Cybersecurity: An essential investment for protecting hospitals and patient safety

The entry into force of the European Health Data Space (EHDS) provides an important spur for the collection, processing and analysis of personal electronic health data across Europe, which – it is hoped – will bring tangible benefits for health providers and patients. For hospitals and other healthcare services, the EHDS could bring multiple potential advantages, including increased administrative efficiency, less duplication of medical tests, decision-making support for selecting treatments and prevention (both in a national and cross-border context), advancing research and innovation, and other benefits derived from a wide range of data, including patient-provided health information.

However, the EHDS can only be implemented successfully if accompanied by an equally diligent effort to strengthen hospitals’ and other healthcare providers’ protections against cybersecurity threats. This is because the EHDS not only increases the volume of available health data but crucially also the number of health and supply chain actors, technologies and tools (including mobile, IoT and connected medical devices) involved. Recent statistics have painted a grim picture, with cyber-attacks on the rise across the European hospital and healthcare sector, yet with only scarce funding and institutional capacities for confronting the threat. While the nature of the menace is dynamic as it evolves with the possibilities afforded by digitalisation, the fact remains that large-scale incidents severely obstruct hospitals’ ability to provide patient care, at worst paralysing healthcare systems and endangering lives. In today’s volatile geopolitical environment, the risk has never been greater that the steadily growing data repositories of hospitals and healthcare services are targeted.

Protecting patients’ privacy is essential, as health data meant to save lives can be misused if not properly safeguarded. Even in cases where ransom is paid, risks like future misuse, public exposure, or resale of personal health information may still persist.

The good news is that the majority of cybersecurity threats are preventable. As noted in HOPE’s Position on the EU Cybersecurity Framework, ensuring the routine application of good cyber-hygiene practices and investing in effective processes, awareness-raising actions and training (starting with basic electronic identification, authentication and communication protocols) is fundamental. Developing cyber policies and skills is even more vital as the EHDS becomes a reality, with six priority categories of health data logged in EHRs and a vast array of other data shared for secondary uses. 

As ensuring patients’ trust is a major factor in advancing the digital transformation of health and care, safeguarding the highest possible level of cybersecurity in the sector must be a key priority. When people feel safe in everyday interactions with healthcare providers using digital technologies, they are more likely to embrace the EHDS and view the sharing and processing of health data in a positive light. The gains will become tangible and evident. Due to their intimate, confidential nature, health data are particularly sensitive; the consequences of leaks and misuse can be severe.

The European Action Plan on the cybersecurity of hospitals and healthcare providers, released in January 2025, recognises the urgent need to strengthen cybersecurity measures along the threat continuum, i.e. from prevention to deterrence. Although non-binding, it creates a European framework for enhanced cooperation and targeted support through new healthcare-specific structures (the EU Cybersecurity Support Centre as part of ENISA), services, guidelines and coordinated action, while urging Member States to produce their own strategic plans for handling cybersecurity threats and to provide financial assistance to micro, small and medium-sized healthcare providers by distributing Cybersecurity Vouchers.

Currently undergoing stakeholder consultation to refine it further, the Action Plan represents a timely addition to the evolving European cybersecurity architecture. As an umbrella for healthcare-specific mechanisms, services (e.g., early warning and ransomware recovery subscriptions, rapid response), and obligations, its elements offer a pivotal frame for strengthening hospitals’ cyber-resilience, and in turn also patients’ safety, privacy and rights. Crucially though, its successful implementation will require the allocation of dedicated resources, which should include adequate European financing given the critical budgetary constraints hospitals and healthcare services are facing across the Union. In addition, the Action Plan should avoid duplicating already existing governance structures and networks to ensure that the pressing necessity to report, log, analyse, evaluate and learn from cyber incidents in a timely fashion does not become overly burdensome or unproductive. 

About the author

Sascha Marschang is a Senior Advisor at the European Hospital and Healthcare Federation (HOPE). His work primarily focuses on the digital transformation of health and care - including the implementation of the European Health Data Space, AI Act and EU Cybersecurity Framework - and its everyday impacts on the sector.

His main interest lies in supporting a human-centric, democratic integration of digital technologies that generates tangible benefits for healthcare institutions, their staff and patients. This should include robust safeguards for protecting fundamental rights and tackling the digital divide.
