European Commission Publishes Action Plan on Cybersecurity of Hospitals and Healthcare Providers | Inside Privacy

On 15 January 2025, the European Commission published an action plan on the cybersecurity of hospitals and healthcare providers (the "Action Plan"). The Action Plan sets out a series of EU-level actions that are intended to better protect the healthcare sector from cyber threats. The publication of the Action Plan follows a number of high-profile incidents in recent years where healthcare providers across the European Union have been the target of cyber attacks.

Whilst the Action Plan primarily focuses on healthcare providers, including hospitals, clinics, care homes, rehabilitation centres and others, the plan identifies interdependence between those providers and the healthcare industry. Therefore, some of the measures proposed address risks affecting the broader healthcare supply chain and ecosystem, and will potentially have implications for pharmaceutical and biotechnology industry players, as well as medical device manufacturers.

The action that will be of most significance for industry is the plan for Member States to request that entities subject to the NIS2 Directive, including healthcare organisations, must report on ransom payments when reporting significant incidents to the competent authority under the NIS2 Directive (section 33 p14). The Action Plan rationalizes this proposal by stating that the collection of further data is needed to understand the effectiveness of measures taken against ransomware attacks, and noting that such reporting would support the effective investigation of incidents. Reporting of ransomware payments is not required by the NIS2 Directive, so this would represent a significant change for in-scope entities. While this is titled a national action to be implemented by Q4 2025, it is not immediately clear from the Action Plan if the proposal would take the form of a new EU law that imposes the obligation on Member States, or otherwise.

We have highlighted below additional elements of the Action Plan that will be of particular interest to industry.

While the Action Plan proposes a wide array of different actions to be taken over the course of the next two years, it does not immediately create new obligations for industry. We will continue to monitor the progress of the various proposed actions.

The Data Privacy and Cybersecurity Practice at Covington has deep experience advising pharmaceutical companies and other healthcare stakeholders on privacy and cybersecurity issues across Europe and will continue to monitor developments. If you have any questions about the Action Plan, NIS2 and the Cyber Resilience Act, or about developments in the cybersecurity space more broadly, our team would be happy to assist.

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington's Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world's leading technology and life sciences companies and other multinationals.