Simon Meier, a trauma and orthopedic surgeon, was off duty when a colleague called one evening. University Hospital Frankfurt was the target of a massive cyberattack which required an urgent response.
The next morning, Meier, who was also the hospital’s emergency planner, sat in a crisis meeting with hospital leadership. IT teams had worked through the night without success, and now, a critical decision loomed.
“We had to cut off the whole hospital network from the internet,” Meier recalled. “We didn’t want to give anyone the chance to tamper with the IT systems anymore.”
Internet access was severed, databases were frozen and hospital staff had to switch to pen and paper, as well as phone calls, to deliver care.
“It severely impaired the communication between our electronic systems,” Meier said. Accessing lab results or data from mobile X-ray machines became a headache, with systems unable to report to the hospital database.
“We had to reschedule appointments just to be able to have a look into the patient’s files and postpone some planned surgeries,” he said.
Now, over one-and-a-half years later, the system is not yet back to “normal,” Meier said. Internet and database access remain restricted, and a costly infrastructure rebuild is underway to plug long-exploited vulnerabilities.
This attack is just one of 309 cybersecurity incidents targeting the health care sector in the EU in 2023 alone — more than any other critical sector. The cost of a major incident typically reaches some €300,000.
Beyond the financial impact, cyberattacks pose a threat to patients’ lives. The stakes became clear in a recent case in the U.K., where the death of a patient was linked — among other contributing factors — to a delayed blood test result caused by a cyberattack that disrupted pathology services last summer.
World Health Organization (WHO) chief Tedros Adhanom Ghebreyesus called cyberattacks on health care “issues of life and death.”
While health care has become the primary target for cybercriminals in recent years, putting lives at risk, the sector paradoxically invests less in cybersecurity than any other industry, leaving high-value data vulnerable to attack.
Perfect target
For cybercriminals, targeting health data “is a perfect business plan,” said Christos Xenakis, professor at the department of digital systems at the University of Piraeus, Greece. “It’s easy to steal data, and what you steal, you can sell it at a high price.”
Ransomware attacks — where hackers lock data and demand a ransom — dominate the sector, an EU Agency for Cybersecurity (ENISA) report showed. “They achieve two targets: One is to get the data and sell (it), and the other is to encrypt the whole system, disrupt the whole system, and ask for money,” Xenakis said.
Stolen data can be sold on the dark web to criminals who use it to commit identity theft, insurance fraud or blackmail. To restore disrupted systems, criminals can demand millions of euros — hackers, for instance, wanted $4.5 million for the return of the stolen data after a cyberattack on Hospital Clínic in Barcelona. The hospital refused to pay.
However, other types of cyberattacks are also on the rise, including those by pro-Russian hacktivists aiming to disrupt health care operations, rather than for profit.
Despite the risks, only 27 percent of health care organizations have a dedicated ransomware defense program, and 40 percent don’t offer any security awareness training for non-IT staff, a separate ENISA report found.
Creating cybersecurity culture
Xenakis believes that the health care sector sees cybersecurity as “out of their business” scope and as a “luxury” rather than an essential. Health care staff are unaware of the risks, he believes, resulting in poor “cyber hygiene.”
He recalls being left alone in a doctor’s office with unsecured computers — an easy target for hackers. “If I wanted to do something, it [would have been] easy for me,” he said.
At the same time, he doubts that he would have been left in a room with critical medicines. Hospitals understand the risks if medicines got into the wrong hands, he said, “but they cannot understand cybersecurity.”
The task is to create a culture of good cybersecurity practices to protect data and the systems, Xenakis said. “Technology awareness education is … extremely low.”
Findings from the Finnish Innovation Fund Sitra back this up. While many health care organizations have cybersecurity policies in place, they are often not “clearly communicated or consistently understood by their staff.” High personnel turnover — not just among medics but also cybersecurity officers — further “exacerbates training gaps and the ability to enforce cybersecurity policies.”
Sabina Magalini, a former professor of surgery at the Catholic University of the Sacred Heart in Rome, who coordinated an EU-funded project PANACEA to improve hospital cybersecurity, believes that current laws overlook hospital-specific challenges. “Hospitals have different problems,” she said, listing high staff turnover, lack of training and overwork.
“The hospital is not a nuclear power plant … It’s like a port … with a harbor: people coming in, going out, and everything is open,” Magalini said.
She argued that hospitals need continuous cybersecurity drills and streamlined systems that don’t slow down care. Health care staff “don’t want to pass half of the day logging in and logging out,” she said.
Blame the system, not the staff
However, training hospital personnel, while beneficial, is insufficient to address security threats.
“If you have a hospital with 2,000 people working, the probability for someone to click the button (for a phishing link)” is unavoidable, Xenakis said. This is especially true as artificial intelligence is increasingly used by cybercriminals to automate attacks such as phishing and deepfake-driven fraud, making them “very sophisticated, very targeted,” Xenakis said.
“You cannot blame the people,” Xenakis said. There must be intelligent detection tools “to eliminate the damage … or counteract the attack,” he said.
Magalini also pointed out another shortcoming: cybersecurity consultancies that assist hospitals often originate from outside Europe. “They are either from the United States or Canada … also from Russia,” she said, adding that there should be a “European way of doing cybersecurity.”
Investment gaps
While the risks are clear, national governments are skimping on prevention, Xenakis believes, saying that he has no good example of a country “that has invested a lot in cybersecurity in the health sector.”
In Germany, for example, “they are used to just putting new regulations in place, but invest nothing in the cybersecurity of hospitals,” Meier said.
He believes his Frankfurt hospital would have found the attack earlier if it had an intrusion detection system. They were “very lucky” to discover the attack before it destroyed the entire database, Meier said. “It could have resulted in a complete shutdown of the hospital.”
“Cybersecurity threats pose enormous challenges for the health care sector by endangering the availability of essential health care services,” a spokesperson from the German health ministry told POLITICO in a written response. Germany is backing sector-specific cybersecurity standards and also requires hospitals to invest at least 15 percent of cybersecurity funding received through a program on future-proofing hospitals under its recovery and resilience plan.
Europe’s Health Commissioner Olivér Várhelyi has also made it clear that investment must come from national governments. “If you go to a hospital, you always see a guard in the door. There is money for that, so there should be money for protecting the data as well,” he said in January.
But with the health sector often suffering from underinvestment, how much governments can spend on cybersecurity “is a question,” Magalini said. “There are so many other (health care) problems which are not cybersecurity … so I don’t know how they can make the investments.”
The cost of inaction can be hundreds of millions of euros, as it was with an attack on Ireland’s Health Service Executive in May 2021 that shut down IT systems of the country’s publicly funded health care system. The attack’s cost was estimated at least €101 million, with a further €657 million to be spent safeguarding against future attacks.
“Why did it cost so much? Not because of the damage but [because] then someone intelligent thought, ‘no, we have to rebuild the system in a secure way,’” Magalini said.
Ray Walley, a general practitioner from Ireland, saw firsthand how the attack severed ties with the hospital system. “We couldn’t refer stuff in. It affected outflow from the hospital system. We weren’t getting the results of blood tests. We weren’t getting the results of X-rays and scans,” he said.
Walley believes that “cybersecurity is just another form of health care.” “We need to invest in this,” he said. “We need to be proactive. We need to spend the money.”
EU’s action: good, but could be better
The increasing number of cyberattacks on health care systems triggered a response from the EU this year. The European Commission unveiled in January an “action plan” on cybersecurity for hospitals and the health care sector.
The plan proposes setting up a European Cybersecurity Support Center for the health care sector within ENISA and a specific rapid response service. The plan also introduces “cybersecurity vouchers,” which will enable EU countries to provide financial support to smaller health care providers for enhancing their cyber resilience.
“It’s good,” said Markus Kalliola, Sitra’s program director. But it “could be stronger.”
He is one of the authors of the Commission’s evaluation report by Sitra, which points to murky EU governance, a lack of clear targets or budgets and a missed opportunity to build a functioning single market for cybersecurity solutions.
Sitra calls for going beyond the EU’s plan by considering cybersecurity as a matter of national security; setting up mandatory cybersecurity readiness for health care organizations; incorporating cybersecurity skills into health professionals’ basic training; and organizing more pan-European cybersecurity exercises.
With the changing geopolitical situation, “it’s also a matter of national security,” Kalliola said. “EU member states should focus on … what is the national strategy in securing these critical health care services,” he added.
Whether or not Europe’s security will feature in the Commission’s final hospital cybersecurity plan remains to be seen; the EU executive has just concluded a consultation and promised to put forward a refined plan by the end of the year.
Other pieces of EU legislation — including the NIS2 Directive, Cyber Resilience Act, AI Act and medical devices rules — also raise the bar for cybersecurity across different sectors, including health care.
However, “despite advancements in regulatory efforts and technical solutions, implementation remains inconsistent. There is no time to lose in turning regulations into reality,” Kalliola said.