Safer in Doctors' Offices? A Big Change Is Coming to the Medical IT Market

- The Council of Ministers' Committee on Digital Affairs has established a task force to support digitalization in healthcare. It is composed of representatives from the Ministries of Digital Affairs and Health, as well as their subordinate agencies.
- We've learned the first details about the team's priorities. It will work in four areas, including medical data sharing and health cybersecurity.
- Deputy Minister of Digital Affairs Dariusz Standerski announces that the team will also develop standards and guidelines for cybersecurity in healthcare.
- Standerski does not rule out that the guidelines proposed by the team may be incorporated into laws in the future.

The team supporting digitalization in healthcare is a response to the slow pace of processes at the Ministry of Health. However, following the change in leadership, digitalization is to be a priority, as Prime Minister Donald Tusk stated when announcing the government reshuffle.
The matter is all the more urgent because the money from the National Recovery Plan, under which PLN 4.3 billion is allocated specifically for the digital transformation in healthcare (PLN 3.1 billion is a pool for hospitals alone, PLN 1.2 billion for e-Health Center projects), must be spent by August 2026.
As we reported last week, Deputy Minister of Digital Affairs Dariusz Standerski headed the team. Other invited members included the Medical Research Agency, the National Health Fund, the e-Health Center, the Central Information Technology Center, the Scientific and Academic Computer Network, and the IDEAS Research Institute.
"We should have been implementing digitalization together for a long time now, taking into account the perspectives, competences, and experiences of representatives of various state institutions," Deputy Minister of Health Dr. Tomasz Maciejewski told us shortly after his first meeting with Minister Standerski. "Let's draw on the experience of other European countries, such as France, which has decided to digitalize the entire country, not just selected sections," he added.

First meeting, four priorities for the new team

On Tuesday, September 23rd, the team held a working meeting. As we learned, it was agreed that the team would work on four areas:
- providing basic medical data in mObywatel and establishing the relationship between mObywatel and IKP,
- establishing rules for access to data for research and development purposes,
- organizing medical records and processes,
- cybersecurity standards and guidelines in healthcare.

What exactly do these slogans mean? Deputy Minister Standerski told WNP and Rynek Zdrowia that the government wants to introduce some basic health-related information to the mObywatel mobile app, such as recent test results and information on available preventive care. The intention, however, is not to duplicate the Individual Patient Account (IKP), but to encourage the use of this health app. The idea is also to popularize the IKP, which currently has 3 million users (more than three times as many as mObywatel).

The plan is to accelerate work on e-registration for doctors

The team also wants to support the Ministry of Health in implementing a key EU regulation – the European Health Data Space (EHDS). This regulation aims to enable the cross-border exchange of medical data for EU citizens to obtain healthcare services outside their country of residence. It also aims to free up health information for research and development purposes. Formally, the EHDS regulations have been in force since March 2026, but full implementation is expected around 2029.
An inter-ministerial task force will also focus on accelerating work on the Central e-Registration system. A pilot program for this solution will be completed by the end of the year in three areas (first-time cardiology visits, cytology screenings, and mammography). Starting in 2026, all facilities providing these services under contract with the National Health Fund (NFZ) will have six months to integrate with the system. Otherwise, the Fund will not pay for visits not recorded in the Central e-Registration system.
Over time, the obligation will apply to an increasing number of services. Wojciech Demediuk, Director of the e-Health Department, revealed at a recent meeting of the Parliamentary Health Committee that, as early as August 2026, the appointment booking system could also cover services such as infectious diseases, hepatology, immunology, endocrinology, nephrology, neonatology, and lung diseases.

New cybersecurity standards are designed to protect patient data

One of the challenges the team faces is cybersecurity in healthcare. Although medical facilities are responsible for ensuring the safety of a vast number of patients' data, there are still no uniform cybersecurity standards in place. This poses a problem for medical facility directors, as they often lack the expertise to evaluate the solutions they use. Public institutions, however, offer little support.
The task force will develop cybersecurity standards and guidelines for healthcare. Minister Dariusz Standerski assured WNP and Rynek Zdrowia that these guidelines will also apply to the security of applications used by medical facilities. Initially, these guidelines will be issued by the Ministry of Health, but may later be adopted as statutory provisions.
In December 2024, "Dziennik Gazeta Prawna" reported that the data of approximately 10 million patients had been exposed for years to theft from applications used by pharmacies and doctors. The programs easily gained access to patients' medical records and personal data (including addresses and contact details), as well as the right to issue reimbursed prescriptions, referrals, and sick leave certificates. The irregularities affected several thousand clinics, medical and dental offices, and pharmacies.
The problem was brought to attention by anonymous whistleblowers, and the existence of a vulnerability in the applications was documented and described in detail by Jakub Staśkiewicz, a cybersecurity expert and author of the OpenSecurity.pl blog. The error primarily lay with the manufacturers of the office software. Access to the patient database in their applications was achieved using a hard-coded password embedded in the software code.
wnp.pl