Incident Detection & Response

24/7 · Compliant with § 30 & § 32 BSIG

Incident Detection & Response for Healthcare

24/7 Security Operations Center with Managed Detection & Response — detect, contain, and report attacks before they impact patient care. NIS2-compliant early warning within 24 hours, audit-ready documentation.

THE REALITY

The attacker is already in the network — the question is how quickly you notice.

Ransomware attacks on clinics have reached a historic high. The average dwell time — that is, the time between intrusion and discovery — in healthcare is several months. Every day costs data, systems, and trust. Rapid detection and coordinated response are the difference between a controlled incident and a headline.

258 days

mean time to identify (MTTI) a data breach in healthcare, plus another 71 days until containment.

67%

healthcare facilities worldwide were targeted by a ransomware attack in 2024 — more than half of them affecting patient care.

24 hours

is the time NIS2-obligated entities have, after becoming aware of a significant security incident, to send an early warning to the BSI; a notification follows within 72 hours and a final report after one month.

Sources: IBM Cost of a Data Breach Report 2024 · Sophos State of Ransomware in Healthcare 2024 · NIS2UmsuCG § 32 BSIG.

HOW IT WORKS

From alarm to reportable documentation.

An incident has phases: detection, investigation, containment, recovery, and documentation. Our SOC team guides you through each one, with clearly defined communication and documented decisions that the board and the BSI will accept.

01

Detection

24/7 monitoring of all security-relevant events from endpoints, servers, firewalls, identity systems, and the cloud. Correlation in our SIEM, enriched with healthcare-specific threat intelligence. Alerts with context, not just raw data — and prioritization based on clinical relevance.

02

Triage & Investigation

Experienced analysts validate the alert within defined SLAs, investigate attack paths, and determine scope and impact. What happened, which systems are affected, which data may have leaked — the questions you need answered in minutes, not days.

03

Response & Containment

Immediate containment by isolating compromised endpoints, disabling misused accounts, and blocking malicious infrastructure. Coordination with your IT and clinical leadership, because in healthcare every isolation measure must be assessed for its impact on patient care.

04

Recovery & Verification

Structured recovery, forensic analysis, lessons-learned review — and above all: legally compliant documentation for the NIS2 notifications under Section 32 of the BSIG (24-hour early warning, 72-hour report, 1-month final report). We provide the drafts; you and your legal department decide whether to send them.
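To make the four steps above concrete, here is a small example added for this page (it is not the provider's SOC tooling or detection content): a correlation rule over constructed sample events that links a credential attack on an identity system to ransomware-like behaviour on an endpoint, prioritises the resulting incident by an assumed asset-criticality tag (the "clinical relevance" of step 01), attaches the attack path and a recommended action that forces the clinical-impact check of step 03, and computes the Section 32 BSIG reporting clock from the time of becoming aware (step 04). Host names, user names, tags, thresholds and the choice of which alert counts as "becoming aware" are all hypothetical.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs), already normalised to one schema
# as a SIEM does on ingest. Hosts, users and timestamps are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2025-12-10T02:14:05Z", "source": "identity", "host": "ws-reception-07", "user": "svc-backup", "action": "logon_failure"},
    {"ts": "2025-12-10T02:14:09Z", "source": "identity", "host": "ws-reception-07", "user": "svc-backup", "action": "logon_failure"},
    {"ts": "2025-12-10T02:14:12Z", "source": "identity", "host": "ws-reception-07", "user": "svc-backup", "action": "logon_failure"},
    {"ts": "2025-12-10T02:14:15Z", "source": "identity", "host": "ws-reception-07", "user": "svc-backup", "action": "logon_failure"},
    {"ts": "2025-12-10T02:14:20Z", "source": "identity", "host": "ws-reception-07", "user": "svc-backup", "action": "logon_failure"},
    {"ts": "2025-12-10T02:14:31Z", "source": "identity", "host": "ws-reception-07", "user": "svc-backup", "action": "logon_success"},
    {"ts": "2025-12-10T02:21:44Z", "source": "endpoint", "host": "pacs01", "user": "svc-backup", "action": "mass_file_rename"},
    {"ts": "2025-12-10T02:30:10Z", "source": "endpoint", "host": "fs-admin01", "user": "jdoe", "action": "mass_file_rename"},
]

# Assumed asset inventory (hypothetical): the clinical-relevance tag drives priority.
ASSET_TAGS = {"pacs01": "clinical", "his-db01": "clinical", "fs-admin01": "admin", "ws-reception-07": "workstation"}
PRIORITY_BY_TAG = {"clinical": "P1", "admin": "P2", "workstation": "P3"}
RANSOMWARE_BEHAVIOURS = {"mass_file_rename", "shadow_copy_delete"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_credential_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Per user: at least `threshold` logon failures followed by a success within `window`."""
    failures, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "identity":
            continue
        t = parse_ts(e["ts"])
        if e["action"] == "logon_failure":
            failures.setdefault(e["user"], []).append(t)
        elif e["action"] == "logon_success":
            recent = [f for f in failures.get(e["user"], []) if t - f <= window]
            if len(recent) >= threshold:
                hits.append({"user": e["user"], "src_host": e["host"], "ts": t, "failures": len(recent)})
            failures[e["user"]] = []  # a success closes the sequence
    return hits


def correlate(events, link_window=timedelta(hours=1)):
    """Turn ransomware-like endpoint behaviour into prioritised incidents with context:
    the attack path (a preceding credential attack by the same user), the asset tag,
    and a recommended action that asks for the clinical-impact check before isolation."""
    cred = find_credential_attacks(events)
    incidents = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "endpoint" or e["action"] not in RANSOMWARE_BEHAVIOURS:
            continue
        t = parse_ts(e["ts"])
        path = [c for c in cred if c["user"] == e["user"] and timedelta(0) <= t - c["ts"] <= link_window]
        tag = ASSET_TAGS.get(e["host"], "unknown")
        incidents.append({
            "host": e["host"], "user": e["user"], "aware_at": t, "asset_tag": tag,
            "priority": PRIORITY_BY_TAG.get(tag, "P3"),
            "attack_path": [f"{c['failures']} failed logons then success for {c['user']} from {c['src_host']}" for c in path],
            "recommended_action": ("clarify clinical impact with ward/IT, then " if tag == "clinical" else "")
                                  + f"isolate {e['host']}, disable {e['user']}",
        })
    return sorted(incidents, key=lambda i: (i["priority"], i["aware_at"]))


def add_one_month(t):
    """Same calendar day next month, clamped to that month's length."""
    year, month = t.year + t.month // 12, t.month % 12 + 1
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))


def reporting_deadlines(aware_at):
    """Section 32 BSIG / Art. 23(4) NIS2 clock, counted from the time of becoming aware.
    Which alert marks 'becoming aware' is a legal judgement; the first P1 incident's
    timestamp is used here only as a placeholder. The final report is assumed to be due
    one month after the 72-hour notification (Art. 23(4)(d)); confirm that reading with legal."""
    notification = aware_at + timedelta(hours=72)
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "notification": notification,
        "final_report": add_one_month(notification),
    }


if __name__ == "__main__":
    incidents = correlate(SAMPLE_EVENTS)
    for i in incidents:
        print(i["priority"], i["host"], i["attack_path"], "->", i["recommended_action"])
    for name, due in reporting_deadlines(incidents[0]["aware_at"]).items():
        print(f"{name}: {due.isoformat()}")
```

Run as-is, the script produces one P1 incident for the imaging server with the credential attack from the reception workstation as its attack path, one P2 incident for the admin file server with no linked path, and the three deadlines counted from the P1 timestamp. The point a practitioner should take from it is the ordering: the asset tag, not the raw alert, decides priority, and the deadline clock is computed once from an explicitly recorded "aware at" value, so the 24-hour early warning can be drafted from evidence that already exists rather than reconstructed in crisis mode.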

WHAT IS INCLUDED

More than just a SIEM tool — a full SOC team.

Others sell you a detection platform and leave tuning, triage, and incident response to you. We deliver both — technology plus experienced analysts who can respond within minutes when it matters most.

Legal basis

Reporting obligations have been legally binding since December 2025, with no transition period.

“Essential and important entities shall report any significant security incident to the competent authority without delay, but no later than 24 hours after becoming aware of it.” — NIS2 Directive, Article 23(4)(a)

Implementation in German law is governed by Section 32 of the BSIG. Early warning within 24 hours, notification within 72 hours, and a final report after one month — each with specific content requirements. Anyone who reports incidents too late, incompletely, or incorrectly risks fines under Section 65 BSIG (up to €10 million or 2% of global annual turnover for particularly important entities, up to €7 million or 1.4% for important entities) and personal liability of management under Section 38 BSIG. A well-practiced SOC team turns the reporting obligation into a routine task instead of a crisis.

Legal sources: Directive (EU) 2022/2555 (NIS2) · NIS2UmsuCG of 6 December 2025 · Section 30 BSIG (risk management) · Section 32 BSIG (notification obligations) · Section 38 BSIG (management liability) · Section 65 BSIG (administrative fine provisions).

WHO IS IT SUITABLE FOR

For every healthcare facility.

Attacks on healthcare are not generic — and the response should not be either. We know the workflows, systems, and risk profiles of your organization.

Hospitals

Critical infrastructure with 24/7 availability requirements. Rapid detection and containment — without unnecessarily disrupting clinical workflows.

Medical care centers & practice networks

Heterogeneous practice management systems, TI connectivity, KBV communication. Site-wide visibility, a unified response to attacks.

Private clinics

Pragmatic SOC-as-a-Service without having to build your own 24/7 team. Quick start, clear escalation paths, NIS2-compliant reporting.

Pharma & MedTech

IP theft, production outages, supply chain attacks. Forensically sound documentation for FDA, EMA, and BfArM reporting.

Care facilities

Distributed locations, mobile devices, and a growing threat landscape. Centralized monitoring and containment without an on-site IT team.

Health Tech

Cloud workloads, API attacks, customer data breaches. Integration with CI/CD, cloud-native detection, rapid response without loss of productivity.

OUR APPROACH

SOC performance that really helps in an emergency.

Many SOC services deliver alerts, but no answers. Our promise: When things get serious, we take over — not just technically, but also in terms of communication and documentation.

Context instead of noise

Every alert is validated by people, not just by an engine. You receive enriched incidents with context, impact, and recommended actions — not an unsorted flood from the SIEM.

Clinic before technology

We do not make containment decisions in a vacuum. Before any isolation, we clarify: Does this affect a patient? Is there an alternative measure? Security and the clinic's duty of care are given equal weight.

Report as routine

24-hour, 72-hour and 30-day reports under Section 32 of the BSIG are not written here in crisis mode, but as a routine process based on the evidence already available. Your legal department only has to decide whether to send them.

Answers to the most important questions.

The questions we regularly hear from IT leaders, CISOs, and managing directors in healthcare about Managed Detection & Response. More questions answered directly in the free Risk Assessment.

What exactly is included in 24/7 Managed Detection & Response?

How quickly do you respond to an alarm?

Will your SOC replace my internal IT team?

How do you integrate into our existing infrastructure?

What happens if an incident actually occurs?

How do you comply with the NIS2 reporting obligations under Section 32 of the BSIG?

How much does a managed SOC cost for a clinic?

Where are log and incident data stored?

FREE RISK ASSESSMENT

30 minutes. An honest picture of your security posture.

Every conversation begins with a free risk assessment — 30 minutes, no obligation. You will then receive a written report with your cybersecurity maturity level, risk areas, and immediate measures.