- Healthcare is listed in Annex I of the NIS2 Directive as a sector of high criticality. Hospitals, laboratories, pharma, and medical device manufacturers with 50+ employees or EUR 10M+ revenue are affected.
- Healthcare is subject to additional regulation: DSGVO (GDPR) (health data as a special category), MDR (Medical Device Regulation), and industry-specific standards such as B3S.
- Special risks: Medical devices with lifecycles of 10-20 years, proprietary operating systems, 24/7 availability, and the direct danger to human life when systems fail.
- A medical laboratory with 70 employees can achieve NIS2 compliance in 12 months but must consider regulatory overlaps (GDPR, MDR, B3S) from the start.
- Executive management is personally liable, and in healthcare, potential criminal consequences are added if inadequate IT security leads to patient endangerment.
Healthcare as a Sector of High Criticality
Healthcare is among the sectors where a cyberattack can immediately become life-threatening. When a hospital's IT fails, surgeries cannot take place, emergency rooms must turn away patients, and the systems that monitor and control life-sustaining equipment go dark. This is not a theoretical consideration: the ransomware attack on Dusseldorf University Hospital in September 2020 forced the clinic to redirect emergency patients to other hospitals. A patient died during the longer transport, although a causal link was never established legally; the prosecutors closed their investigation into the death.
The EU has therefore placed healthcare in Annex I of the NIS2 Directive as a sector of high criticality. The NIS2 transposition act (NIS2UmsuCG) covers the following sub-sectors:
- Healthcare providers: Hospitals, clinics, rehabilitation facilities, care facilities (above the size thresholds)
- EU reference laboratories: Laboratory facilities performing certain EU-wide functions
- Research and development laboratories for pharmaceuticals: Including clinical trials
- Manufacturers of basic pharmaceutical substances and preparations: Pharmaceutical companies
- Manufacturers of medical devices classified as critical: Medical technology companies whose products are deemed critical during a public health emergency
Additionally, medical device manufacturers also fall under NIS2 through Annex II (manufacturing sector), regardless of whether their products are classified as critical. The thresholds are the same as for all NIS2 sectors: at least 50 employees or EUR 10 million revenue.
The Regulatory Landscape: NIS2 Meets GDPR, MDR, and B3S
What makes healthcare particularly complex under NIS2 is the overlap with existing regulations. Few other sectors have as many parallel compliance requirements in the areas of information security and data protection.
DSGVO (GDPR) and Health Data
Health data belongs to the special categories of personal data under Article 9 DSGVO (GDPR). Its processing is subject to enhanced protection requirements. A data breach where patient data is exfiltrated is not only an NIS2-reportable security incident but also a reportable data protection violation under Article 33 DSGVO (GDPR). This means: You report to two authorities (BSI and data protection authority), with different deadlines and content.
| Obligation | NIS2 | DSGVO (GDPR) |
|---|---|---|
| Reporting deadline | 24 hours (early warning), 72 hours (incident notification), 1 month (final report) | 72 hours after becoming aware of the breach |
| Reporting authority | BSI | Competent data protection authority |
| Reporting obligation | Significant security incident (Art. 23) | Breach of personal data (Art. 33) |
| Notification to affected persons | Recipients of the service, where the incident is likely to adversely affect service provision (Art. 23(1)) | Data subjects, where the breach is likely to result in a high risk (Art. 34) |
| Fines | Up to EUR 10M / 2% of global revenue (essential entities); up to EUR 7M / 1.4% (important entities) | Up to EUR 20M / 4% of global revenue |
In practice, this means: The incident response plan must cover both reporting channels in parallel. And the Data Protection Impact Assessment (DPIA) under Article 35 DSGVO (GDPR), which is mandatory when processing health data at scale, provides valuable inputs for the NIS2 risk analysis.
Medical Device Regulation (MDR)
For medical device manufacturers, the EU Medical Device Regulation (MDR, Regulation (EU) 2017/745) adds another layer. Annex I of the MDR sets out "general safety and performance requirements" that include cybersecurity: software must be developed according to the state of the art, including information security, and devices must be protected against unauthorized access (Annex I, sections 17.2 and 17.4). The MDR has applied since 26 May 2021, and the MDCG 2019-16 guidance describes what regulators expect manufacturers to cover in their cybersecurity risk management.
For institutions that use medical devices (hospitals, laboratories), the MDR means: Responsibility for cybersecurity of medical devices lies with the manufacturer, but you as the operator must ensure that the operating environment meets the manufacturer's specifications. If the manufacturer of a CT scanner requires specific network segmentation or patch levels, you must implement that.
Industry-Specific Security Standard (B3S)
For the healthcare sector, an industry-specific security standard (B3S) for hospital healthcare delivery has existed since 2019. It was developed by the German Hospital Federation (DKG) on the basis of the IT Security Act (§ 8a BSIG) and recognized by the BSI. Hospitals that have already implemented the B3S have a head start on NIS2 compliance, as the requirements overlap significantly.
However, the B3S is tailored to hospitals. Laboratories, pharmaceutical companies, and medical device manufacturers can orient themselves by it but must make industry-specific adjustments.
Special Risks in Healthcare
The risk landscape in healthcare differs fundamentally from other sectors in several respects.
Medical Devices: Legacy Equipment and Manufacturer Dependency
Medical devices are the biggest challenge for IT security in healthcare. An MRI scanner costs between EUR 500,000 and 3 million and has an expected service life of 10 to 15 years. Laboratory analysis devices often run 8 to 12 years. Patient monitors, infusion pumps, and ventilators have similar lifecycles.
The problem: these devices run on the operating system that was current at the time of certification. An MRI scanner from 2015 may still run Windows 7 or Windows Server 2012. A laboratory line from 2018 may use Windows 10, but in a build the manufacturer has not approved for updates, because any change to the operating system could jeopardize the device's certification as a medical product.
The consequences for NIS2 compliance:
- Patching is often not possible without manufacturer approval, which sometimes takes months or years
- Endpoint protection cannot be installed because the manufacturer does not allow it or device performance would suffer
- Network segmentation is the most important compensating measure to isolate unpatched devices
- Manufacturer support is critical: Contractually clarify how quickly the manufacturer provides security updates and what compensating measures they recommend
24/7 Availability Without Exception
Hospitals and laboratories providing emergency care cannot simply shut down systems for maintenance. A CT scanner needed at 3 AM must function at 3 AM. Laboratory devices analyzing emergency blood counts cannot have maintenance windows.
For NIS2 implementation, this means:
- Redundancy is not optional but essential for survival. Critical systems must be designed redundantly so one system can be maintained while the other continues operations.
- Rolling updates instead of big-bang patches. Security updates are applied to one device while the backup device ensures operations.
- Emergency operating procedures must work without IT. What happens when the Laboratory Information System (LIS) fails? Can results be documented and transmitted manually?
Patient Data as a High-Value Target
Health data is worth significantly more on underground markets than credit card data. Commonly cited figures put a stolen credit card at USD 5 to 10, while a complete health record (name, date of birth, insurance number, diagnoses, medication) can fetch USD 200 to 1,000, because it supports identity theft, insurance fraud, and extortion.
For laboratories, there's an additional factor: Analysis results can be relevant for insider trading (for instance, if a laboratory conducts clinical trials for publicly listed pharmaceutical companies) or for extortion (manipulation of test results).
Connected Medical Technology and IoT
The increasing networking of medical devices (Internet of Medical Things, IoMT) significantly expands the attack surface. Infusion pumps controlled via WiFi. Patient monitors that send data to the central monitoring station. Laboratory devices that automatically transmit results to the LIS. Each of these devices is a potential entry point.
Typical vulnerabilities: hard-coded access credentials, unencrypted communication (HL7 v2 over MLLP without TLS, DICOM without the TLS-based security profiles from DICOM Part 15), missing authentication, and rare firmware updates.
NIS2 Measures for Healthcare
The ten minimum measures from Article 21 apply without restriction. Some require healthcare-specific adaptations.
Risk Analysis: Patient Safety as the Guiding Criterion
In healthcare, a fourth criterion is added to the classic risk assessment (confidentiality, integrity, availability): patient safety. A system failure that is an inconvenience in an office business can be life-threatening in a hospital or laboratory.
The risk analysis must therefore answer the following questions:
- Which systems are directly or indirectly involved in patient care?
- What happens if this system fails? Can patients be harmed?
- How long can clinical operations be maintained without this system?
- Are there manual fallback procedures, and are staff trained in them?
Risk prioritization must place the patient safety criterion above purely economic considerations. A system whose failure could endanger a patient always takes precedence over a system whose failure would only cause financial damage.
Network Segmentation: Isolating Medical Devices
The most important technical measure in healthcare is consistent network segmentation. Medical devices that cannot be patched must be operated in isolated network segments that allow only the minimally necessary connections.
Recommended network zones:
| Zone | Systems | Security Level |
|---|---|---|
| Clinical network | HIS/LIS, clinical workstations, report servers | High (access control, encryption) |
| Medical device zone | MRI, CT, laboratory line, analysis devices | Very high (maximum isolation, only necessary connections) |
| Office network | Administration, email, internet | Standard (firewall, endpoint protection) |
| IoMT zone | Patient monitors, infusion pumps, wearables | Very high (separate VLANs, gateway-based communication) |
| DMZ | Web servers, patient portals, interfaces to external partners | High (WAF, IDS/IPS) |
| Guest WiFi | Patients, visitors | Strictly isolated, no access to internal systems |
Between zones, only defined services communicate over defined ports and protocols. Everything else is blocked and logged.
Incident Response: Maintaining Clinical Operations
The incident response plan in healthcare differs in one respect: the top priority is not rapid IT recovery but maintaining patient care. This sounds trivial but has practical consequences.
When a ransomware attack encrypts the Laboratory Information System, the first question is not "How do we restore the LIS?" but "How do we ensure that emergency laboratory results continue to be produced and delivered to treating physicians?" IT recovery runs in parallel, but clinical emergency operations take precedence.
Specific elements of the incident response plan:
- Clinical emergency operations plan: Defined for each department, how care continues without IT
- Prioritized recovery sequence: Life-sustaining systems > diagnostics > documentation > administration
- Communication with regulatory authorities: BSI early warning (24h), incident notification (72h) and final report (1 month); data protection authority (72h when patient data is affected); potentially the responsible health authority
- Notification of referring institutions: When a hospital can no longer accept emergencies, the emergency dispatch center and surrounding hospitals must be immediately informed
Staff Training: Including Clinical Personnel
In healthcare, the training challenge is particularly large. Physicians, nurses, and medical-technical assistants are highly qualified in their field, but IT security is rarely part of their training. At the same time, they work under high time pressure, which increases susceptibility to phishing and social engineering.
Training concept for healthcare:
- Short and practical: 30-minute modules instead of full-day seminars. Clinical staff don't have time for long training sessions.
- Case studies from healthcare: Not abstract IT scenarios but concrete examples like "Phishing email disguised as a laboratory report" or "USB stick found containing alleged patient data."
- Integration into existing continuing education: Integrate NIS2-relevant content into the already mandatory training sessions (hygiene, fire safety, data protection).
- Specialized training for IT staff: Deep dives on OT security (medical devices), HL7/FHIR security, DICOM hardening.
Practical Example: Medical Laboratory with 70 Employees
Let's look at how a mid-market laboratory can approach NIS2 implementation.
Starting Position:
BioAnalytica GmbH (fictitious example) is a medical laboratory based in Hesse. 70 employees, EUR 12 million annual revenue. The laboratory offers a broad spectrum of laboratory diagnostics: clinical chemistry, hematology, microbiology, immunology, and molecular diagnostics. Clients are private practice physicians, hospitals, and other laboratories.
The IT and laboratory infrastructure:
- Laboratory Information System (LIS): Swisslab (on-premise, two servers in high-availability cluster)
- Analysis devices: 25 different laboratory devices from 8 manufacturers (Roche, Siemens Healthineers, Abbott, Beckman Coulter, bioMerieux, Hologic, Illumina, QIAGEN)
- Middleware: Communication layer between LIS and analysis devices
- Sample management: Automated sample distribution and pre-analytics
- Server infrastructure: 4 physical servers (2x LIS cluster, 1x file server/AD, 1x backup)
- Workstations: 35 PCs (laboratory and administration)
- Communication: Microsoft 365, fax (yes, still), laboratory portal for submitters
- Interfaces: HL7 connections to 120 submitter practice systems, connections to 3 hospitals, connection to the telematics infrastructure (TI)
IT is managed by an IT manager and a system administrator. An external IT system house handles server maintenance and network management. An ISMS does not exist. DSGVO (GDPR) requirements are covered by an external Data Protection Officer, but technical measures are not systematically documented.
Phase 1: Assessment and Regulatory Classification (Months 1-2)
Applicability analysis: BioAnalytica falls under NIS2 with 70 employees and EUR 12 million revenue. Healthcare sector (laboratory) is in Annex I. Classification: important entity.
Regulatory assessment: BioAnalytica is subject to the following regulatory frameworks in addition to NIS2:
- DSGVO (GDPR) (health data, Art. 9)
- Medical device law (the IVDR for in-vitro diagnostic devices and, as operator, the German MPDG and MPBetreibV)
- German Medical Association Quality Assurance Guideline (RiliBaeK)
- Data protection requirements of the Association of Statutory Health Insurance Physicians
- Telematics infrastructure requirements (gematik)
The risk analysis and action planning must consider all these requirements in an integrated manner. One advantage: Many requirements overlap, so a single measure often fulfills multiple compliance objectives simultaneously.
Appoint CISO: The IT manager takes on the CISO role at 50% time allocation. Since the laboratory already has an external Data Protection Officer, CISO and DPO will work closely together to leverage overlaps and avoid duplication.
Create asset inventory:
| Category | Count | Most Critical Asset |
|---|---|---|
| Laboratory devices | 25 | Roche cobas 8000 (main analysis device for clinical chemistry) |
| Servers | 4 | LIS cluster (Swisslab) |
| Workstations | 35 | LIS workstations in the laboratory |
| Network | 12 | Core switch, firewalls, WLAN |
| Interfaces | 123 | HL7 connections to submitter practices |
| Middleware | 2 | Communication servers laboratory devices-LIS |
| Cloud services | 3 | Microsoft 365, laboratory portal, TI connector |
Key finding: Of the 25 laboratory devices, 8 run on Windows 7 Embedded or older. The Roche cobas 8000 (built 2017) runs on Windows 7, and Roche has not offered an OS migration for this generation. Three older devices run on Windows XP Embedded.
Phase 2: Risk Analysis (Months 3-4)
The risk analysis considers both IT security risks and the impact on patient care. In ISMS Lite, the patient safety criterion can be mapped as a fourth dimension in the risk assessment and prioritization adjusted accordingly.
| Risk | Impact on Operations | Impact on Patients | Rating |
|---|---|---|---|
| Ransomware encrypts LIS | Laboratory operations halt | Emergency diagnostics unavailable | Critical |
| Compromise of patient data | GDPR + NIS2 reporting obligation, reputational damage | Data protection violation | Critical |
| Laboratory device (Win XP) as entry point | Lateral movement into network | Manipulated results conceivable | High |
| Manipulation of laboratory results | False reports are sent | Direct patient endangerment | Critical |
| Failure of HL7 interfaces | Results don't reach submitters | Delayed diagnoses | High |
| Compromise of laboratory portal | Unauthorized access to reports | Data protection violation | High |
| TI connector compromised | Access to health network | Data exfiltration possible | Medium |
Identified as particularly critical: The integrity of laboratory results. If an attacker manipulates analysis values, physicians can make wrong diagnoses and initiate wrong therapies. This risk is treated with the highest priority.
Phase 3: Technical Measures (Months 5-8)
Network segmentation (Months 5-6): The network is divided into security zones:
- Laboratory zone: Analysis devices, middleware, sample automation. Strictly isolated, only defined connections to the LIS via middleware.
- LIS zone: LIS servers, LIS workstations. Access only from the laboratory zone (via middleware), from authorized workstations, and through defined interfaces.
- Interface zone (DMZ): HL7 gateway, laboratory portal, TI connector. Controlled data traffic inbound and outbound.
- Office zone: Administration, email, internet. No direct access to laboratory or LIS zone.
- Management zone: Server management, backup, monitoring. Accessible only to IT staff.
The laboratory devices running Windows XP or Windows 7 are placed in their own micro-segment. Firewall rules allow exclusively communication with the middleware over the HL7/MLLP port (TCP 2575). No internet access, no access to file servers or email, and every denied connection attempt is logged.
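Segmentation is only as good as its enforcement, so it is worth checking observed traffic against the intended zone model. The following is an added example, not part of the original article and not any vendor's tooling: it maps flow records (as exported from the core firewall or a NetFlow collector) to zones and reports every flow that is neither intra-zone nor on the allow-list. The zone CIDRs, the allow-list entries and the flow records are constructed assumptions for the fictitious BioAnalytica network.

```python
"""Check observed network flows against the intended zone model.

Added example (not from the original article). Zones, CIDRs, the
allow-list and the sample flows are constructed assumptions for the
fictitious BioAnalytica network, not a real configuration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing: one /24 per zone. The Win XP / Win 7 analyzers sit in
# a dedicated micro-segment; the middleware gets its own subnet so the rule
# "legacy devices talk to middleware only" can be expressed per zone.
ZONES = {
    "lab_legacy": ipaddress.ip_network("10.10.1.0/24"),   # Win XP / Win 7 analyzers
    "lab":        ipaddress.ip_network("10.10.2.0/24"),   # current analyzers, sample automation
    "middleware": ipaddress.ip_network("10.10.3.0/24"),
    "lis":        ipaddress.ip_network("10.20.0.0/24"),
    "dmz":        ipaddress.ip_network("10.30.0.0/24"),   # HL7 gateway, lab portal, TI connector
    "office":     ipaddress.ip_network("10.40.0.0/24"),
    "mgmt":       ipaddress.ip_network("10.50.0.0/24"),
}
MLLP = 2575  # IANA-registered port for HL7 v2 over MLLP

# Intended policy: (source zone, destination zone, protocol, port).
# Anything not listed is a violation ("everything else is blocked and logged").
ALLOW = {
    ("lab_legacy", "middleware", "tcp", MLLP),
    ("lab",        "middleware", "tcp", MLLP),
    ("middleware", "lis",        "tcp", MLLP),
    ("lis",        "dmz",        "tcp", MLLP),   # results out to the HL7 gateway
    ("dmz",        "lis",        "tcp", MLLP),   # orders in from submitters
    ("mgmt",       "lab_legacy", "tcp", 3389),   # IT staff remote maintenance only
    ("mgmt",       "lis",        "tcp", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside known ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def check_flow(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for a single flow."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return True, f"intra-zone {s}"
    if (s, d, flow.proto, flow.dport) in ALLOW:
        return True, f"{s}->{d} {flow.proto}/{flow.dport} permitted"
    return False, f"{s}->{d} {flow.proto}/{flow.dport} not in allow-list"


def find_violations(lines: list[str]) -> list[tuple[Flow, str]]:
    """Return every flow (with reason) that the zone model does not permit."""
    out = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        ok, reason = check_flow(flow)
        if not ok:
            out.append((flow, reason))
    return out


# Constructed sample export. 203.0.113.10 is a documentation address standing
# in for an arbitrary internet host.
SAMPLE_FLOWS = """
# src           dst            proto dport
10.10.1.15      10.10.3.10     tcp   2575
10.10.3.10      10.20.0.5      tcp   2575
10.10.1.15      203.0.113.10   tcp   443
10.40.0.77      10.20.0.5      tcp   1433
10.10.1.15      10.40.0.20     tcp   445
10.50.0.3       10.10.1.15     tcp   3389
""".strip().splitlines()

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

On the constructed sample the script flags three flows: a legacy analyzer reaching the internet on 443, an office PC talking to the LIS database port, and a legacy analyzer reaching an office SMB share. Because the check only sees flows that actually occurred, it complements rather than replaces a review of the firewall rule base; run it periodically against real exports to catch rules that drifted after a maintenance window.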
Integrity protection for laboratory results (Months 6-7): Additional protective measures are implemented for the integrity of laboratory results:
- Digital signatures on reports in the LIS
- Audit trail for all changes to results (who changed what when)
- Plausibility checks: Automatic alerting for results outside defined ranges
- Comparison between the value sent by the analysis device and the value received in the LIS (detection of manipulation in transit)
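The last two bullet points, the device-to-LIS comparison and the plausibility check, can be implemented together at the interface. The following is an added example, not code from the article or from any LIS or analyzer vendor: the sending side attaches a message authentication code per result to an ORU^R01 message, and the LIS recomputes it and runs the plausibility check before releasing the result. The sample message, the ZRI segment used to carry the MAC, the shared key and the critical limits are constructed assumptions. HMAC-SHA256 from the standard library stands in for the digital signature the article mentions so that the script runs offline.

```python
"""Integrity check for HL7 v2 laboratory results between analyzer and LIS.

Added example, not code from the article or from any LIS/analyzer vendor.
The ORU^R01 message, the ZRI segment carrying the per-result MAC, the
shared key and the critical limits are constructed assumptions. HMAC-SHA256
from the standard library stands in for the digital signature the article
describes; a production deployment would use an asymmetric signature so the
LIS itself cannot forge analyzer output.
"""
import hashlib
import hmac
import re

SHARED_KEY = b"constructed-demo-key-rotate-in-production"

# Assumed critical limits per LOINC code (mmol/L): outside these, a physician
# is alerted even when the message is authentic.
CRITICAL = {"2823-3": (2.8, 6.0), "2345-7": (2.5, 25.0)}  # potassium, glucose


def segments(message: str) -> list[list[str]]:
    """Split an HL7 v2 message into segments and pipe-delimited fields."""
    return [seg.split("|") for seg in re.split(r"\r\n?|\n", message) if seg]


def parse_results(message: str) -> tuple[str, list[dict]]:
    """Return (placer order id from OBR-2, one dict per OBX segment)."""
    order_id, results = "", []
    for f in segments(message):
        if f[0] == "OBR":
            order_id = f[2]
        elif f[0] == "OBX":
            code, name = f[3].split("^")[:2]
            results.append({"set_id": f[1], "code": code, "name": name,
                            "value": f[5], "units": f[6], "ref_range": f[7]})
    return order_id, results


def result_mac(order_id: str, r: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC over the clinically relevant fields in a fixed order."""
    canon = "|".join([order_id, r["set_id"], r["code"], r["value"], r["units"]]).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def attach_macs(message: str, key: bytes = SHARED_KEY) -> str:
    """Analyzer/middleware side: append one ZRI segment per OBX."""
    order_id, results = parse_results(message)
    zri = [f"ZRI|{r['set_id']}|{result_mac(order_id, r, key)}" for r in results]
    return message.rstrip("\r\n") + "\r" + "\r".join(zri)


def plausibility(r: dict) -> str:
    """Return 'ok', 'abnormal' (outside reference range) or 'critical'."""
    value = float(r["value"])
    lo, hi = (float(x) for x in r["ref_range"].split("-"))
    clo, chi = CRITICAL.get(r["code"], (float("-inf"), float("inf")))
    if value < clo or value > chi:
        return "critical"
    return "ok" if lo <= value <= hi else "abnormal"


def verify_message(message: str, key: bytes = SHARED_KEY) -> list[dict]:
    """LIS side: check each OBX against its ZRI MAC, then run plausibility."""
    order_id, results = parse_results(message)
    macs = {f[1]: f[2] for f in segments(message) if f[0] == "ZRI"}
    findings = []
    for r in results:
        expected = result_mac(order_id, r, key)
        mac_ok = hmac.compare_digest(expected, macs.get(r["set_id"], ""))
        plaus = plausibility(r)
        action = ("reject+alert" if not mac_ok
                  else "notify physician" if plaus == "critical" else "release")
        findings.append({"set_id": r["set_id"], "test": r["name"], "value": r["value"],
                         "mac_ok": mac_ok, "plausibility": plaus, "action": action})
    return findings


def tamper(message: str, set_id: str, new_value: str) -> str:
    """Simulate an attacker rewriting one OBX value in transit."""
    out = []
    for f in segments(message):
        if f[0] == "OBX" and f[1] == set_id:
            f[5] = new_value
        out.append("|".join(f))
    return "\r".join(out)


# Constructed ORU^R01 (HL7 v2.5) as an analyzer would send it to the LIS.
ORU = "\r".join([
    r"MSH|^~\&|COBAS|LAB|SWISSLAB|LAB|20250303101500||ORU^R01|MSG0001|P|2.5",
    "PID|1||PAT12345||Mustermann^Erika||19700101|F",
    "OBR|1|ORD987||CHEM^Clinical chemistry|||20250303100000",
    "OBX|1|NM|2823-3^Potassium^LN||4.1|mmol/L|3.5-5.1|N|||F",
    "OBX|2|NM|2345-7^Glucose^LN||5.6|mmol/L|3.9-5.6|N|||F",
])

if __name__ == "__main__":
    signed = attach_macs(ORU)
    for finding in verify_message(signed):
        print("authentic:", finding)
    for finding in verify_message(tamper(signed, "1", "6.9")):
        print("tampered: ", finding)
```

In the tampered run the potassium value changed from 4.1 to 6.9 fails its MAC and is rejected; the unchanged glucose result still verifies. A per-result MAC detects a changed value but not a deleted or reordered OBX, so add a message-level MAC over all results (or at least the expected result count) to cover that, and include the order identifier, as done here, so an old authentic result cannot be replayed onto a different order. A MAC failure should feed the audit trail and the incident process as a security event, not be handled as a transient interface error.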
MFA and access control (Month 6): MFA is introduced for all external access (VPN, laboratory portal administration, Microsoft 365) and all privileged accounts. For LIS workstations in the laboratory, chip card-based authentication is implemented (compatible with the electronic health professional card).
Backup and recovery (Month 7): The existing backup is expanded with offline backups. Recovery times are tested and documented:
- LIS: RTO 2 hours (high-availability cluster covers most failure scenarios, backup restore as fallback)
- Laboratory device configurations: Backup of all device configurations and calibration data at least annually and after every configuration change
- HL7 interface configurations: Documented and versioned, recovery in 4 hours
Vulnerability management (Months 7-8): For IT systems, a regular patch cycle is established. For laboratory devices, a differentiated approach is followed:
| Device Category | Patch Strategy |
|---|---|
| Devices with current OS (Win 10/11) | Patches after manufacturer approval, quarterly |
| Devices with end-of-life OS (Win 7) | Compensating measures (segmentation, monitoring), no patching |
| Devices with Win XP | Maximum isolation, access only via middleware, planned replacement within 2 years |
| Devices without Windows | Firmware updates after manufacturer approval, otherwise network isolation |
Phase 4: Organizational Measures (Months 8-10)
Training program:
- All employees: 30-minute online module on cyber hygiene, integrated into annual mandatory training
- Laboratory staff (MTA, BTA): Additional training on secure use of laboratory devices, reporting channels for unusual system behavior, handling USB sticks and data carriers
- IT team: Deep dive on HL7/FHIR security, medical device network security, incident response
- Executive management: NIS2 obligations, personal liability, approval role, interplay of NIS2/GDPR
- External DPO: Integration into the ISMS, coordination of reporting processes
Supplier assessment: BioAnalytica identifies 15 critical suppliers:
| Supplier | Special Requirements |
|---|---|
| Roche (analysis devices) | Patch policy, remote maintenance security, lifecycle planning |
| Siemens Healthineers | Same as above |
| Swisslab (LIS vendor) | Security certification, SLA including security response times |
| External IT service provider | Security questionnaire, NIS2 clauses in contract |
| Microsoft (M365) | Compliance documentation available (SOC 2, ISO 27001) |
| Laboratory portal hoster | Hosting location, encryption, backup, availability |
| gematik/TI provider | Review security architecture of TI connection |
Particularly important is the assessment of laboratory device manufacturers. BioAnalytica clarifies with each manufacturer:
- Which operating system versions are currently supported?
- How quickly are security updates provided?
- What compensating measures does the manufacturer recommend for end-of-life devices?
- Is there a migration path to current operating systems?
- What requirements exist for the network environment?
Business continuity plan: The emergency operations plan defines manual fallback procedures for each area:
| System | RTO | Manual Procedure |
|---|---|---|
| LIS | 2 hours (cluster failover) / 8 hours (backup restore) | Document results on paper, transmit to submitters by phone/fax |
| Analysis devices | Device-dependent | Individual devices can often operate standalone |
| HL7 interfaces | 4 hours | Report transmission via fax/laboratory portal manually |
| Laboratory portal | 8 hours | Reports via fax or encrypted email |
The plan is tested in a tabletop exercise. Scenario: Ransomware attack on Monday morning, LIS unavailable, 200 samples waiting for analysis. Result: Emergency operations with manual result transmission work, but throughput drops to approximately 30% of normal operations. Prioritization by medical urgency (emergency samples first) is incorporated into the procedure.
Phase 5: Audit and Continuous Improvement (Months 10-12)
Internal audit: Systematic review of all NIS2 minimum measures, plus alignment with GDPR requirements and RiliBaeK.
Audit findings:
- Three laboratory devices on Windows XP have no replacement plan (corrective action: request budget for device replacement within the next 18 months)
- Fax communication is unencrypted (accepted residual risk: fax is still established in medical communication, although several German data protection authorities now question its use for health data without additional safeguards, so a migration path to encrypted channels is defined)
- Two HL7 connections to submitter practices run unencrypted (corrective action: introduce TLS encryption, inform submitters)
Management review: Executive management approves the residual risk catalog, the budget for the following year (focus: replacement of Windows XP devices), and the training plan.
Budget Overview
| Item | One-time (Year 1) | Annual (from Year 2) |
|---|---|---|
| External consulting (ISMS setup) | EUR 30,000-45,000 | EUR 8,000-12,000 |
| Network segmentation (hardware + configuration) | EUR 15,000-25,000 | EUR 2,000-3,000 |
| Backup expansion | EUR 5,000-10,000 | EUR 2,000-3,000 |
| MDM/MFA | EUR 3,000-5,000 | EUR 2,000-3,000 |
| Training | EUR 5,000-8,000 | EUR 3,000-5,000 |
| CISO time allocation (internal) | EUR 30,000-35,000 | EUR 30,000-35,000 |
| Total | EUR 88,000-128,000 | EUR 47,000-61,000 |
Not included are costs for replacing end-of-life laboratory devices, as these must be accounted for in the regular investment plan anyway. However, NIS2 requirements accelerate the replacement, which impacts the investment budget for the next two to three years. Tool costs can be kept low: ISMS Lite covers all ISMS modules for EUR 500 per year, without seat licenses or hidden costs.
Particular Challenges and Solutions
Collaboration Between CISO and DPO
In healthcare, the Information Security Officer and Data Protection Officer necessarily work closely together. Both deal with protecting patient data but from different perspectives. The CISO considers the security of systems and data comprehensively; the DPO focuses on protecting personal data and the rights of data subjects.
Recommendation: Conduct joint risk analysis, maintain separate responsibilities. The DPIA can serve as input for the NIS2 risk analysis and vice versa. Set up reporting processes (BSI and data protection authority) in parallel but define the trigger jointly.
Dealing with Manufacturer Dependency
In healthcare, you are more dependent on the manufacturer for medical devices than in most other industries. You cannot simply patch a laboratory device or change its network configuration yourself without jeopardizing the certification.
Solution approach: Include cybersecurity requirements in procurement criteria from the outset. When purchasing a new laboratory device, negotiate simultaneously: guaranteed patch delivery within defined timeframes, operating system migrations within the lifecycle, documented security architecture, and support for network integration.
What You Should Do Now
If you work in healthcare and need to implement NIS2, the following first steps are recommended:
- Inventory applicability and existing regulation. Which requirements do you already meet through GDPR, B3S, MDR, or other frameworks? NIS2 doesn't start from a blank slate but supplements existing obligations.
- Create a medical device inventory. Which devices run on which operating systems? Which are networked? Which have remote maintenance access? This inventory is the foundation for the risk analysis.
- Review network segmentation. Are medical devices in their own network segments? Are there uncontrolled connections between laboratory/clinic and office? Segmentation is the single most effective measure for protecting legacy devices.
Healthcare has a special responsibility in NIS2 implementation that goes beyond mere compliance. It's not just about fines and liability but about protecting patients. An ISMS that takes this aspiration seriously is more than a regulatory exercise — it's a contribution to patient safety.
Further Reading
- NIS2 for SMEs: What You Need to Know and What to Do Now
- NIS2 Reporting Deadlines at a Glance: 24h, 72h, 1 Month — What's Due When
- Risk Assessment in the ISMS: Methods, Criteria, and Practical Examples
- Protection Needs Assessment: How to Determine the Protection Requirements of Your Assets
- Documenting TOMs: Technical and Organizational Measures Under GDPR
