
Expanded narrative of the CyberC4HE Coalition’s activities with reference to national laws and European regulations
✓ Establishment of the CyberC4HE Coalition
✓ NIS2 Directive
✓ Act on the National Cybersecurity System (KSC)
✓ RODO (GDPR) and eIDAS regulations
✓ Conclusions from the analysis of 140 hospitals in 2024
✓ Identification of good practices
✓ Recommendations for 2025
✓ Timeline for implementation of recommendations
✓ Forms of support offered by CyberC4HE
Establishment of the CyberC4HE Coalition
The CyberC4HE Coalition was formed in response to the rapidly growing cyber threats in the healthcare sector, which stem from the increasing dependence of medical systems on digital technologies and the outdated IT infrastructure of many facilities. The coalition acts as a platform for cooperation between the public and private sectors, state institutions, NGOs and experts.
Since its inception, the Coalition has brought together leading organizations such as the Center for e-Health (CeZ), the sector CSIRT, the Healthcare Poland Foundation, the Polish Federation of Hospitals (PFSz), regional Chambers of Physicians, and key experts in cyber security, risk management and digital transformation.
The goal of the Coalition is to gather information on the state of preparedness of healthcare entities and to develop an optimal process for implementing an integrated critical infrastructure protection system in accordance with the requirements of the NIS2 Directive, EU ENISA standards and national regulations, such as the National Cyber Security System Act (Journal of Laws 2018, item 1560, as amended) and the RODO (GDPR) regulations (Regulation 2016/679 of the European Parliament and of the Council of the EU).
NIS2 Directive
The NIS2 Directive, adopted in December 2022, is a key piece of critical infrastructure protection legislation in the European Union, extending responsibilities to the healthcare sector. Key provisions include:
Risk management obligation
Every regulated organization must implement a cyber risk management system.
Incident reporting
Medical facilities are required to report major cyber incidents within 24 hours to the sector CSIRT (in Poland: the team at the Center for e-Health, CeZ).
Audit obligation
Organizations must regularly conduct audits to assess IT infrastructure compliance with security requirements.

Act on the National Cybersecurity System (NCS / KSC)
In Poland, the regulations of the NIS2 Directive are being implemented through amendments to the KSC Act, which will come into force on January 1, 2025. The most important provisions of the law:
- Granting hospitals of particular importance to health protection the status of key service operators.
- Introduction of the obligation to create risk management plans and incident response procedures.
- The obligation to ensure compliance with the security requirements specified in Article 8 of the Act.
- The requirement to conduct reporting in accordance with ESG (Environmental, Social, Governance), which is a new element related to the financing of technological solutions.
Conclusions from the analysis of 140 hospitals in 2024
1. Deficiencies in IT infrastructure
62% of hospitals use IT systems that are more than five years old, which prevents them from being updated in accordance with security requirements.
48% of facilities have not implemented real-time threat monitoring systems.
2. Lack of integrated risk management procedures
Most hospitals do not have incident response plans or defined reporting procedures.
3. Insufficient funding
Only 30% of hospitals allocate more than 5% of their IT budget to cybersecurity, which is well below ENISA’s recommendation.

Identification of good practices
Provincial SOC (Security Operations Center)
Provincial Security Operations Centres have been established in 3 provinces to provide monitoring and technical support for healthcare facilities.
Pilot programmes
Hospitals participating in CeZ programmes, such as EZLA (electronic medical records), demonstrated greater resilience to incidents.
Recommendations for 2025
Construction of distributed SOCs
Establishment of Provincial and Local Government SOCs integrated with CeZ and sectoral CSIRTs.
Financing the construction of SOCs from EU funds (Horizon Europe, Digital Europe) and the ESG component under the KPO (National Recovery Plan).
Simplified audit and certification model
Simplified audit: Dedicated to medium-sized hospitals, allowing for assessment of compliance with the NIS2 Directive and the KSC Act.
ESG certification: Facilities that meet IT security requirements will be able to obtain certificates confirming ESG compliance, which opens up access to additional funds.
Isolated infrastructure and physical security measures
Air-gapped networks: For critical IT systems, such as patient data management systems.
USB port blocking: Mandatory on all medical and administrative devices, except for authorised hardware keys.
Digitisation and elimination of paper-based procedures
Digital documentation: Implementation of digital signatures in accordance with eIDAS, enabling a complete transition to electronic patient consent forms and medical documentation.
EZLA system: Expansion to all hospitals, elimination of risks associated with prescription machines.
Medical and administrative staff training and support
Nationwide training programme on cyber hygiene and incident management for medical and administrative staff.
Workshops for management on integrating cybersecurity with ESG management.
Schedule for implementing the recommendations
Short-term (2025)
➜ Pilot project involving simplified audits in 10 hospitals
➜ Construction of 5 Provincial SOCs
➜ Training 20,000 healthcare workers in cybersecurity
Mid-term (2026–2027)
➜ Certification of 80 hospitals in accordance with ESG
➜ Full implementation of isolated networks in key units
Long-term (2028+)
➜ The development of the national cybersecurity system in healthcare as a model for other sectors
Summary
Based on national and EU regulations, the CyberC4HE coalition has developed a comprehensive plan for cybersecurity transformation in the Polish healthcare sector. Implementation of the recommendations will ensure compliance with the NIS2 directive, protect patient data, and increase the effectiveness of financing, including in preparation for ESG reporting.

Forms of support offered by CyberC4HE
Find out what forms of support the CyberC4HE Coalition offers its members.
Comprehensive cybersecurity transformation plan
The plan includes the implementation of risk management systems, IT infrastructure protection and compliance with the NIS2 directive, supporting hospitals in improving their financing and preparing for ESG reporting.
CyberBook
A handbook of good practices and standards for cybersecurity that supports the implementation of obligations under EU regulations (NIS2, GDPR, eIDAS).
Construction of distributed SOCs
Local security centres in EU regions monitoring threats, co-funded by Horizon Europe and Digital Europe funds.