NIS2 for Healthcare Organizations
Healthcare is classified under Annex I of NIS2, making hospitals and medical facilities essential entities (besonders wichtige Einrichtungen) with the highest compliance requirements. Here is your practical guide.
Why Does NIS2 Apply to Healthcare?
Healthcare was already one of the most targeted sectors for cyberattacks before NIS2. The combination of sensitive patient data, life-critical systems, and often outdated IT infrastructure makes hospitals and clinics attractive targets. The 2020 Duesseldorf University Hospital ransomware attack – which forced emergency room closures and patient diversions – demonstrated that cyberattacks on healthcare can directly threaten lives. NIS2 codifies what the sector already knows: IT security in healthcare is patient safety.
The EU classified health under Annex I (sectors of high criticality) of the NIS2 Directive, covering hospitals, reference laboratories, pharmaceutical manufacturing, and medical device manufacturers. Large healthcare entities (250+ employees) are classified as 'besonders wichtige Einrichtungen' (essential entities) under Section 28(1) BSIG. Medium entities (50-249 employees) are 'wichtige Einrichtungen' (important entities). Essential entities face proactive BSI supervision – the BSI can audit you at any time, without requiring evidence of non-compliance first.
Healthcare already operates under strict data protection rules (GDPR, patient confidentiality) and sector-specific regulation (KHZG, BSI KRITIS for larger hospitals). NIS2 adds a systematic cybersecurity management layer: not just protecting patient data, but securing the entire IT infrastructure that delivers care. If your HIS goes down, you cannot access patient records. If your PACS fails, radiology stops. If your medical devices are compromised, patient safety is at risk. NIS2 requires you to assess and manage all of these risks.
Hospital Information System (HIS/KIS)
The central clinical system: patient records, admissions, scheduling, clinical documentation, ordering, and billing. Typical products are SAP IS-H, Dedalus ORBIS, Agfa HealthCare ORBIS, or iMedOne. This is the single most critical IT asset – if the HIS is down, clinical operations revert to paper and care quality drops immediately. Record it as one asset entry.
PACS and imaging systems
Picture Archiving and Communication Systems store and distribute medical images (X-ray, CT, MRI, ultrasound). They are tightly integrated with the HIS via DICOM/HL7. Typical products are Sectra, Agfa Enterprise Imaging, or Philips IntelliSpace. PACS stores massive amounts of data and is often connected to imaging modalities throughout the facility. Compromise can block radiology and diagnostics.
Networked medical devices
Patient monitors, infusion pumps, ventilators, surgical robots, and diagnostic equipment connected to the hospital network. Many run embedded operating systems (Windows CE, Linux variants) with limited update capabilities. FDA/MDR certification constraints may prevent patching. Group by device type – for example, '35 patient monitors (Philips IntelliVue)' is one entry. These require special security treatment due to regulatory constraints.
Laboratory information system (LIS)
Systems managing laboratory workflows: sample tracking, test ordering, result reporting, and quality control. Connected to analyzers and the HIS. LIS directly affects diagnostic turnaround times. If the LIS is compromised, lab results cannot be verified or communicated, potentially delaying treatment decisions.
Network infrastructure
The clinical network connecting HIS, PACS, medical devices, and administrative systems. Includes wired and wireless infrastructure, firewalls, network segmentation between clinical and administrative zones, and VPN for remote access. Network segmentation is critical in healthcare – medical devices, clinical systems, guest Wi-Fi, and administrative IT should be on separate network segments.
Endpoints and administrative IT
Clinical workstations, nursing stations, office PCs, and mobile devices (tablets for ward rounds, smartphones). Standard office applications, email, and communication tools. Grundschutz allows grouping: '120 clinical workstations (thin clients)' is one entry. Include mobile device management (MDM) as a grouped asset if used for clinical communication.
1. Register with the BSI
Complete your Section 33 BSIG registration. Healthcare entities classified as essential face proactive BSI supervision, which means the BSI may audit you at any time. Being registered and demonstrating active compliance work puts you in a far better position than being discovered as unregistered during an audit.
2. Build your asset inventory
List all systems supporting clinical care, diagnostics, and administration. Pay special attention to networked medical devices – many healthcare organizations do not have a complete inventory of devices connected to their network. Walk the floors, check with biomedical engineering, and document what is connected. You cannot secure what you do not know exists.
3. Set up incident reporting
Healthcare cybersecurity incidents can be life-threatening. Your incident response plan must account for clinical impact: which systems can operate in degraded mode, what manual fallback procedures exist, when to divert patients, and who makes those decisions. Establish the BSI reporting chain (24h/72h/1 month) and the internal clinical escalation chain in parallel.
4. Strengthen access controls
Healthcare has a unique access control challenge: clinicians need fast access to patient data in time-critical situations, but broad access creates risk. Implement role-based access controls (RBAC) for the HIS, enforce MFA for remote access and administrative accounts, conduct quarterly access reviews, and ensure that departed staff have access revoked promptly. Emergency access procedures ('break glass') should be documented and audited.
5. Encrypt patient data
Patient data is among the most sensitive data categories under both GDPR and NIS2. Implement encryption at rest for databases containing patient records and encryption in transit for all clinical data flows. PACS images, HL7/FHIR messages, and lab results should all travel encrypted. Document your encryption standards and key management procedures – this is a specific Section 30 requirement.
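To illustrate step 4, here is an added example (not code from the article) of a role-based chart access check with a 'break glass' path, where every emergency override is written to the audit log and surfaced for the periodic access review. Role names, the care-team mapping and the log fields are assumptions made for illustration.

```python
"""Role-based HIS chart access with an audited 'break glass' path.

Added example, not code from the original article. Roles, care-team
assignments and the audit record layout are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: may the role read charts, and does it need a
# treatment relationship (membership in the patient's care team)?
ROLE_POLICY = {
    "physician": {"read_chart": True, "needs_relationship": True},
    "nurse": {"read_chart": True, "needs_relationship": True},
    "billing": {"read_chart": False, "needs_relationship": True},
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False

@dataclass
class AccessControl:
    care_teams: dict                      # patient_id -> set of user ids
    roles: dict                           # user id -> role name
    audit_log: list = field(default_factory=list)

    def check(self, user, patient, emergency_reason=None):
        """Decide a chart read and append an audit record for every attempt."""
        policy = ROLE_POLICY.get(self.roles.get(user), {})
        on_team = user in self.care_teams.get(patient, set())
        if not policy.get("read_chart"):
            decision = Decision(False, "role may not read charts")  # never overridable
        elif on_team or not policy["needs_relationship"]:
            decision = Decision(True, "routine access")
        elif emergency_reason:
            # Break glass: grant access but flag the record for mandatory review.
            decision = Decision(True, f"break glass: {emergency_reason}", True)
        else:
            decision = Decision(False, "no treatment relationship")
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "patient": patient, "allowed": decision.allowed,
            "break_glass": decision.break_glass, "reason": decision.reason,
        })
        return decision

    def pending_reviews(self):
        """Break-glass events the quarterly access review must examine."""
        return [e for e in self.audit_log if e["break_glass"]]
```

Note that the emergency reason never lifts a role restriction: a billing account stays denied, so break glass widens the patient scope for clinicians only, and each use is reviewable.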
Healthcare faces a tension between security and clinical workflow that no other sector experiences at the same intensity. A locked-down system that requires 30 seconds of authentication at each workstation costs time in an emergency department where seconds matter. NIS2 compliance in healthcare requires finding the right balance: strong security for administrative and remote access, streamlined but audited access for clinical workflows, and emergency override procedures that are logged and reviewed.
Networked medical devices are the sector's biggest unsolved challenge. A patient monitor from 2018 may run an embedded OS that the manufacturer no longer patches. FDA/MDR certification means you cannot modify the device's software without recertification. The answer is compensating controls: network segmentation (isolate medical devices on their own VLAN), traffic monitoring, restricted communication (devices only talk to the systems they need), and lifecycle planning. Document everything – the BSI understands the medical device constraint and evaluates compensating controls as valid.
Healthcare organizations that already participated in KRITIS (under the original BSI-KritisV) have a significant head start. The KRITIS requirements overlap substantially with NIS2. If you have KRITIS audit evidence, use it as the baseline and extend it to cover the additional NIS2 requirements: formal management liability documentation (Section 38), supply chain security assessment, and the specific incident reporting timelines. For non-KRITIS healthcare organizations, the NIS2 requirements are the first time you face structured cybersecurity regulation – start with the 4-week plan and adapt it for your clinical environment.
Frequently Asked Questions
We are a hospital with 200 beds. Are we essential or important?
Healthcare falls under Annex I (sectors of high criticality). If your hospital has 250 or more employees, you are classified as an essential entity (besonders wichtige Einrichtung). With fewer than 250 employees but more than 50, you are an important entity (wichtige Einrichtung). If you are already classified as KRITIS (critical infrastructure), you are automatically essential regardless of size. Essential entities face proactive BSI supervision and the higher penalty tier (up to 10 million euros).
We cannot patch our medical devices. How do we comply with NIS2?
NIS2 requires 'appropriate and proportionate' measures, not impossible ones. For medical devices that cannot be patched due to manufacturer or regulatory constraints: document the risk in your risk assessment, implement compensating controls (network segmentation, traffic monitoring, restricted communication), include the limitation in your supplier assessment for the device manufacturer, and maintain a lifecycle plan for eventual replacement. The BSI explicitly recognizes that OT and medical device environments require adapted security approaches.
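The restricted-communication and traffic-monitoring controls described in this answer and in the compensating-controls section above, as an added example that is not part of the original article: constructed flow records are checked against a per-VLAN allowlist so that any medical device reaching a system it has no need to talk to is flagged. Subnets, server addresses and ports are assumed values.

```python
"""Restricted-communication check for a medical-device VLAN.

Added example, not code from the original article. The subnets, servers,
ports and flow records are constructed for illustration.
"""
import ipaddress

# Constructed policy: the device VLAN may only reach the systems it needs.
DEVICE_VLAN = ipaddress.ip_network("10.50.0.0/24")          # patient monitors
ALLOWED_DESTINATIONS = {
    # destination host                   -> allowed destination ports
    ipaddress.ip_address("10.10.0.5"): {2575},  # central monitoring station (HL7 MLLP)
    ipaddress.ip_address("10.10.0.9"): {123},   # NTP
}

def parse_flow(line):
    """Parse a constructed 'src_ip dst_ip dst_port proto' record."""
    src, dst, port, proto = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto

def violations(flow_lines):
    """Return (record, reason) for flows from the device VLAN not on the allowlist.

    Flows that do not originate in the device VLAN are out of scope here.
    """
    found = []
    for line in flow_lines:
        src, dst, port, proto = parse_flow(line)
        if src not in DEVICE_VLAN:
            continue
        if port not in ALLOWED_DESTINATIONS.get(dst, set()):
            found.append((line, f"{dst}:{port}/{proto} not on device allowlist"))
    return found

# Constructed sample flows, one record per line
SAMPLE_FLOWS = [
    "10.50.0.21 10.10.0.5 2575 tcp",   # monitor -> central station: allowed
    "10.50.0.21 10.10.0.9 123 udp",    # monitor -> NTP: allowed
    "10.50.0.33 10.20.0.40 445 tcp",   # monitor -> admin file server: violation
    "10.50.0.33 10.50.0.21 80 tcp",    # lateral traffic between devices: violation
    "10.20.0.40 10.10.0.5 443 tcp",    # admin PC, not in scope of this check
]

if __name__ == "__main__":
    for record, why in violations(SAMPLE_FLOWS):
        print(f"ALERT {record}: {why}")
```

The same allowlist is what the VLAN firewall rules should enforce; running the check over exported flow records gives the monitoring evidence the BSI expects alongside the segmentation itself.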
Does GDPR compliance already cover our NIS2 patient data obligations?
GDPR covers data protection (privacy, consent, processing lawfulness), while NIS2 covers the security infrastructure that protects that data. They complement each other but do not substitute. Your GDPR compliance means you understand data flows and have processing records – that helps. NIS2 adds: systematic risk management for the IT systems processing that data, incident reporting to the BSI (not just the data protection authority), supply chain security for IT suppliers, and management liability for cybersecurity measures.
How does NIS2 relate to KHZG (Hospital Future Act) funding?
KHZG funded IT modernization in German hospitals, including IT security investments. If your hospital received KHZG funding for cybersecurity projects, those investments likely address some NIS2 requirements. However, KHZG was about investment, not about ongoing compliance management. NIS2 requires continuous risk management, regular reviews, incident reporting processes, and management oversight – these are operational practices, not one-time projects. Use your KHZG investments as the technical foundation and build the NIS2 management framework on top.