospitals, while additional ENISA funding will enhance cybersecurity services.

The cybersecurity vouchers that the EU Commission is set to propose could be funded through regional funds, modeled after previous innovation voucher schemes. A broad consultation is ongoing to refine the action plan, ensuring that healthcare providers, cybersecurity companies, and policymakers contribute to shaping the next steps in strengthening healthcare cybersecurity across the EU.