54% of cyber incidents between 2021 and 2023 involved healthcare players, with 71% of attacks having an impact on healthcare. Photo: Marcelo Leal/Unsplash

Hospitals were the sector most affected by cyber attacks, especially ransomware, last year. And the situation was serious enough for the European Commission to launch an action plan on Wednesday, consisting mainly of a new group within Enisa, the EU’s cybersecurity agency.

Luxembourg's hospitals are not at all prepared to deal with cyber threats.  and it's still true today. One of the easiest ways to--temporarily--solve the problem is to look at what's happening elsewhere.

From that point of view, the plan presented by the European Commission on 15 January 2025 is a godsend. Not only does it cruelly highlight the general state of unpreparedness in Europe, but its solutions also point to all the problems that cybercriminals have not already seen.

The figures, all taken from the 26 pages of the plan? 54% of cyber incidents between 2021 and 2023 involved healthcare players. 71% of attacks that had an impact on patient care--such as delays in treatment and diagnosis and limited access to emergency services--involved ransomware. The annual global cost of ransomware will exceed €250bn by 2031. Half of healthcare organisations have never carried out a cybersecurity risk analysis. 66% of cybersecurity roles in the education, health and social work sectors are filled by employees in transition from non-cybersecurity roles. 98% of cyber attacks could be prevented if simple measures such as updating systems and implementing multi-factor authentication were applied.

There is one figure missing, which makes the problem even more spectacular: 79% of Europeans have access to their health data online. In other words, the nightmare is only going to get worse, because the value of medical data is constantly increasing, and other players are cashing in. Imagine if an insurer or banker knew your state of health: do you think you would get the same answer when it came to taking out an insurance policy or obtaining a mortgage?

Seeking to share solutions and experiences

The European Commission is proposing a multi-level plan, including the formation of a committee at the European Union Agency for Cyber Security (Enisa). The aim is to provide a catalogue of solutions, targeted advice, a regulatory mapping tool, a maturity assessment framework (evaluated annually), a network of information systems security managers, training and an alert system. The plan deploys everything that is possible in terms of pooling capabilities, knowledge and networks.

It also includes the strengthening of public-private cooperation, with the creation of a joint advisory council on health cybersecurity made up of high-level representatives from the health and cybersecurity sectors; and the launch of a call to action for cybersecurity companies, foundations, educational establishments and players in the sector to commit to taking action to meet the challenges facing the sector.

The plan additionally calls for developing the art of deterring cyber actors in association with strengthening international cooperation, whether at the G7 or Europol level, and nationally, with the designation of national cybersecurity support centres for hospitals and healthcare providers; the creation of national action plans focused on cybersecurity in the healthcare sector; the facilitation of resource sharing between healthcare providers; and the setting of non-binding benchmarks and monitoring of funding targets specifically for cybersecurity.

All this already has a name in the European ecosystem: the European Nis2 Directive. And there's a problem: how to finance this transition to greater cybersecurity when many hospitals in Europe have both cash flow and human resources problems? This plan does not address that issue, which has been on the negotiating table at European level for almost nine years.
