Cybersecurity in E-Health: From Regulation to Real Action


Press
May 15, 2025

In an era where patient data flows seamlessly across borders, systems, and connected devices, the question is no longer whether healthcare data is at risk — but whether we’re doing enough to protect it.

That was the central topic of discussion during the panel “Cybersecurity of Data – What Do We Do to Protect It?”, held on May 13, 2025, at the EU conference on cross-border e-health, under the Polish Presidency of the Council of the European Union.

The panel brought together experts from law, policy, hospital administration, European cyber institutions, and industry. What became clear was this: securing e-health systems is no longer about theory, but about execution. It's about building resilient, verifiable digital infrastructures that can uphold both the confidentiality and the continuity of care — even under cyber duress.

This article brings together the key themes from that discussion, expanded with technical and regulatory insights, and grounded in the reality of modern connected healthcare.


Trust Is More Than Encryption

The foundation of e-health is trust — between patients and providers, between hospitals and vendors, between systems across borders. And while encryption is essential, it’s not enough. Trust must be engineered into every layer of the system.

Cybersecurity in healthcare isn't just about protecting data. It’s about protecting life-critical processes, often facilitated by IIoT devices — from infusion pumps and patient monitors to hospital infrastructure and cross-border health records.

This is why the panel emphasized the concept of "circles of trust" — a layered approach to cybersecurity in which every actor in the ecosystem must be both accountable and verifiable. From software components and firmware to update infrastructure and human access control, each layer must be designed to fail safe and to recover fast.


The Regulatory Landscape: Stronger, but Not Yet Sufficient

Over the past three years, the EU has made significant regulatory strides:

  • MDR (Medical Device Regulation) ensures that software and devices undergo safety risk assessments and clinical validation — including cybersecurity considerations.
  • The Radio Equipment Directive (RED) delegated act introduces mandatory cybersecurity features for wireless-enabled medical devices as of August 2024.
  • The upcoming Cyber Resilience Act (CRA) introduces horizontal cybersecurity requirements for all products with digital elements, including medical devices.
  • The NIS2 Directive enforces organizational-level cyber risk management across essential and important entities — such as hospitals and medical device manufacturers.

These frameworks are aligned in one message: cybersecurity is not optional. But they differ in depth and enforcement. Regulations on paper won’t save systems unless they are implemented, verified, and enforced consistently across Member States.

What’s missing is an actionable mechanism to ensure that devices remain secure throughout their lifecycle, not just at certification. The reality is stark: medical devices often operate for 10+ years — far longer than their typical security support window.


A Missing Piece: The Case for a “Cyber CE+” Standard

During the discussion, the need for a lifecycle-oriented security certification emerged as a clear gap.

Let’s call it Cyber CE+: a conceptual extension of the CE mark that doesn’t only confirm that a product is safe and compliant at launch — but that it is also designed, provisioned, and supported with long-term cybersecurity in mind.

What Cyber CE+ would enforce:

  • 🧾 A transparent Software Bill of Materials (SBOM) and Cryptographic Bill of Materials (CBOM)
  • ⚙️ Secure-by-default device configuration and update handling
  • ✍️ Digitally signed firmware and enforced signature validation
  • 🕵️ Clear vulnerability disclosure and patch response timelines
  • 🔁 Documentation and tooling for key rotation and secure update delivery
  • 🗓️ A defined support period for security patches and updates

This is not a silver bullet. But it would raise the bar — and provide both regulators and hospitals with a signal of long-term resilience, not just launch-day compliance.


Where the Pain Points Are: Technology, People, and Execution

1. Outdated technology and patching gaps

According to a 2022 Cynerio report, many hospitals still operate devices running obsolete operating systems, unsupported software stacks, or custom firmware with no patching pathway. A recent industry study showed that 53% of connected medical devices contain known vulnerabilities, and over 70% run unsupported operating systems.

2. Cybersecurity skills gap

The talent shortage is not only in hospitals — it extends to regulators, manufacturers, and public health authorities. Cybersecurity requires not only specialized tools, but people who know how to use them.

3. Inconsistent implementation and oversight

NIS2, CRA, and RED are powerful frameworks. But enforcement will vary greatly depending on national capacity. Without EU-level alignment on audits, accountability, and support mechanisms, implementation will be patchy — and vulnerable systems will persist under the radar.


The Role of Industry: Responsibility Beyond Compliance

Device manufacturers have a critical role to play. Not just in passing audits — but in building systems that are resilient by design.

This includes:

  • 📄 Maintaining a machine-readable SBOM and CBOM
  • 🔐 Implementing signed update pipelines and secure boot
  • 📡 Supporting over-the-air (OTA) updates with rollback protection
  • 📣 Establishing coordinated vulnerability disclosure processes
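As an added illustration of two requirements named above, signed firmware with enforced signature validation and OTA updates with rollback protection, here is a device-side update gate in Go. It is example code written for this article, not Modino.io's own tooling; the manifest layout, the choice of Ed25519 and the use of a monotonic version counter for anti-rollback are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)
// Manifest is a constructed, minimal update manifest for this example.
type Manifest struct {
	Version uint32   // monotonic counter; the anti-rollback value
	Digest  [32]byte // SHA-256 of the firmware image
	Sig     []byte   // Ed25519 signature over Version||Digest
}
func (m *Manifest) signedBytes() []byte {
	return append(binary.BigEndian.AppendUint32(nil, m.Version), m.Digest[:]...)
}
// SignManifest runs in the vendor's release pipeline; the private key stays there.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

var ErrBadSignature = errors.New("manifest signature invalid")
var ErrDigest = errors.New("image digest does not match manifest")
var ErrRollback = errors.New("version not newer than installed version")
// VerifyUpdate is the device-side gate: signature, then integrity, then anti-rollback.
// On success it returns the version the device should persist as installed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) (uint32, error) {
	if !ed25519.Verify(pub, m.signedBytes(), m.Sig) {
		return installed, ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return installed, ErrDigest
	}
	if m.Version <= installed {
		return installed, ErrRollback
	}
	return m.Version, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor keypair
	img := []byte("constructed firmware image v2")
	m := SignManifest(priv, 2, img)
	fmt.Println(VerifyUpdate(pub, 1, m, img)) // accepted: 2 <nil>
	fmt.Println(VerifyUpdate(pub, 2, m, img)) // replaying v2 onto a v2 device is refused
}
```

On a real device the vendor public key and the installed-version counter must live in storage that the update path itself cannot overwrite, otherwise the anti-rollback check can be reset along with the firmware.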

At Modino.io, we focus on helping manufacturers and system operators automate artifact integrity, key lifecycle management, and update delivery — even in offline or intermittently connected industrial environments. Because in real-world e-health deployments, security must work under pressure and without excuses.


What Comes Next: Practical, Future-Focused Actions

  • Standardize secure update protocols. Common OTA mechanisms should be validated, audited, and reusable — not reinvented in every product line.
  • Support hospital cybersecurity maturity. This means funding, training, and operational blueprints for secure device inventory and risk analysis.
  • Get ahead of emerging risks. AI-enabled attacks, deepfakes, and quantum computing threats aren’t just buzzwords — they require serious cryptographic planning and adaptable architecture.

And perhaps most importantly: regulators, manufacturers, and healthcare providers must talk to each other. Cyber resilience doesn’t happen in silos.


Because This Is About Patients, Not Just Systems

Every vulnerability in a hospital system has a patient on the other end. Every delayed patch or broken update pipeline is a potential disruption in someone’s care.

Cybersecurity in e-health is not a technical checkbox. It’s a clinical safety imperative.

Systems that handle medical data and life-critical functions must be treated as such: continuously protected, independently verifiable, and built to endure.


Glossary of Key Terms

  • CRA – Cyber Resilience Act
  • NIS2 – Network and Information Security Directive (v2)
  • MDR – Medical Device Regulation
  • RED – Radio Equipment Directive
  • SBOM – Software Bill of Materials
  • CBOM – Cryptographic Bill of Materials
  • CE – Conformité Européenne (EU conformity marking)
  • Cyber CE+ – Hypothetical extended certification for lifecycle cybersecurity
  • OTA – Over-the-Air Update
  • IIoT – Industrial Internet of Things

If you’re building or managing infrastructure in healthcare, industrial systems, or critical data environments — and need help implementing secure update chains, verifiable artifact pipelines, or trusted key management — let’s talk.

Secure systems don’t build themselves.
