Tag - Ransomware

Cyber spying on the rise, EU agency warns
BRUSSELS — Crafty hacking groups backed by hostile states have increasingly targeted European public institutions with cyber espionage campaigns in the past year, the European Union’s cybersecurity agency said Wednesday. Public institutions were the most targeted type of organization, accounting for 38 percent of the nearly 5,000 incidents analyzed, the ENISA agency said in its yearly threat landscape report on European cyber threats. The EU itself is a regular target, it added. State-aligned hacking groups “steadily intensified their operations toward EU organizations,” ENISA said, adding that those groups carried out cyber espionage campaigns on public bodies while also attempting to sway the public through disinformation and interference. The report looked at incidents from July 1, 2024 to June 30, 2025. Multiple European countries said in August that they had been affected by “Salt Typhoon,” a sprawling hacking and espionage campaign believed to be run by China’s Ministry of State Security. In May, the Netherlands also attributed a cyber espionage campaign to Russia, and the Czech government condemned China for carrying out a cyberattack against its foreign ministry exposing thousands of unclassified emails. These incidents underlined how European governments and organizations are increasingly plagued by cyber intrusions and disruption. Though state-backed cyber espionage is on the rise, ENISA said the most “impactful” threat in the EU is ransomware, a type of hack where criminals infiltrate a system, shut it down and demand payment to allow victims to regain control over their IT. Another type of attack, known as distributed denial-of-service (DDoS), was the most common type of incident, ENISA said. DDoS attacks are most commonly deployed by cyber activists. ENISA said different types of hacking groups are increasingly using each other’s tactics, most notably when state-aligned groups use cyber-activist techniques to hide their provenance.
The agency also highlighted the threat to supply chains posed by cyberattacks, saying the interconnected nature of modern services can amplify the effect of a cyberattack.   Passengers at Brussels, Berlin and London Heathrow airports recently experienced severe delays due to a cyberattack on supplier Collins Aerospace, which provides check-in and boarding systems. “Everyone needs to take his or her responsibilities seriously,” Hans de Vries, the agency’s chief operations officer, told POLITICO. “Any company could have a ripple effect … We are so dependent on IT. That’s not a nice story but it’s the truth.”
Intelligence
Security
Supply chains
Services
Disinformation
The NHS digital revolution needs more than vision — it needs action now
In an AI-first era, where AI is becoming an integral part of everything we do, its applications spanning across different sectors and facilitating various parts of our daily routines, healthcare should be no exception. In an ideal world, this is what healthcare should look like: a patient goes to an app to book an appointment, AI directs them to the doctor with the best expertise, knows which equipment is available, and which location makes most sense, and puts the appointment in their respective diaries. The complexity with healthcare is that this isn’t just a system, but three interconnected worlds that must work together seamlessly. Patients rightly want care when and where they need it. Clinicians want to ensure their expert resource is directed as impactfully and efficiently as possible. And medical assets, from MRI scanners to life-saving medications, must be available when and where required. This is where investing in technology becomes key. The good news is that the AI revolution in healthcare is already beginning, and the early results are encouraging. Some GP practices have cut waiting times by 73 percent using smart triaging systems, reducing waits from 11 to three days. AI can help tackle the dreaded ‘8am rush’ when phone lines jam with appointment requests. In the same study, GP practices using these systems reduced phone-based contacts from 88 percent to 18 percent and saw a 30 percent drop in missed appointments — potentially saving £350 million annually from reduced non-attendance. Through ServiceNow’s work with NHS Trusts, we’ve identified five areas where change can make an immediate difference, as outlined in ServiceNow’s NHS Digital Transformation white paper:
* improving the staff experience;
* joining up corporate services;
* protecting against cyber threats;
* streamlining patient journeys; and
* harnessing AI.
The reward for getting this right? We could see £35 billion in productivity savings by 2030.
That’s money that could be reinvested directly into patient care. Better staff systems could save £750 million annually — not through cuts, but by giving critical NHS workers back the 29 million hours currently lost to bureaucracy. Right now, it takes up to 120 days to get a new NHS employee properly started. In some trusts we have cut that to 25-40 days. Imagine the impact if this was rolled out across the whole NHS. When you’re trying to grow the workforce from 1.5 to 2.4 million people by 2036, every day matters. Joining up corporate services could save another £1.6 billion each year. This is especially urgent given that Integrated Care Systems are facing combined deficits and have been told to slash running costs by 50 percent. The NHS 10 Year Health Plan for England talks about rebuilding the NHS in working-class communities; areas that currently get 10 percent less funding per person. Digital transformation isn’t just about efficiency; it’s about equity. When systems work properly, everyone benefits, but the biggest gains go to those who currently struggle most to access care. The problem is these parts barely speak to each other. The white paper reveals just how costly this disconnection has become: 13.5 million hours wasted annually due to inadequate IT, a 7.5 million case waiting list, and nearly £3 billion spent each year compensating for care failures. Behind every statistic is a person. Someone facing a delayed diagnosis, a cancelled operation or simply not receiving the care they deserve. This fragmentation isn’t just inefficient, it has a direct effect on patients and clinicians too. We’re spending £15.5 billion annually, 6.5 percent of the entire NHS budget, on corporate services that don’t talk to each other. Nurses are spending over a quarter of their time on paperwork instead of caring for patients. GP practices are drowning in 240 million calls annually from frustrated patients who can’t get through. 
We have a patchwork of systems where crucial information gets lost in translation.  When it takes 20 separate manual processes just to say goodbye to a leaving employee, you know there’s room for improvement. In addition to internal challenges, there’s the cyber threat affecting the NHS. Healthcare cyberattacks doubled between 2022 and 2023. A single ransomware attack forced over 10,000 patients to have their appointments cancelled at just two trusts. Without proper digital defenses and monitoring, we’re one attack away from regional healthcare paralysis. But here’s the thing, AI is only as good as the systems it connects to. That’s where we need to be honest about the infrastructure challenge. You can’t build tomorrow’s healthcare on yesterday’s technology. We need systems that talk to each other, share information securely and put the right information in the right hands at the right moment. The truth is, the NHS can’t do this transformation alone. The scale is too big, the timeline too tight and the technical challenges too complex. It’s about partnership — because the best outcomes happen when public sector insight combines with private sector innovation and speed. We need genuine partnerships focused on outcomes, not just products. At ServiceNow, we’ve seen what’s possible when this approach works: connected systems, freed-up time and better patient experiences. We’re at a crossroads, and the path we choose in the next two to three years will determine the NHS our children inherit. We can keep tinkering around the edges, managing decline through small improvements or we can be bold and build the digital foundation that healthcare needs. This isn’t a distant dream; it’s an immediate opportunity. Patients have waited long enough. NHS staff have endured enough frustration with systems that make their jobs harder, not easier. The cost of inaction isn’t just measured in pounds, it’s measured in lives. 
The technology exists, the knowledge is there and the legal framework is in place. What we need now is to act on what we already know works for this transformation to happen.
Budget
Rights
Technology
Services
Health Care
British institutions to be banned from paying ransoms to Russian hackers
LONDON — Hospitals, local councils and operators of critical U.K. infrastructure are among the organizations who will be banned from paying ransoms to hackers under new plans unveiled by the British government. The move — which will cover all public sector bodies as well as the owners and operators of critical national infrastructure — comes after years of escalating cyber attacks on parts of the British state. Many of these attacks on British institutions and infrastructure can be traced back to Russia-aligned hacking groups that are now the subject of sanctions. Estimates from Chainalysis suggest ransomware payments globally generated $1 billion from victims in 2023 alone. The new measures, which also include the mandatory reporting of all ransomware incidents, come following a consultation in which three-quarters of respondents supported a targeted ban. Security Minister Dan Jarvis told MPs in a written statement on Tuesday that the government’s ransomware plan will provide “vital intelligence to expose, detect and disrupt these criminal networks” and to “defend the economy and our business we need to break the ransomware business model.” The government highlighted the case of the British Library — which suffered a cyber attack in 2023 but did not pay a ransom to hackers. But Rebecca Lawrence, its chief executive, said the library “which holds one of the world’s most significant collections of human knowledge” had its technology infrastructure destroyed by the attack, with users still feeling the impact. This year has seen an escalation in cyber attacks with luxury retailer Harrods, and high-street names the Co-op and Marks and Spencer all seeing their services disrupted by criminals.
INVESTMENT SHAKE-UP
While the government is moving to strengthen one arm of its national security operation, it is also seeking to remove what it called “red tape” from other aspects of its defenses.
The Cabinet Office announced Tuesday that it is making changes to its National Security and Investment Act — legislation aimed at safeguarding critical areas of the economy from malign or foreign influence. These include removing requirements for key businesses to tell the government about internal restructuring changes or alert officials when appointing a liquidator. Pat McFadden, the department’s lead minister, told MPs that the changes “reduce business burdens without exposing the country to greater risk.” Ministers will also consult on plans to shake up what are defined as key sectors under the legislation to update the importance of areas such as semiconductors and artificial intelligence. The consultation also will look at bringing the water sector under national security legislation.  This would mean that the industry in Britain — which itself is under extensive scrutiny due to debt-laden ownership structures — will have any potential buy-outs, such as those based overseas, escalated to national security experts. The annual review of the legislation, also published Tuesday, revealed that the government had only blocked one deal out of all those called in for further scrutiny. A further 16 saw a “final order” notice submitted to mitigate risks to national security, which could include stringent conditions applied to an investment deal.
Intelligence
Security
Water
Artificial Intelligence
Technology
Why hackers love Europe’s hospitals
Simon Meier, a trauma and orthopedic surgeon, was off duty when a colleague called one evening. University Hospital Frankfurt was the target of a massive cyberattack which required an urgent response. The next morning, Meier, who was also the hospital’s emergency planner, sat in a crisis meeting with hospital leadership. IT teams had worked through the night without success, and now, a critical decision loomed. “We had to cut off the whole hospital network from the internet,” Meier recalled. “We didn’t want to give anyone the chance to tamper with the IT systems anymore.” Internet access was severed, databases were frozen and hospital staff had to switch to pen and paper, as well as phone calls, to deliver care. “It severely impaired the communication between our electronic systems,” Meier said. Accessing lab results or data from mobile X-ray machines became a headache, with systems unable to report to the hospital database. “We had to reschedule appointments just to be able to have a look into the patient’s files and postpone some planned surgeries,” he said. Now, over one-and-a-half years later, the system is not yet back to “normal,” Meier said. Internet and database access remain restricted, and a costly infrastructure rebuild is underway to plug long-exploited vulnerabilities. This attack is just one of 309 cybersecurity incidents targeting the health care sector in the EU in 2023 alone — more than any other critical sector. The cost of a major incident typically reaches some €300,000. Beyond the financial impact, cyberattacks pose a threat to patients’ lives. The stakes became clear in a recent case in the U.K., where the death of a patient was linked — among other contributing factors — to a delayed blood test result caused by a cyberattack that disrupted pathology services last summer.  
World Health Organization (WHO) chief Tedros Adhanom Ghebreyesus called cyberattacks on health care “issues of life and death.” While health care has become the primary target for cybercriminals in recent years, putting lives at risk, the sector paradoxically invests less in cybersecurity than any other industry, leaving high-value data vulnerable to attack.
PERFECT TARGET
For cybercriminals, targeting health data “is a perfect business plan,” said Christos Xenakis, professor at the department of digital systems at the University of Piraeus, Greece. “It’s easy to steal data, and what you steal, you can sell it at a high price.” Ransomware attacks — where hackers lock data and demand a ransom — dominate the sector, an EU Agency for Cybersecurity (ENISA) report showed. “They achieve two targets: One is to get the data and sell (it), and the other is to encrypt the whole system, disrupt the whole system, and ask for money,” Xenakis said. Stolen data can be sold on the dark web to criminals who use it to commit identity theft, insurance fraud or blackmail. To restore disrupted systems, criminals can demand millions of euros — hackers, for instance, wanted $4.5 million for the return of the stolen data after a cyberattack on Hospital Clínic in Barcelona. The hospital refused to pay. However, other types of cyberattacks are also on the rise, including those by pro-Russian hacktivists aiming to disrupt health care operations, rather than for profit. Despite the risks, only 27 percent of health care organizations have a dedicated ransomware defense program, and 40 percent don’t offer any security awareness training for non-IT staff, a separate ENISA report found.
CREATING CYBERSECURITY CULTURE
Xenakis believes that the health care sector sees cybersecurity as “out of their business” scope and as a “luxury” rather than an essential. Health care staff are unaware of the risks, he believes, resulting in poor “cyber hygiene.” He recalls being left alone in a doctor’s office with unsecured computers — an easy target for hackers. “If I wanted to do something, it [would have been] easy for me,” he said. At the same time, he doubts that he would have been left in a room with critical medicines. Hospitals understand the risks if medicines got into the wrong hands, he said, “but they cannot understand cybersecurity.” The task is to create a culture of good cybersecurity practices to protect data and the systems, Xenakis said. “Technology awareness education is … extremely low.” Findings from the Finnish Innovation Fund Sitra back this up. While many health care organizations have cybersecurity policies in place, they are often not “clearly communicated or consistently understood by their staff.” High personnel turnover — not just among medics but also cybersecurity officers — further “exacerbates training gaps and the ability to enforce cybersecurity policies.” Sabina Magalini, a former professor of surgery at the Catholic University of the Sacred Heart in Rome, who coordinated an EU-funded project PANACEA to improve hospital cybersecurity, believes that current laws overlook hospital-specific challenges. “Hospitals have different problems,” she said, listing high staff turnover, lack of training and overwork. “The hospital is not a nuclear power plant … It’s like a port … with a harbor: people coming in, going out, and everything is open,” Magalini said. She argued that hospitals need continuous cybersecurity drills and streamlined systems that don’t slow down care. Health care staff “don’t want to pass half of the day logging in and logging out,” she said.
BLAME THE SYSTEM, NOT THE STAFF
However, training hospital personnel, while beneficial, is insufficient to address security threats. “If you have a hospital with 2,000 people working, the probability for someone to click the button (for a phishing link)” is unavoidable, Xenakis said. Especially as artificial intelligence is increasingly used by cybercriminals for automating attacks, such as phishing and deepfake-driven fraud, making the attacks “very sophisticated, very targeted,” Xenakis said. “You cannot blame the people,” Xenakis said. There must be intelligent detection tools “to eliminate the damage … or counteract the attack,” he said. Magalini also pointed out another shortcoming: cybersecurity consultancies that assist hospitals often originate from outside Europe. “They are either from the United States or Canada … also from Russia,” she said, adding that there should be a “European way of doing cybersecurity.”
INVESTMENT GAPS
While the risks are clear, national governments are skimping on prevention, Xenakis believes, saying that he has no good example of a country “that has invested a lot in cybersecurity in the health sector.” In Germany, for example, “they are used to just putting new regulations in place, but invest nothing in the cybersecurity of hospitals,” Meier said. He believes his Frankfurt hospital would have found the attack earlier if it had an intrusion detection system. They were “very lucky” to discover the attack before it destroyed the entire database, Meier said.
“It could have resulted in a complete shutdown of the hospital.” “Cybersecurity threats pose enormous challenges for the health care sector by endangering the availability of essential health care services,” a spokesperson from the German health ministry told POLITICO in a written response. Germany is backing sector-specific cybersecurity standards and also requires hospitals to invest at least 15 percent of cybersecurity funding received through a program on future-proofing hospitals under its recovery and resilience plan. Europe’s Health Commissioner Olivér Várhelyi has also made it clear that investment must come from national governments. “If you go to a hospital, you always see a guard in the door. There is money for that, so there should be money for protecting the data as well,” he said in January. But with the health sector often suffering from underinvestment, how much governments can spend on cybersecurity “is a question,” Magalini said. “There are so many other (health care) problems which are not cybersecurity … so I don’t know how they can make the investments.” The cost of inaction can be hundreds of millions of euros, as it was with an attack on Ireland’s Health Service Executive in May 2021 that shut down IT systems of the country’s publicly funded health care system. The attack’s cost was estimated at least €101 million, with a further €657 million to be spent safeguarding against future attacks. “Why did it cost so much? Not because of the damage but [because] then someone intelligent thought, ‘no, we have to rebuild the system in a secure way,’” Magalini said. Ray Walley, general practitioner from Ireland, saw firsthand how the attack severed ties with the hospital system. “We couldn’t refer stuff in. It affected outflow from the hospital system. We weren’t getting the results of blood tests. We weren’t getting the results of X-rays and scans,” he said.
Walley believes that “cybersecurity is just another form of health care.” “We need to invest in this,” he said. “We need to be proactive. We need to spend the money.”
EU’S ACTION: GOOD, BUT COULD BE BETTER
The increasing number of cyberattacks on health care systems triggered a response from the EU this year. The European Commission unveiled in January an “action plan” on cybersecurity for hospitals and the health care sector. The plan proposes setting up a European Cybersecurity Support Center for the health care sector within ENISA and a specific rapid response service. The plan also introduces “cybersecurity vouchers,” which will enable EU countries to provide financial support to smaller health care providers for enhancing their cyber resilience. “It’s good,” said Markus Kalliola, Sitra’s program director. But it “could be stronger.” He is one of the authors of the Commission’s evaluation report by Sitra, which points to murky EU governance, a lack of clear targets or budgets and a missed opportunity to build a functioning single market for cybersecurity solutions. Sitra calls for going beyond the EU’s plan by considering cybersecurity as a matter of national security; setting up mandatory cybersecurity readiness for health care organizations; incorporating cybersecurity skills into health professionals’ basic training; and organizing more pan-European cybersecurity exercises. With the changing geopolitical situation, “it’s also a matter of national security,” Kalliola said. “EU member states should focus on … what is the national strategy in securing these critical health care services,” he added. Whether or not Europe’s security will feature in the Commission’s final hospital cybersecurity plan remains to be seen; the EU executive has just concluded a consultation and promised to put forward a refined plan by the end of the year.
Other pieces of EU legislation — including the NIS2 Directive, Cyber Resilience Act, AI Act and medical devices rules — also raise the bar for cybersecurity across different sectors, including health care.  However, “despite advancements in regulatory efforts and technical solutions, implementation remains inconsistent. There is no time to lose in turning regulations into reality,” Kalliola said.
Data
Security
Artificial Intelligence
Fraud
Health Care
France detains Russian basketball player at US request on hacking charge
Russian basketball player Daniil Kasatkin was arrested in France on a hacking charge at the request of the United States. U.S. authorities believe Kasatkin negotiated payoffs for a ransomware ring that hacked around 900 companies and two federal government entities in the U.S., demanding money to end their attacks, according to a report from AFP. Kasatkin, who was arrested on June 21, denies the allegations. His lawyer, Frédéric Bélot, told POLITICO that Kasatkin is a “collateral victim of that crime” because he bought a second-hand computer with malware.  “He’s not a computer guy,” Bélot said. “He didn’t notice any strange behavior on the computer because he doesn’t know how computers work.” A French court denied Kasatkin bail on Wednesday, and he remains in jail awaiting formal extradition notification from U.S. authorities, according to Bélot. Kasatkin had traveled to France to visit Paris with his fiancée and was detained shortly after arriving at the airport. He played collegiate basketball briefly at Penn State, then four seasons for the Moscow-based MBA-MAI team. Bélot said Kasatkin’s physical condition has deteriorated in jail, which he argued is harming his athletic career. Joshua Berlinger contributed to this report. 
Sport
Cybersecurity and Data Protection
Cybercrime
Hackers
Malware