The entry into force of the European Health Data Space (EHDS) provides an important spur for the collection, processing and analysis of personal electronic health data across Europe, which – it is hoped – will bring tangible benefits for health providers and patients. For hospitals and other healthcare services, the EHDS could bring multiple potential advantages, including increased administrative efficiency, less duplication of medical tests, decision-making support for selecting treatments and prevention (both in a national and cross-border context), advancing research and innovation, and other benefits derived from a wide range of data, including patient-provided health information.
However, the EHDS can only be implemented successfully if accompanied by an equally diligent effort to strengthen hospitals’ and other healthcare providers’ protections against cybersecurity threats. This is because the EHDS not only increases the volume of available health data but crucially also the number of health and supply chain actors, technologies and tools (including mobile, IoT and connected medical devices) involved. Recent statistics have painted a grim picture, with cyber-attacks on the rise across the European hospital and healthcare sector yet only scarce funding and institutional capacities for confronting the threat. While the nature of the menace is dynamic as it evolves with the possibilities afforded by digitalisation, the fact remains that large-scale incidents severely obstruct hospitals’ ability to provide patient care, at worst paralysing healthcare systems and endangering lives. In today’s volatile geopolitical environment, the risk has never been greater that the steadily growing data repositories of hospitals and healthcare services are targeted.
Protecting patients’ privacy is essential, as health data meant to save lives can be misused if not properly safeguarded. Even in cases where ransom is paid, risks like future misuse, public exposure, or resale of personal health information may still persist.
The good news is that the majority of cybersecurity threats are preventable. As noted in HOPE’s Position on the EU Cybersecurity Framework, ensuring the routine application of good cyber-hygiene practices and investing in effective processes, awareness-raising actions and training (starting with basic electronic identification, authentication and communication protocols) is fundamental. Developing cyber policies and skills is even more vital as the EHDS becomes a reality, with six priority categories of health data logged in EHRs and a vast array of other data shared for secondary uses.
As ensuring patients’ trust is a major factor in advancing the digital transformation of health and care, safeguarding the highest possible level of cybersecurity in the sector must be a key priority. When people feel safe in everyday interactions with healthcare providers using digital technologies, they are more likely to embrace the EHDS and view the sharing and processing of health data in a positive light. The gains will become tangible and evident. Due to their intimate, confidential nature, health data are particularly sensitive; the consequences of leaks and misuse can be severe.
The European Action Plan on the cybersecurity of hospitals and healthcare providers, released in January 2025, recognises the urgent need to strengthen cybersecurity measures along the threat continuum, i.e. from prevention to deterrence. Although non-binding, it creates a European framework for enhanced cooperation and targeted support through new healthcare-specific structures (the EU Cybersecurity Support Centre as part of ENISA), services, guidelines and coordinated action, while urging Member States to produce their own strategic plans for handling cybersecurity threats and to provide financial assistance to micro, small and medium-sized healthcare providers by distributing Cybersecurity Vouchers.
Currently undergoing stakeholder consultation to refine it further, the Action Plan represents a timely addition to the evolving European cybersecurity architecture. As an umbrella for healthcare-specific mechanisms, services (e.g., early warning and ransomware recovery subscriptions, rapid response), and obligations, its elements offer a pivotal frame for strengthening hospitals’ cyber-resilience, and in turn also patients’ safety, privacy and rights. Crucially though, its successful implementation will require the allocation of dedicated resources, which should include adequate European financing given the critical budgetary constraints hospitals and healthcare services are facing across the Union. In addition, the Action Plan should avoid duplicating already existing governance structures and networks to ensure that the pressing necessity to report, log, analyse, evaluate and learn from cyber incidents in a timely fashion does not become overly burdensome or unproductive.
About the author
Sascha Marschang is a Senior Advisor at the European Hospital and Healthcare Federation (HOPE). His work primarily focuses on the digital transformation of health and care - including the implementation of the European Health Data Space, AI Act and EU Cybersecurity Framework - and its everyday impacts on the sector.
His main interest lies in supporting a human-centric, democratic integration of digital technologies that generates tangible benefits for healthcare institutions, their staff and patients. This should include robust safeguards for protecting fundamental rights and tackling the digital divide.