Cybersecurity requires new approaches, where all stakeholders contribute
With the increasing digital transformation of healthcare and improvements in the quality of data, IT systems in healthcare are becoming an increasingly attractive target for malicious actors. A cyberattack can cripple an institution, cause disruptions in service delivery and result in patient harm.

Major threats for healthcare organisations include ransomware, breaches caused by cloud vulnerabilities and misconfigurations, bad bot traffic and phishing. Ransomware accounts for 54% of all breaches in healthcare, costing healthcare organisations an average of EUR 300,000 per incident, according to the European Union Agency for Cybersecurity (ENISA). With the incorporation of connected medical devices into patient care, the threat of an attack expands beyond traditional IT systems.

“Connected medical devices like infusion pumps, pacemakers and imaging systems often operate on outdated software, lack encryption or are improperly configured,” said Nana Odom, head of clinical engineering at Cleveland Clinic London. “This creates highly vulnerable entry points for attackers.”

The emergence of AI-powered attacks has heightened the risk.

The new era of defense training

“You used to just have to worry about phishing attacks. Now you have to worry about deepfakes and AI-created voice call fakes,” David Wall, CIO of Tallaght University Hospital in Ireland, which experienced a cyberattack in 2021, pointed out in an interview for HIMSS TV. “You think you’re speaking to a colleague, but you’re not actually speaking to a colleague.” This creates the need for updated staff training on information safety.

“Training and awareness for staff on an ongoing basis is really important,” Wall said. “It’s crucial that staff don’t become disengaged, so conducting simulated phishing attacks in-house is really, really important. These should be done on a weekly, daily or monthly basis, and organisations should coordinate different types of simulations – perhaps a direct attack against the finance department or a hospital-wide test, like a fake free voucher for a local supermarket.”

Some healthcare organisations are already implementing measures to address these challenges. At Cleveland Clinic London, security assessments are conducted as part of the procurement process, shifting the focus from reactive fixes to proactive prevention, Odom explained.

Still, the ENISA report shows widespread cybersecurity deficiencies across healthcare organisations: 95% struggle with risk assessments, and 46% have never conducted one. What’s more, 40% lack security awareness training for non-IT staff, and only 27% of organisations have a dedicated ransomware defense program. These deficiencies often stem from fundamental misunderstandings about healthcare technology.

“Many believe that once a medical device is deployed, it works in isolation without the need for updates,” Odom said. “However, these devices often run on commercial operating systems that require regular patching to fix vulnerabilities. Healthcare technology management (HTM) teams face resistance when trying to implement firmware updates or security patches due to fears of disrupting clinical workflows or voiding warranties. However, unpatched devices pose significant security risks.”

The blueprint for protection

In response to the widespread vulnerabilities and escalating threats, the European Commission unveiled a comprehensive Action Plan in January 2025. Central to the commission’s strategy is establishing a pan-European Cybersecurity Support Centre under ENISA. The centre will provide healthcare institutions with tailored guidance, tools, training and services, including cybersecurity best practices, regulatory mapping tools, early warning services and incident response playbooks.

The plan introduces several measures:

  • Mandatory ransomware reporting: Member states may require healthcare providers to disclose ransom payments as part of cybersecurity incident reporting, building on the NIS2 Directive.
  • Supply chain security: A security risk assessment of medical device supply chains will be conducted. The Support Centre will provide procurement guidelines to manage risks related to cloud services and third-party vendors.
  • Medical device cybersecurity: Manufacturers are encouraged to report cyber incidents and vulnerabilities through ENISA’s reporting platform.
  • Industry collaboration: A European Health CISOs Network will facilitate knowledge sharing among cybersecurity professionals, while a European Health ISAC will improve coordination between providers and manufacturers. A Health Cybersecurity Advisory Board will guide the plan’s implementation.

Building upon existing cybersecurity legislation – including the NIS2 Directive, Cybersecurity Act, Cyber Resilience Act and Cyber Solidarity Act – the plan also strengthens management commitment requirements, with the NIS2 Directive already establishing executive responsibility for cybersecurity preparedness.

For the implementation to be effective, ENISA underscores the importance of collective action, recommending essential cybersecurity checks such as offline encrypted backups, comprehensive awareness training, strong vulnerability management and robust incident response plans. This shift toward collective responsibility represents a fundamental change in how healthcare approaches cybersecurity.

“Cybersecurity will no longer be viewed as solely an IT function,” Odom predicted. “Instead, it will evolve into an organisation-wide responsibility under a unified governance framework, fostering a positive cybersecurity culture. Patients, too, will play a more active role by demanding secure platforms and accountability from healthcare providers.”

Nana Odom, head of clinical engineering at Cleveland Clinic London, will speak about cybersecurity and medical devices at the “Are You Safe?” cybersecurity session at HIMSS Europe 2025 in Paris, taking place June 10-12.