The European Union Agency for Cybersecurity (ENISA) has published a good practice guide to support entities of the health sector in strengthening their digital security. The guide was unveiled on the sidelines of the 10th edition of the eHealth Security conference.
The 10th ENISA eHealth Security Conference was organised in collaboration with the Romanian National Cyber Security Directorate (DNSC) and the European Cybersecurity Competence Centre (ECCC) and took place in Bucharest, Romania. Each year, the conference serves as a hub for various stakeholders to connect, exchange insights and best practices, and discuss the latest regulatory framework requirements shaping the sector.
The ongoing digital transformation of healthcare services and providers across the EU has increased complexity and interconnectedness in the sector, while introducing new cybersecurity risks. Medical systems and data have become growing targets of cybercrime, with ransomware and phishing campaigns on the rise. According to ENISA’s NIS360 report, the health sector is classified among those in the risk zone, highlighting a significant gap between its cybersecurity maturity and its critical importance. The report calls for further guidance and support to strengthen resilience across the sector.
Looking at the latest regulatory developments, the EU has reinforced its intention to prioritise the challenges faced by the entire healthcare ecosystem. The current regulatory landscape includes the Medical Device Regulation (MDR), the Cyber Resilience Act (CRA) and the European Health Data Space Regulation (EHDS).
Most recently, the EU Action Plan for the cybersecurity of hospitals and healthcare providers was launched in early 2025 and represents a pivotal update. The Action Plan sets out a series of tasks alongside dedicated resources for the Agency, underscoring the EU’s confidence in its ability to deliver meaningful value to the sector.
Cyber Hygiene in the Health Sector
The ENISA Threat landscape for the health sector revealed that healthcare providers were the most affected, accounting for 53% of all reported incidents.
The ENISA NIS Investments Survey found that healthcare organisations reported the highest number of security incidents related to vulnerabilities in software or hardware, with 80% of organisations citing vulnerabilities as the cause of more than 61% of their security incidents.
In line with the provisions of the EU Health Action Plan, ENISA has published today a Cyber Hygiene in the Health Sector guidance to support entities across the health ecosystem in implementing the most critical cybersecurity practices. The document outlines a set of practical measures that organisations can adopt to mitigate cybersecurity risks, safeguard sensitive data, reduce exposure to cyber threats, and strengthen overall cyber resilience.
These actionable practices are designed to be simple to implement and enhance the preparedness and security of all types of health entities—from hospitals and service providers to individual medical specialists. The recommendations cover areas such as systems and network protection, safeguarding devices and patient data, addressing challenges in the ICT supply chain, and promoting cybersecurity awareness.