Cybersecurity requires fresh techniques, and all partners must be involved

IT systems in healthcare are becoming ever more attractive targets for attackers as care is delivered digitally and the value of data rises. A cyberattack can cripple an organisation, disrupt the delivery of services and ultimately harm patients.

Major threats to healthcare organisations include ransomware, breaches caused by cloud vulnerabilities and misconfigurations, malicious bot traffic and phishing. Ransomware accounts for 54 % of all breaches in healthcare, costing healthcare organisations an average of EUR 300,000 per incident, according to the European Union Agency for Cybersecurity (ENISA). The threat extends beyond standard IT systems as more clinical devices are integrated into patient care.

According to Nana Odom, head of clinical engineering at Cleveland Clinic London, "Connected medical devices like pacemakers, infusion pumps and imaging systems frequently operate on outdated technology, lack encryption, or are improperly configured." This makes them high-risk entry points for attackers.

The rise of AI-powered attacks has increased the risk further.

The new era of security training

"You used to only have to be concerned about hacking attempts. You now have to be concerned about deepfakes and AI-generated voice phone calls," said David Wall, CIO of Tallaght University Hospital in Ireland, which was the site of a 2021 attack, in an interview for HIMSS TV. "You think you're speaking to a colleague, but you're not really speaking to a colleague." This calls for updated staff education in information security.

"Education and awareness for workers on an ongoing basis is really important," Wall said. "It's important that employees don't become detached, but conducting simulated phishing attacks in-house is really, truly important. Organisations should run various types of simulations, such as a targeted attack on the finance office or a hospital-wide test, like a fake free ticket offer from a local retailer, and these should be done on a weekly, daily or monthly basis."

Some healthcare organisations are now taking steps to address these issues. At Cleveland Clinic London, security assessments are conducted as part of the procurement process, shifting the focus from reactive fixes to proactive prevention, Odom explained.

Still, the ENISA report shows that across healthcare organisations, 95 % struggle with risk assessments and 46 % have never conducted one. What's more, 40 % lack security awareness training for non-IT staff, and only 27 % of organisations have a dedicated ransomware defence programme. Basic misunderstandings of healthcare technology are frequently the cause of these gaps.

"Many believe that once a medical device is deployed, it works in isolation without the need for changes," Odom said. "However, these products usually run on commercial operating systems that require regular patching to fix vulnerabilities. Due to concerns about disrupting clinical workflows or voiding warranties, HTM (Healthcare Technology Management) teams encounter resistance when attempting to implement firmware updates or security patches. However, unpatched devices pose significant security risks."

The framework for security

In response to these widespread and growing risks, the European Commission released a detailed Action Plan in January 2025. At the heart of the plan is the establishment of a pan-European Cybersecurity Support Centre under ENISA. The centre will provide medical institutions with tailored guidance, tools, training and services, including cybersecurity best practices, regulatory mapping tools, early warning services and incident response playbooks.

The plan introduces several measures:

  • Mandatory ransomware reporting: Member states may require healthcare providers to disclose ransom payments as part of cybersecurity incident reporting, building on the NIS2 Directive.
  • Supply chain security: A security risk assessment of medical device supply chains will be conducted. To manage risks relating to cloud services and third-party vendors, the Support Centre will provide procurement guidelines.
  • Medical device cybersecurity: Manufacturers are encouraged to report cyber incidents and vulnerabilities through ENISA’s reporting platform.
  • Industry collaboration: A European Health CISOs Network will facilitate knowledge sharing among cybersecurity professionals, while a European Health ISAC will improve coordination between providers and manufacturers. A Health Cybersecurity Advisory Board will guide the plan’s implementation.

The plan also strengthens management accountability: the NIS2 Directive makes executives responsible for cybersecurity preparedness, complementing existing cybersecurity legislation such as the Cybersecurity Act, Cyber Resilience Act and Cyber Solidarity Act.

ENISA emphasises that collective action is essential for successful implementation, recommending core cybersecurity controls such as offline encrypted backups, comprehensive awareness training, strong vulnerability management and robust incident response plans. This amounts to a fundamental change in healthcare's approach to cybersecurity.

"Cybersecurity will no longer be viewed as solely an IT function," Odom predicted. "Instead, it will evolve into an organisation-wide responsibility under a unified governance framework, fostering a positive cybersecurity culture. Patients, too, will play a more active role by demanding secure platforms and accountability from healthcare providers."

At the "Are You Safe" session, Nana Odom, head of clinical engineering at Cleveland Clinic London, will speak about cybersecurity and medical devices. HIMSS Europe 2025 takes place in Paris from June 10 to 12. See the full programme at https://legacy.himss.org/event-himss-europe
