Care facilities

Without a NIS2 requirement — still a common target for attacks

Cybersecurity for care facilities

Inpatient care, outpatient services and home care are not explicitly covered by NIS2 — but have been among the most affected sectors for years. We deliver a lean security program of awareness training, phishing simulations, vulnerability management, and 24/7 monitoring — built for distributed locations, mobile devices, and tight IT budgets.

THE REALITY

Unregulated — no less at risk.

Care providers process highly sensitive health and social data, coordinate distributed care staff via mobile devices, and usually have very lean IT. Attackers know this: care organizations have been among the most consistently targeted sectors for years — and the GDPR consequences of an incident are severe regardless of NIS2 status.

14,000

inpatient and outpatient care services in Germany — often with an IT infrastructure that is not sized to cope with the threat landscape.

€20 million

GDPR fine cap for violations of Article 9 (health data) — regardless of whether NIS2 applies.

Days to weeks

Average downtime caused by ransomware in care facilities — with a direct impact on staffing schedules, billing, and care documentation.

Sources: Federal Statistical Office care statistics · GDPR Art. 83(5) · industry surveys.

Regulatory context

No NIS2 — instead GDPR, SGB XI, and increasingly contractual and insurance requirements.

According to the current interpretation, care facilities do not fall directly within the scope of NIS2. But that does not mean cybersecurity is optional: health and social data are specially protected data under Article 9 of the GDPR; in addition, social secrecy under Section 35 of Book I of the Social Code (SGB I) and social data protection under Sections 67–85a of Book X of the Social Code (SGB X) apply — with strict requirements for technical and organizational measures.

01 · GDPR Art. 9 & 32

Protection of health data

Care data are special categories of personal data (Art. 9 GDPR). Art. 32 GDPR requires appropriate technical and organizational measures. Fines for violations: up to €20 million or 4% of annual turnover. In the event of a breach, reporting obligations under Art. 33 (72 hours to the supervisory authority) and Art. 34 GDPR (notification of affected individuals) apply.

02 · Social Code Book XI

Quality and data protection requirements

The German Social Code Book XI (SGB XI) requires care facilities to implement quality management (§ 113 SGB XI) and to protect care documentation. Digital care documentation, electronic MDK reports and billing data must be secured against unauthorized access. The MD (Medical Service) is increasingly also reviewing IT-related aspects as part of the quality inspection.

03 · Contract requirements

Insurer, payer, parent company

Even without a direct NIS2 obligation, the practical pressure is growing: cyber insurers require documented awareness training and vulnerability management as a condition of coverage. Long-term care insurers and public contracting authorities are increasingly requiring ISMS evidence in tenders. Care chains with a parent company are often subject to group-wide security policies with NIS2-like depth.

Legal sources: GDPR Arts. 9, 32, 33, 34, 83 · § 35 SGB I (social confidentiality) · §§ 67–85a SGB X (social data protection) · § 113 SGB XI · BSI recommendations for care facilities.

TYPICAL ATTACK SCENARIOS

Why care providers are affected so often.

Distributed locations, shift work, high staff turnover, mobile devices in clients' homes — all of this creates an attack surface that does not exist in traditional enterprise environments. The patterns are predictable — and addressable.

OUR SOLUTIONS

A tiered security program for distributed care facilities.

You don’t need everything at once. We typically start with awareness and phishing simulation — this covers the most common attack vector and immediately provides insurance and audit evidence. Vulnerability management and the Managed SOC build on that once it makes sense.

Continuous training

Phishing Simulation as a Service

Monthly campaigns with care-related hooks — shift schedule updates, payroll emails, training sign-ups. Click-through and report rates are the only hard proof that awareness really gets through.

Employee Resilience

Security Awareness Training

Micro-modules lasting 1–5 minutes, available on smartphone and tablet. Perfect for shift handovers and team meetings. Progress is automatically documented — important for insurance, MD audits, and proof of GDPR compliance under Article 32.

Know the attack surface

Vulnerability Management

Cross-site discovery across all care facilities, clients, servers, and mobile devices. Focus on the typical vulnerabilities in decentralized environments: missing patches, open RDP ports, weak VPN configurations.

24/7 Managed SOC

Incident Detection & Response

Central monitoring of all locations without an on-site security team. Rapid containment in the event of ransomware, account takeover, or supply chain attacks. Prepared GDPR notification documents under Article 33 — so you can handle a breach without chaos.

WHY ENTROPY CS

Security that works in shift operations.

Care is a business with tight margins and chronic staff shortages. Any security measure that noticeably takes time away from care will fail. Our approach is designed to make security largely invisible.

Compactly sized

We don’t build enterprise architectures. Our package for care facilities is intentionally lean, focused on the truly critical risks — and affordable in the low to mid five-figure range per year.

Documentation for MD and insurers

Every measure produces evidence that you can use directly in MD quality audits, insurance applications, and tenders — without having to prepare anything yourself.

Care vocabulary, not tech vocabulary

Awareness content is written in the language of care — route planning, nursing documentation, MDK reporting, medication. No abstract security terms, no enterprise metaphors.

Answers specifically for care facilities.

The questions we regularly hear from facility managers, nursing service managers, and IT managers in care chains and individual locations.

NIS2 does not apply to us — why should we invest anyway?

Our care software runs as a cloud service. Isn't our provider automatically secure?

We have dozens of locations. Can you protect them all at the same time?

How does awareness work for employees without their own company account?

How much does that cost for a typical care facility?

Does this go over well with our care staff, or does it seem contrived?

FREE RISK ASSESSMENT

30 minutes. An honest picture of your security posture.

Every conversation begins with a free risk assessment — 30 minutes, no obligation. You will then receive a written report with your cybersecurity maturity level, risk areas, and immediate measures.