Hospitals

NIS2 + critical infrastructure + § 391 SGB V · triple regulated

Cybersecurity for hospitals

Hospitals face multiple regulatory burdens: critical infrastructure under BSI-KritisV starting at 30,000 inpatient cases, a particularly important entity under NIS2, plus Section 391 of the German Social Code Book V (SGB V) for all hospitals with Section 108 authorization. We provide awareness training, phishing simulations, vulnerability management, and managed detection & response—tailored to 24/7 shift operations, medical technology, and the realities of patient care.

THE REALITY

Hospitals are the most lucrative target — and the most vulnerable.

No other industry has so much sensitive data, so much outdated technology, and so little room for downtime. A ransomware attack on a hospital is not an IT problem — it is a healthcare emergency. Admissions are halted, surgeries are postponed, and ambulances are diverted.

67%

of clinics were the target of a ransomware attack in 2024 — in more than half of these cases, patient care was directly affected.

€4.88 million

average cost of a data breach in healthcare — the highest among all industries, for the 14th year in a row.

threefold

Regulatory burden: NIS2 obligations, KRITIS compliance evidence under Section 39 BSIG, and the Section 391 SGB V security guideline in parallel.

Sources: Tolsdorf, Langer, Lo Iacono — ACM CCS '25, Justus Liebig University Giessen · Check Point Research Healthcare Report · NIS2UmsuCG § 30, § 38 BSIG · BSI Situation Report 2025.

Regulatory context

Three regulatory frameworks, one hospital — and you have to comply with all three at the same time.

Unlike in other industries, three separate regulatory frameworks overlap in hospitals. Each has its own scope, its own deadlines, and its own documentation requirements — and each carries significant penalties for noncompliance.

01 · Critical Infrastructure

Critical infrastructure

Hospitals with 30,000 or more inpatient cases per year are considered Critical Infrastructure under the BSI-KritisV. Obligations: registration with the BSI, proof of appropriate security measures under Section 39 of the BSIG (initially after three years, then every two years), reporting of significant IT disruptions, and implementation of the industry-specific security standard B3S.

02 · NIS2

Particularly important entity

Since the NIS2 Implementation Act (in force since 6 December 2025, with no transitional period), hospitals are particularly important entities under Section 28 of the BSIG. Obligations: ten risk management measures under Section 30 of the BSIG, 24-hour/72-hour/30-day reporting under Section 32 of the BSIG, personal liability of management under Section 38 of the BSIG, and fines of up to €10 million or 2% of global annual turnover under Section 65 of the BSIG.

03 · Section 391 SGB V

Hospital-specific IT security

Section 391 of Book V of the German Social Code (SGB V) requires hospitals to take appropriate organizational and technical precautions to prevent IT disruptions. The B3S Hospitals of the DKG serves as the reference. Unlike NIS2, Section 391 of SGB V applies to all hospitals — regardless of case volume and critical infrastructure status.

Legal sources: BSI Act (BSIG) · BSI Critical Infrastructure Ordinance (BSI-KritisV) · NIS2 Implementation and Cybersecurity Strengthening Act of 6.12.2025 · § 391 SGB V · B3S Hospitals (DKG) · IEC 80001-1 (medical device networks).

TYPICAL ATTACK SCENARIOS

The attacks we see in clinics every day.

Hospitals are not attacked indiscriminately — the attack profiles are frighteningly consistent. Those who know the patterns can protect themselves in a targeted way instead of spreading investment broadly.

OUR SOLUTIONS

Four services that together create a security foundation suited to a clinic.

Individual measures are not enough. Awareness without phishing simulation is theory; vulnerability scanners without a SOC produce lists with no response behind them. We combine the four building blocks that jointly address NIS2, KRITIS, and Section 391 of SGB V.

Continuous training

Phishing Simulation as a Service

Monthly, clinic-realistic campaigns — fake applications, lab results, HIS password resets. Measurable improvements in click rate and report rate, directly usable as NIS2 compliance evidence.

Employee Resilience

Security Awareness Training

Annual core course ~20 minutes, quarterly spotlights 1–2 minutes. Role-based content for nursing, physicians, administration, and technology. Directly meets the requirements of NIS2 Art. 21 and § 391 SGB V.

Know the attack surface

Vulnerability Management

Continuous asset discovery, passive detection of medical devices (no active scanning on IoMT — HHS 405(d) best practice), active scanning on IT infrastructure, clinical prioritization instead of CVSS noise, remediation tracking through to the closed vulnerability — and audit-ready evidence for B3S and Section 39 BSIG.

24/7 Managed SOC

Incident Detection & Response

Continuous SIEM monitoring, EDR management, healthcare threat intelligence, and German-speaking analysts. Incident response with clinic-compatible containment logic and prepared NIS2 notifications in accordance with Section 32 of the BSIG.

WHY ENTROPY CS

We build cybersecurity that can withstand everyday clinical operations.

Generic service providers fail when it comes to the unique demands of clinics. We are built for this environment — with the trade-offs that genuinely have to be made between patient safety, availability, and regulatory compliance.

Clinical Vocabulary

We speak KIS, RIS, PACS, lab interfaces, TI connectors—not just servers and firewalls. Awareness content, phishing bait, and incident playbooks are specifically tailored to clinic workflows.

Regulatory reuse of evidence

Each of our services produces evidence that can be used at the same time for NIS2, KRITIS verification, and Section 391 of the German Social Code Book V. Instead of three separate documentation streams, you get one consolidated record — effort once, use it three times.

The patient care mandate as the guiding principle

Each measure — scanner window, containment decision, training time — is judged by whether it jeopardizes patient care. Cybersecurity is a means, not an end in itself.

Answers specifically for clinics.

The questions we regularly hear from executive management, CISOs, and IT leaders in hospitals. We answer further questions directly in the free risk assessment.

Our clinic is under 30,000 cases — does NIS2 still apply?

How much do your measures disrupt ongoing clinic operations?

We already have an IT service provider and a KIS maintenance contract — isn’t that enough?

How long does a complete implementation of all four services take?

How much does the complete package cost for a clinic?

What does NIS2 compliance look like in practice?

Can awareness training even work in shift work?

Where are clinical data stored?

FREE RISK ASSESSMENT

30 minutes. An honest picture of your security posture.

Every conversation begins with a free risk assessment — 30 minutes, no obligation. You will then receive a written report with your cybersecurity maturity level, risk areas, and immediate measures.