Healthcare: Combating Cyber Infections with Digital Hygiene

Nov 17, 2025 Audit

The digital interconnection of the healthcare sector and outpatient care is challenging information security along treatment chains. IT systems are becoming more open and permeable for the exchange of patient data. At the same time, the risks posed by complex cyberattacks are increasing significantly. How can security measures keep pace?

After the introduction of electronic data processing in Germany’s pension insurance system 60 years ago, the digitalization of the healthcare sector is the second major structural transformation in social administration. More than 1,850 hospitals, 140,000 medical and dental practices, and 17,000 pharmacies are connected to the platform for digital health applications: the telematics infrastructure (TI) operated by gematik GmbH. Since January 2025, the rollout of the electronic patient record (ePA) has been underway, initiated by the Act to Accelerate the Digitalization of Healthcare (Digital Act, DigiG). Already, 70 million ePA accounts have been created. Those with statutory health insurance can upload medical documents via their insurer’s app, view medication lists, or share personal health data with authorized individuals.
The electronic prescription for prescription-only medications is further driving digital structural change. In 2024, the first year after its introduction, 500 million e-prescriptions were redeemed. In addition, the Hospital Reform Act (KHVVG), which came into force in 2025, promotes the expansion of outpatient care models, leading to even greater interconnection of information systems.

Exchange of Sensitive Personal Data

Whether via the telematics infrastructure (TI), hospital information systems (HIS), practice management systems (PMS), or the integration of medical devices into outpatient structures, future patient care will largely depend on the exchange of sensitive personal data. As a result, the healthcare sector is increasingly coming into focus for cybercriminals who deliberately interfere with data infrastructures and, for example, encrypt systems to extort high ransom payments. Such attacks usually result in massive costs for restoring IT systems. According to Germany’s Federal Ministry of the Interior, across industries even small businesses with ten employees incur average damages of €250,000.

Prevention Through Digital Hygiene

Organized cybercriminals operate in a highly professional manner. Using AI models, they identify vulnerabilities on a massive scale in order to spread malware through security-critical nodes within affected IT systems. Hospitals, laboratories, and medical practices are particularly at risk. Their computer systems and software solutions are often legacy systems that have grown over many years. These applications have proven reliable for years, are deeply integrated into operations, and are indispensable. However, they pose significant security risks if manufacturers no longer provide sufficient updates. In addition, staff shortages make it difficult to modernize data-processing systems.
To keep pace with cyberthreats, a strategy of digital hygiene aimed at ensuring the security, availability, and resilience of patient data is essential. It should be given the same preventive priority as medical hygiene. Digital hygiene thus not only protects devices and data but, through the smooth functioning of IT system architecture, above all safeguards patients. Frankfurt University Hospital, after detecting an attack attempt comparatively early, was still able to protect its patient data but nevertheless had to go offline for more than six months and completely rebuild its IT landscape.

Ransomware Attacks and Social Engineering

Germany’s Federal Office for Information Security (BSI) is observing a significant spread of malware in outpatient medical facilities in particular, used to encrypt IT systems and subsequently extort ransom payments (ransomware attacks). According to the Sophos Ransomware Report 2025, most affected organizations are able to restore their data from backups within about a week. However, nearly half of them pay ransoms averaging one million US dollars.
In addition to ransomware attacks, so-called social engineering is spreading as an increasingly threatening form of data theft. This method targets individuals directly. Cybercriminals manipulate employees, for example via career portals, by initiating seemingly trustworthy contact to obtain sensitive company information, bypass security barriers, or install malware. Data can thus be stolen, sold, or used for further attacks without this being noticed at first.

Robust Protection Concepts Take Operational Assets into Account

Critical risk situations arise when organizations do not regularly inform their employees about key security risks and appropriate protective measures. Risk analyses, professional training, and technical measures must therefore go hand in hand. The foundation of robust cybersecurity consists of identifying data and processes that are particularly critical for medical care and patient safety. All security-relevant data-processing systems must be identified and analyzed, including whether they are separated or segmented from one another. Key questions also include which departments use them and whether data are provided locally via in-house servers or by external providers (cloud services). All operational assets - such as data, components, storage locations, and premises - must be recorded in order to monitor them actively and, in the spirit of digital hygiene, literally prevent the spread of infections.

Regulatory Requirements for Cybersecurity

While hygiene concepts and safety routines are essential for preventing infection risks, checklists alone are not sufficient to address the complexity of virulent cyber infections. Instead, an Information Security Management System (ISMS) is suitable for defense. This risk-based management approach is not limited to IT system security but encompasses all critical data-processing procedures, business processes, employee expertise, and the protection of physical and virtual locations, including workplaces. This allows the technical and organizational protection objectives to interlock.
So far, the IT Security Acts of 2015 (IT-SiG 1.0) and 2021 (IT-SiG 2.0), as well as the BSI Critical Infrastructure Ordinance (BSI-CRITIS Regulation), require operators of critical infrastructures - such as large hospitals, major laboratories, or hospital pharmacies - to establish and continuously develop an ISMS. IT-SiG 2.0 refers in this context to attack detection systems (SzA) as “processes supported by technical tools and organizational integration for detecting attacks on information technology systems.” CRITIS operators in the healthcare sector comply by applying industry-specific security standards, such as B3S Healthcare in Hospitals, B3S Pharmaceuticals, or B3S Laboratory Diagnostics, and by undergoing a CRITIS audit. Proof of the audit is then submitted to the BSI.

NIS2 Directive to Strengthen Cybersecurity

As digital interconnection along treatment chains continues to grow, regulatory requirements for information security across the healthcare sector are also increasing. The group of entities treated as critical infrastructure is no longer limited to the CRITIS sector alone but is significantly expanded by the new NIS2 Directive aimed at strengthening cybersecurity. The EU framework has been in force since October 2024; however, Germany’s legislative process to transpose the directive into national law has not yet been completed (as of October 2025). NIS2 expands the scope of critical infrastructures to include so-called “important entities” and “essential entities,” covering around 30,000 companies in Germany. These include, for example, large healthcare providers with statutory health insurance mandates, laboratory networks, and diagnostic service providers.
Entities affected by NIS2 must secure their IT systems with comprehensive protection concepts. This includes not only technical precautions but also the integration of organizational measures such as risk analysis and security assessments, incident reporting, risk management and corrective measures, and - within the framework of the ISMS - necessary training for executives and specialist staff.

Cybersecurity Is Never Complete – Best Practice

The ISO/IEC 27001:2022 standard has proven itself as a systematic defense concept against cyber threats. At the core of the globally recognized ISMS standard are continuous risk analysis and risk treatment to maintain the confidentiality, integrity, and availability of information assets even in highly dynamic threat environments. Annex A of the standard contains 93 possible technical and organizational measures (controls), including physical security measures and controls for the protection of personal data.
If an ISMS is implemented in accordance with ISO/IEC 27001:2022, additional frameworks with supplementary requirements - for example from the healthcare sector - can easily be integrated. The standard is therefore suitable for both CRITIS and NIS2 environments. Its audit basis is composed of various standards, sources, and regulatory frameworks. The insights gained can in turn be used to derive new security assessments relevant to internal and external stakeholders.
Before the NIS2 requirements come into force in Germany, the measures described in ISO/IEC 27001:2022 and in the draft for the NIS2 Implementation Act (NIS-2-UmsuCG, Chapter 2, §30(2), sentence 2, items 1–10) can be used to establish a robust protection concept. However, not all measures in Annex A of ISO/IEC 27001:2022 must be implemented. The key lies in appropriate organizational and technical precautions to prevent disruptions. Organizations must be able to justify independently why they apply - or do not apply - specific control measures.
Cybersecurity is never complete, not even in the healthcare sector. All service providers should regularly review their implemented and planned measures in order to identify new threats to their data-processing systems at an early stage. Such a strategy, which continuously records and evaluates critical parameters and characteristics of information security during ongoing operations, does more than fulfill due diligence obligations: should a cyberattack nevertheless occur, an effective ISMS contributes significantly to minimizing potential impacts on treatment quality as well as financial consequences and liability risks.