
Health-ISAC Hacking Healthcare 4-11-2025

This week, Health-ISAC®‘s Hacking Healthcare® examines a new European Commission consultation tied to the action plan for the cybersecurity of hospitals and healthcare providers that was put forward in January. Then, following our last article on Singapore’s introduction of a new draft guidance on medical device cybersecurity, we examine the French Commission Nationale de l’Informatique et des Libertés (CNIL) public consultation on draft recommendations for the compliance and security of electronic patient records.[i] 

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

 

PDF Version: TLP WHITE Hacking Healthcare 4.11.2025 (PDF, 260.9 kB)

 

Text Version:

Welcome back to Hacking Healthcare®.

European Commission Action Plan Open Consultation

In mid-January, the European Commission launched an action plan to “strengthen the cybersecurity of hospitals and healthcare providers.”[i] The plan outlined a range of actions that should or could be taken by various stakeholders, but it also acknowledged the need for flexibility to refine the approach over time. This open consultation appears to be part of the “comprehensive stakeholder consultations and the continuation of exchanges with Member States and relevant networks” that were promised as a means to ensure the action plan remained attuned to health sector needs and could evolve as conditions changed.[ii]

 

Background on the Action Plan

The action plan came as a response to the increased frequency and sophistication of cyber threat activity against the health sector, the criticality of healthcare provider services and the need to mitigate patient harm, the potential for the erosion of public trust resulting from attacks against the health sector, and the desire to improve security and resiliency during a period of digital transformation and expanding attack surfaces. 

The action plan proposed EU-level coordination and measures from the Commission, ENISA, and member states to improve the cybersecurity of hospitals and healthcare providers. Proposed lines of effort included tailored guidance, tools, services, and training to hospitals and healthcare providers. For those looking for a broader refresher, we would encourage you to review our Hacking Healthcare article from January 24th.[iii] 

 

What Does the Consultation Cover?

The new consultation is open to everyone, but the European Commission specifically wants to hear from:[iv]

  • Managerial staff of hospitals and healthcare providers
  • Healthcare IT professionals
  • Healthcare professionals
  • Healthcare authorities
  • Patients, and organisations representing patients
  • Compliance and data privacy professionals
  • Cybersecurity industry players
  • Healthcare industry players

 

As for the content, the consultation asks respondents to answer mostly multiple choice questions in the following broad categories:[v]

  • Key challenges
  • Capacity of hospitals and healthcare providers
  • Preventing cybersecurity incidents
  • European capabilities for detecting cyber threats against the health sector
  • Rapid response and recovery
  • National actions & public-private cooperation

The deadline for responding to the consultation is June 30.

France: Consultation on Draft Recommendations for Compliance and Security of Electronic Patient Records

The French CNIL, France’s independent regulator and national data protection authority, has opened a public consultation on a draft recommendation that seeks to improve the processing and security of electronic patient records.

According to the CNIL, the two most significant catalysts for these draft recommendations are the massive rise in personal data breaches at hospitals over the period of 2018 to 2024[vi] and multiple instances in which the CNIL found patient data inadequately protected at various institutions.[vii] The draft contains proposed legal and technical recommendations.

What Does the Consultation Cover?

The 47-page draft recommendation[viii] is split into 16 sections covering a variety of issues, including security measures for data retention, securing data exchanges, security measures for access control, subcontractors and their obligations, and requirements for multi-factor authentication and data encryption.

The CNIL has a web-based form for submissions,[ix] and they invite individual entities, federations, associations, and networks to submit combined comments by May 16.

 

Action & Analysis
**Available with Membership**

 

Member Considerations

For those Health-ISAC members that could be impacted by either of these consultations, there is plenty of time to assess them and provide comments. We do hope that you take advantage of the opportunity to help shape these ongoing efforts in France and the EU. Members can play a key role in informing initiative leaders about existing efforts – such as those within Health-ISAC – to help prevent duplication, break down silos, promote more effective use of current resources, and improve situational awareness. Health-ISAC encourages members to provide feedback on these initiatives through the consultative processes identified above.

 

[i] Please be aware that there is no formal English translation of the CNIL press release, public consultation submission form, or the draft recommendations themselves. The analysis of these documents was enabled by web-browser-based translation. Health-ISAC members should assess all details for themselves to ensure accuracy. https://www.cnil.fr/fr/conformite-et-securite-des-dossiers-medicaux-la-cnil-lance-une-consultation-publique-sur-un-projet

[i] https://digital-strategy.ec.europa.eu/en/library/european-action-plan-cybersecurity-hospitals-and-healthcare-providers

[ii] https://digital-strategy.ec.europa.eu/en/library/european-action-plan-cybersecurity-hospitals-and-healthcare-providers

[iii] https://health-isac.org/health-isac-hacking-healthcare-1-24-2025/

[iv] https://ec.europa.eu/eusurvey/runner/Healthcare-Cybersecurity-Targeted-Consultation

[v] https://ec.europa.eu/eusurvey/runner/Healthcare-Cybersecurity-Targeted-Consultation

[vi] From 16 in 2018 to 196 in 2024.

[vii] https://www.cnil.fr/fr/conformite-et-securite-des-dossiers-medicaux-la-cnil-lance-une-consultation-publique-sur-un-projet

[viii] https://www.cnil.fr/sites/cnil/files/2025-03/projet_de_recommandation_dossier_patient_informatise.pdf

[ix] https://www.cnil.fr/fr/webform/consultation-publique-projet-de-recommandation-dossier-patient-informatise-dpi

[x] https://digital-strategy.ec.europa.eu/en/library/work-programme-2025-2027-digital-europe-programme-digital

[xi] https://commission.europa.eu/cybersecurity-healthcare_en

[xii] https://ec.europa.eu/eusurvey/runner/Healthcare-Cybersecurity-Targeted-Consultation
