Vulnerability Management

Compliant with § 30 para. 2 nos. 1, 5 & 9 BSIG

Vulnerability Management for Healthcare

Continuous vulnerability detection and prioritized remediation for hospitals, clinics, medical care centers, care facilities, pharmaceuticals, and MedTech. Asset discovery, clinically prioritized remediation, NIS2 audit-ready evidence — IoMT is captured passively, with active scans only on IT infrastructure.

THE REALITY

Your attack surface is growing faster than your IT team.

Clinics have a unique attack surface: thousands of medical devices, outdated operating systems, legacy HIS and RIS systems, distributed access for technical staff, cleaning personnel, and external service providers. Without continuous visibility, blind spots arise that attackers can deliberately exploit — with a direct risk to patient care.

70%+

Many medical devices used in everyday clinical practice run on operating systems that are no longer supported by the manufacturer — without patches, without support.

€4.88 million

Average cost of a data breach in healthcare in 2024 — highest among all industries, 14th year in a row.

55 days

On average, it takes organizations 55 days to close 50% of their critical vulnerabilities. By contrast, attackers need only 5 days for mass exploitation.

Sources: Palo Alto Networks Unit 42 Healthcare IoT Report · IBM Cost of a Data Breach Report 2024 · Verizon Data Breach Investigations Report 2024.

HOW IT WORKS

From blind spot to audit-ready proof.

Vulnerability management is not a one-time scan. It is a continuous cycle of visibility, assessment, remediation, and verification tailored to the specific requirements of clinical operations.

01

Asset Discovery & Inventory

We continuously identify all systems in your network—from servers and clients to medical devices as well as OT and IoT components. Passive Discovery prevents disruptions in clinical operations. Result: an always up-to-date asset inventory as the basis for all further steps.

02

Vulnerability scanning

Authenticated and unauthenticated scans reveal vulnerabilities in IT infrastructure — operating systems, applications, configurations, and network services. Medical devices are captured exclusively through passive asset discovery and SBOM analysis, never actively scanned. This aligns with HHS 405(d) best practice and protects against device failures in clinical operations.

03

Clinical prioritization

A CVSS score of 9.8 is irrelevant if the system is isolated in a lab segment. Conversely, a CVSS 6.0 on a patient monitor can be critical. We assess vulnerabilities based on actual clinical risk — patient safety, data protection, and business interruption.

04

Remediation & Verification

Every critical vulnerability is accompanied by a clear remediation recommendation, effort estimate, and SLA until resolution. Status tracking per asset, trend reports per department, and management reports for executives — including audit-ready NIS2 evidence.

WHAT IS INCLUDED

More than a scanner — a fully managed service.

Others sell you a scanner license and leave you to handle configuration, prioritization, and remediation tracking. We take care of the entire cycle — from the initial discovery to the audit report ready for signature.

Legal basis

Vulnerability Management has been a legal requirement since December 2025.

"Security measures in the acquisition, development and maintenance of network and information systems, including vulnerability management and disclosure … as well as personnel security, access control concepts, and asset management." — NIS2 Directive Art. 21(2)(e) and (i)

Implementation in German law takes place via Section 30 of the BSIG. Particularly relevant for vulnerability management: subsection 2 no. 1 (concepts for risk analysis and security for information systems), no. 5 (security measures for acquisition, development, and maintenance — including vulnerability management and disclosure of vulnerabilities) and no. 9 (personnel security, concepts for access control, and asset management). Without documented vulnerability management, it is effectively impossible to prove compliance with these measures — and under Section 38 of the BSIG, management is personally liable for breaches of duty.

Legal sources: Directive (EU) 2022/2555 (NIS2) · NIS2UmsuCG of 6 December 2025 · Section 30 BSIG (risk management measures) · Section 38 BSIG (duties of executive management).

WHO IS IT SUITABLE FOR

For every healthcare facility.

Our vulnerability management is tailored to healthcare organizations — not generic IT environments. Scanning methods that respect medical devices, clinically prioritized risk assessments instead of endless CVSS lists, and reports in formats that B3S, NIS2, and auditors can accept directly.

Hospitals

Complex networks with thousands of medical devices, legacy systems, and 24/7 availability requirements. Passive discovery, clinically prioritized remediation.

Medical care centers & practice networks

Heterogeneous locations, different practice management systems, KBV connectivity. Cross-site inventory and consistent prioritization.

Private clinics

Pragmatic vulnerability management without enterprise overhead. Fast setup, clear prioritization, documented NIS2 evidence.

Pharma & MedTech

GxP environments, validated systems, supply chain risks. Active scanning of IT infrastructure while taking validation requirements into account, supply chain transparency in accordance with NIS2.

Care facilities

Distributed locations, mobile devices, remote maintenance access. Focus on remote access controls, billing IT, and centralized patch management.

Health Tech

Cloud-native architectures, API surfaces, CI/CD pipelines. Integration into DevSecOps workflows, container and IaC scanning, SBOM-based transparency.

OUR APPROACH

Vulnerability Management that works in everyday clinical practice.

Generic scanners that disrupt medical devices in clinical settings or spit out reports with 8,000 CVSS 9.8 entries help no one. Our approach is built specifically for healthcare.

Clinical risk before CVSS

We prioritize based on actual business and patient risk — not on an abstract score. Compensating controls, segmentation, and clinical use are factored into the assessment.

Keep medical devices in mind

MDR-regulated devices must not be scanned or patched arbitrarily. We work passively by observing the network, coordinate findings with the medical technology team, and respect validation requirements. Active scans remain reserved for the IT infrastructure.

Remediation instead of Report

A 300-page scan report is not a security gain. We actively guide you through remediation — prioritized, with concrete action recommendations and status tracking until the vulnerability is closed.
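As an added illustration of the scan-scope rule from step 02 and the clinical prioritization from step 03 above, restated under "Clinical risk before CVSS" and "Keep medical devices in mind": example code written for this page, not the provider's tooling. The asset fields, weights, priority bands, sample assets and placeholder CVE ids are all assumptions; the point is that a CVSS 9.8 on an isolated lab server ranks below a CVSS 6.0 on a reachable patient monitor, and that active scan results are rejected for medical devices.

```python
from dataclasses import dataclass

ACTIVE = {"authenticated_scan", "unauthenticated_scan"}
PASSIVE = {"passive_discovery", "sbom"}

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                   # "it" or "medical_device" (MDR-regulated, IoMT)
    isolated: bool              # segment has no route to clinical or user networks
    controls: int               # compensating controls (segmentation, host firewall, ...)
    patient_safety: int         # 0..3 consequence of compromise for patients
    data_protection: int        # 0..3 consequence for patient data
    business_interruption: int  # 0..3 consequence for clinical operations

@dataclass(frozen=True)
class Finding:
    asset: Asset
    cve: str
    cvss: float
    source: str                 # method that produced the finding

def scan_permitted(asset, source):
    """Medical devices are only observed passively; active scans stay on IT assets."""
    allowed = PASSIVE if asset.kind == "medical_device" else ACTIVE | PASSIVE
    return source in allowed

def clinical_priority(f):
    """Score 0..10 and band P1..P4: CVSS reshaped by clinical impact and exposure (assumed weights)."""
    if not scan_permitted(f.asset, f.source):
        raise ValueError(f"{f.source} is not permitted on {f.asset.name}")
    a = f.asset
    impact = max(a.patient_safety, 0.7 * a.data_protection, 0.6 * a.business_interruption) / 3
    exposure = 0.2 if a.isolated else max(0.4, 1 - 0.15 * a.controls)
    score = round(f.cvss * (0.2 + 0.8 * impact) * exposure, 2)
    if a.patient_safety == 3 and not a.isolated and f.cvss >= 4.0:
        return score, "P1"   # reachable life-critical device: P1 even at a moderate CVSS
    return score, "P1" if score >= 7 else "P2" if score >= 4 else "P3" if score >= 2 else "P4"

def prioritize(findings):
    ranked = [(f, *clinical_priority(f)) for f in findings]   # (finding, score, band)
    return sorted(ranked, key=lambda r: (r[2], -r[1]))       # by band, then score desc
# Constructed sample assets and findings (placeholder CVE ids, not real advisories)
LAB = Asset("lab-analyzer-srv", "it", True, 0, 0, 1, 1)
MONITOR = Asset("icu-patient-monitor", "medical_device", False, 0, 3, 2, 3)
HIS = Asset("his-db", "it", False, 2, 1, 3, 3)
SAMPLE_FINDINGS = [
    Finding(LAB, "CVE-PLACEHOLDER-1", 9.8, "authenticated_scan"),
    Finding(MONITOR, "CVE-PLACEHOLDER-2", 6.0, "sbom"),
    Finding(HIS, "CVE-PLACEHOLDER-3", 8.1, "authenticated_scan"),
]
```

Running `prioritize(SAMPLE_FINDINGS)` yields the monitor first (P1, 6.0), the HIS database second (P2, about 4.31) and the isolated lab server last (P4, about 0.76); a finding that claims an authenticated scan on the monitor is rejected.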

Answers to the most important questions.

The questions we regularly hear from IT leaders, CISOs, and managing directors in healthcare about vulnerability management. Further questions are answered directly in the free risk assessment.

How does your VM differ from a conventional scanner?

How do you handle medical devices?

Does this meet the requirements of NIS2 and Section 30 of the BSIG?

How often are scans performed?

How do you prioritize vulnerabilities?

How long does the onboarding take?

How much does vulnerability management cost for a clinic?

Where are the scan results stored?

FREE RISK ASSESSMENT

30 minutes. An honest picture of your security posture.

Every conversation begins with a free risk assessment — 30 minutes, no obligation. You will then receive a written report with your cybersecurity maturity level, risk areas, and immediate measures.