
New in the NIS2 scope · § 390 SGB V · TI connection

Cybersecurity for medical care centers & practice networks

Medical care centers and practice networks have been directly regulated for the first time since the NIS2UmsuCG — alongside the IT security guideline under § 390 SGB V, TI connectivity, and gematik requirements for e-prescriptions, e-sick notes, and ePA. We combine awareness, phishing simulation, vulnerability management, and a managed SOC for providers operating across multiple locations.

THE REALITY

Heterogeneous IT, growing obligations, tight deadlines.

Medical care centers (MVZ) and practice networks have grown over many years: different practice management systems, various internet connections, inconsistent password policies, distributed TI connectors. At the same time, the regulatory landscape has become increasingly complex — and is now meeting IT structures that are rarely prepared for these requirements.

~1,000

Medical care centers in Germany are covered for the first time by NIS2 as important entities — many of them without existing security structures.

€7 million

Maximum NIS2 fine for important entities under Section 65 of the BSI Act (or 1.4% of global annual turnover) — plus personal liability of management under Section 38 of the BSI Act with personal assets.

1 location = all

With a shared domain and centralized infrastructure, one compromised site is enough — within minutes, all the others are affected too. One incident turns into ten practices going down at the same time.

Sources: NIS2UmsuCG · Section 28 BSIG · Section 390 SGB V · KBV IT Security Directive · gematik TI 2.0 Roadmap.

Regulatory context

Three parallel regulatory frameworks — NIS2, KBV and gematik.

Since December 2025, MVZs have been subject to an interplay of three sets of regulations that address different protected assets: NIS2 protects the security of supply, Section 390 of Book V of the Social Code protects outpatient healthcare, and gematik specifications protect the telematics infrastructure. A clean implementation covers all three at the same time.

01 · NIS2 · Section 30 BSIG

Important entity

MVZs with 50 or more employees, or with annual turnover and a balance sheet total of €10 million, are considered important entities. They must implement the ten risk management measures from Section 30 of the BSIG, report incidents under Section 32 of the BSIG, and register with the BSI; the initial registration deadline ended on 6 March 2026, and entities that missed it should register immediately. Management is personally liable under Section 38 of the BSIG.

02 · Section 390 SGB V

KBV IT Security Policy

The KBV guideline applies to all contract medical practices, including medical care centers (MVZ). It defines tiered minimum security measures depending on practice size — basic level, medium level, high level. For medium-sized and large practices, the requirement also includes penetration tests, network segmentation, and structured patch management.

03 · gematik / TI

Telematics & eHealth applications

TI connectivity for ePrescriptions, eAU, ePA, and KIM communication is subject to gematik specifications. The transition to TI 2.0 — with decentralized access instead of centralized connector hardware — increasingly shifts security responsibility to practice IT. Anyone operating systems required for TI must provide complete proof of their security.

Legal sources: NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) · Sections 28, 30, 32, 38 of the BSIG · Section 390 of SGB V · KBV IT Security Directive · gematik specifications (TI 2.0, e-prescription, eAU, ePA).

TYPICAL ATTACK SCENARIOS

Why MVZs are particularly vulnerable.

Distributed locations with different starting points, shared infrastructure, and high integration via practice management systems (PVS) and TI — a successful attack spreads quickly across all locations. The typical patterns are documented and can be addressed.

OUR SOLUTIONS

A consistent level of security across all locations.

Four coordinated services — centrally managed, rolled out for each location. Proof of compliance for NIS2, KBV, and gematik is generated automatically as a shared byproduct.

Continuous training

Phishing Simulation as a Service

Campaigns with realistic lures — fake KBV notices, referrals, lab emails, e-prescription notifications. Click and report rates by site, trends over time — the only hard effectiveness metric for awareness efforts.

Employee Resilience

Security Awareness Training

Modular training courses on MFA, e-prescription security, TI connector protection, and handling compromised accounts. Tailored separately for physicians, medical assistants (MFA), and administrative personnel. Proof of NIS2 Article 21(g)- and KBV-compliant training at the push of a button.

Know the attack surface

Vulnerability Management

Multi-site asset inventory: which PVS versions, which operating systems, which open ports at each site. A consolidated patch plan instead of 20 individual Excel lists. Direct input into the KBV audit and NIS2 risk management.

24/7 Managed SOC

Incident Detection & Response

Monitoring across all locations with a focus on unusual patterns in PVS access, e-prescription activity, and KIM traffic. Rapid isolation of individual locations before ransomware can spread. Ready-made NIS2 incident reports if things still get serious.

WHY ENTROPY CS

Multi-location security without bloating your IT department.

Managers of medical care centers need a partner who keeps the full spectrum of cybersecurity and outpatient healthcare regulations in view — not three separate service providers, each with its own tunnel vision.

Multi-location as the basic design

Our architecture is designed from the ground up for distributed organizations. Location-specific metrics, a consolidated group-wide view, and a standardized evidence structure — without you having to do any reporting work yourself.

Regulatory compliance from a single source

We address NIS2, Section 390 of the German Social Code V (SGB V), and gematik requirements in a bundled way. We produce the evidence once and deliver it in the formats expected by BSI, KBV audits, and auditors.

Practical implementation

We know that a site can’t just be closed “quickly” for a rollout. All measures are integrated during ongoing operations, with minimal potential disruption to consultations and billing.

Answers specifically for medical care centers & practice networks.

The questions we regularly hear from MVZ management, medical directors, and IT managers in practice networks.

Does NIS2 really apply to us as a medical care center?

Is compliance with the KBV IT security guideline not sufficient?

What about the TI connection — do you handle that?

How do you handle different PVS at different locations?

How much does that cost for multiple locations?

We already have an IT service provider. Does that conflict?

FREE RISK ASSESSMENT

30 minutes. An honest picture of your security posture.

Every conversation begins with a free risk assessment — 30 minutes, no obligation. You will then receive a written report with your cybersecurity maturity level, risk areas, and immediate measures.