Why IT security is now mission-critical
For a long time, IT security did not play a major role in many hospitals. The focus was understandably on patient care, staffing challenges, and the economic survival of the organization in day-to-day operations. IT was primarily seen as an operational factor – it simply had to work.
Today, this perspective is no longer sufficient. The increasing digitalization of clinical processes, connected medical devices, external service providers, and cloud integrations significantly expand the attack surface. At the same time, successful cyberattacks on hospitals have shown that IT security is not a theoretical risk. It can directly threaten hospital operations, patient safety, and ultimately the viability of the organization.
NIS2: IT security becomes a board-level responsibility
The strong dependence of the healthcare sector on stable IT systems has compelled legislators to take action. With EU Directive 2022/2555 and the German NIS2 Implementation Act (NIS2UmsuCG), cybersecurity is becoming a legally binding obligation for a significantly broader range of organizations. The number of affected entities is increasing from around 4,500 to approximately 29,500, including many hospitals and medium-sized companies in the healthcare sector.
The law has been in force since December 6, 2025. For executive management, this means that IT security is explicitly a leadership responsibility. Senior management can be held personally liable if the implementation of requirements is not properly supervised, if training is neglected, or if documentation is outdated. Violations may result in substantial fines and personal liability. We have summarized the key aspects of NIS2 for you below.
NIS2 requires risk management, security measures, and incident reporting, which must be structured within an Information Security Management System (ISMS). The B3S standard maps these requirements to sector-specific frameworks such as IT-Grundschutz.
To systematically assess the status of your IT security, we consider the most important dimensions, aligned with B3S and NIS2:
- Organizational: Establishment and operation of an ISMS with clear policies, protection objectives, roles, processes, risk management, and continuous improvement.
- Personnel: Awareness and training of employees, clear responsibilities, cyber hygiene, and personnel security.
- Technical: Security measures for IT systems, networks, and applications (including access controls, network segmentation, malware protection, encryption, logging, and secure development practices).
- Physical: Protection of infrastructure such as data centers, server rooms, and other critical IT areas.
Together, these dimensions form the foundation for an effective and auditable level of security in accordance with NIS2 and B3S, and therefore for stable and secure hospital operations.
Further information can be found below.
Assessment categories according to ISO 27001
Organizational
(Information) Risk Management (ISRM/RM): Establishment of a holistic and systematic risk management process for the consistent identification, assessment, treatment and tracking of information security risks for all critical information assets.
- B3S Mapping: 5
- NIS2: §30 ff.
Suppliers & Third Parties: Risk-based supply chain management through the evaluation of service providers regarding their security measures, contractual definition of security requirements, and continuous monitoring.
- B3S Mapping: 6.12, 6.11
- NIS2: §30 Abs. 2 Nr. 4
Asset Management: Complete inventory of all information assets and IT systems (IT, medical technology, supply infrastructure, critical applications) with classification according to criticality and protection requirements.
- B3S Mapping: 3.2.3, 6.5
- NIS2: §33 Abs. 1-2
Business Continuity Management (BCMS) & Emergency Management: Ensuring operational continuity and recovery of critical processes in the event of disruptions or failures through emergency plans, backup strategies, and regular testing.
- B3S Mapping: 6.4, 6.6
- NIS2: §32 ff.
Incident Detection and Response: Establishment of an incident response capability for rapid detection, containment, and remediation of security incidents with structured follow-up (lessons learned) and fulfillment of BSI reporting obligations.
- B3S Mapping: 6.3, 6.9
- NIS2: §32
Personnel
Auditing and Continuous Improvement Process (CIP): Implementation of systematic and regular monitoring, audit and review measures to validate the effectiveness of implemented information security controls, identify deviations, and ensure continuous improvement of the information security management system.
- B3S Mapping: 6.10
- NIS2: §40
Technical
Training and Awareness: Raising awareness and enabling employees through regular, target-group-specific training and cyber-hygiene awareness, as well as ensuring personnel availability through substitution arrangements and screening.
- B3S Mapping: 6.8
- NIS2: §38 ff.
Physical
Technical Information Security (Endpoint AV, VPN, Firewalling, IDS/IDP; Incident Detection Systems such as SOC / SIEM): Implementation of all technical security controls for IT systems, networks and applications including access control, network segmentation, malware protection, encryption, logging/monitoring and secure development.
- B3S Mapping: 6.13 (excl. 6.13.19)
- NIS2: §30
Why implementing an ISMS pays off
An Information Security Management System (ISMS) is far more than a single document. It represents a structured management system that controls information security through a process-oriented PDCA cycle (Plan–Do–Check–Act), reduces risks and continuously improves security.
Key benefits:
- Operational integration instead of paper compliance: Security measures become part of everyday hospital operations (e.g., access control, incident reporting), reducing outages and protecting patient data in accordance with PDSG and NIS2.
- Regulatory compliance: For hospitals classified as critical infrastructure (KRITIS), implementation is mandatory (B3S, §75c SGB V). It helps avoid fines that can reach millions and reduces personal liability risks for management.
- Economic value: An ISMS reduces risks such as ransomware attacks, optimizes processes, and facilitates certifications such as ISO 27001.
Focusing on measurable KPIs, regular audits and suitable security tools ensures that IT security becomes part of the organizational culture rather than a static compliance document.
In many German hospitals, a well-implemented ISMS can already cover around 80% of NIS2 requirements, significantly strengthening operational resilience.
These are the core components of an ISMS:
- Security policy: Top management commits to protecting the core security objectives: confidentiality, integrity, availability, and in B3S also authenticity.
- Risk analysis: Identification and assessment of critical assets such as inpatient care systems, patient data, and medical technology, often based on IT-Grundschutz catalogs.
- Security controls: Implementation of B3S security measures (mandatory / recommended / optional), including access controls, incident reporting (within 24 hours under NIS2) and staff training.
- Organization: Establishment of an ISMS team with a dedicated security officer, regular audits and iterative implementation.
Determining your starting point: Our IT security assessment
Through a structured questionnaire, Detecon enables hospitals to conduct a rapid and realistic IT security assessment without extensive preparation.
The assessment is designed for IT leaders and hospital management and provides:
1. A clear classification of the current security maturity level across different dimensions.
2. Orientation in relation to regulatory requirements and standards (including KRITIS, NIS2 and B3S).
3. An initial prioritization of action areas.
4. An objective benchmark of the hospital’s current position.
The result is not just an abstract score, but a solid basis for decision-making — for management, investment planning, and the next realistic steps toward stronger IT security.
Access the IT Security Assessment here (coming soon).
Key Facts About NIS2
The NIS2 Act, officially the NIS2 Implementation Act (NIS2UmsuCG), transposes EU Directive 2022/2555 into German law and strengthens cybersecurity across a broader range of companies and institutions. It expands the number of affected organizations from approximately 4,500 to around 29,500, including medium-sized organizations in critical sectors such as energy, healthcare, finance and digital infrastructure.
The law entered into force on December 6, 2025, with a registration deadline at the German Federal Office for Information Security (BSI) on March 6, 2026.
- Core Requirements: Affected organizations must introduce risk-based cybersecurity management, including risk analyses, supply chain security, incident response, and crisis management. Executives are personally responsible for implementation, training and effectiveness monitoring.
- Incident Reporting: For significant incidents, a three-stage reporting system applies: initial notification within 24 hours, follow-up report within 72 hours, final report within one month. The BSI receives expanded supervisory powers, including audits and fines that may reach millions of euros.
- Implications for IT Security: Organizations should assess whether they fall within the NIS2 scope, particularly medium-sized entities operating in critical sectors such as healthcare. NIS2 harmonizes cybersecurity standards across the EU and requires organizations to strengthen compliance, governance and operational resilience.
Conclusion
The question today is no longer whether hospitals need to address IT security – but how quickly and how systematically they begin. Cyberattacks, regulatory requirements, and increasing digitalization make a structured security management approach essential.
A clear understanding of the current security posture is the first step toward reducing risks and establishing IT security as a sustainable part of hospital operations.