The healthcare sector is classified as an essential entity under the NIS2 Directive, which subjects it to the most demanding regime in the regulation. Public and private hospitals, contracted clinics, diagnostic laboratories and regional health services handle data specifically protected by Article 9 of the GDPR, depend on complex networks of connected medical devices (IoMT) that rarely accept hot patches and, over the last five years, have been the systematic target of ransomware campaigns with direct impact on patient care. This combination makes healthcare one of the most exposed sectors and, paradoxically, the one with the least room to halt a service that cannot be stopped.
Key points on healthcare cybersecurity under NIS2
- The healthcare sector is listed in Annex I of NIS2 as an essential entity, with reinforced obligations on risk management and incident notification.
- Health data is a special category under GDPR (Article 9), with an aggravated sanction regime and demands for minimisation and encryption.
- Hospital ransomware paralyses clinical care, not just administrative processes, so care continuity is part of the security programme.
- IoMT (Internet of Medical Things), PACS and HIS are inherited attack surfaces with patch cycles dependent on the vendor.
- A realistic healthcare compliance plan runs over 12 months: gap analysis, segmentation, healthcare-aware MDR, immutable backup and specific clinical incident runbooks.
Why healthcare is a priority target
Few sectors combine such an absolute operational dependency on technology with such a low tolerance for downtime. A medium-sized hospital depends on IT systems for admissions, electronic health records, electronic prescribing, laboratory, radiology, pharmacy, operating theatre management and inter-service communication. When that layer fails, the immediate consequence is not an administrative delay: it is the inability to operate normally, suspension of scheduled surgeries, diversion of emergency cases and, in serious situations, direct clinical risk.
On top of that operational dependency sits the value of the data. A complete electronic health record trades in criminal markets above a banking record, because it contains stable identifiers, insurance information and personal traceability that is hard to invalidate. The attacker knows that health data does not expire like a credit card and that, in addition, its disclosure generates particularly high reputational and legal damage for the targeted entity, which reinforces the pressure to pay the ransom.
The third factor is the technology mix. Modern servers coexist with imaging equipment running unsupported operating systems, connected devices from different generations and legacy clinical software maintained by the vendor under a closed contract. The result is a heterogeneous surface where patching is not always possible and where segmentation becomes the main line of defence.
NIS2 applied to the healthcare sector in Spain
NIS2 places healthcare in Annex I as a sector of high criticality. The Spanish transposition classifies public and private hospitals that exceed the general thresholds (50 or more employees, or annual turnover above 10 million euros) as essential entities, alongside reference laboratories, manufacturers of critical medical devices and regional health services. The difference from the purely private sector is that public healthcare also accumulates obligations under the National Security Framework (ENS), which doubles the compliance matrix without exempting either side.
Incident coordination in healthcare cannot be resolved through a single channel. The competent CSIRT (INCIBE-CERT for the private sector, CCN-CERT for public administration) receives the NIS2 notification at 24 and 72 hours. The Ministry of Health and regional health departments receive parallel information when the incident affects care delivery. The AEPD (Spanish Data Protection Authority) enters the picture when there is improper processing or a breach of health data. The response plan has to contemplate this triple communication from minute one, not improvise it during the crisis.
For contracted hospitals, the practical reality is that the public contracting body will require, through tender or contractual addendum, the same level of measures it applies to the public administration. This means that even when the entity is formally private, its security programme has to be designed considering NIS2 and ENS simultaneously.
Regulatory framework
The main layer is the NIS2 Directive (EU) 2022/2555 and its Spanish transposition. Article 21 sets out the ten minimum areas of technical and organisational measures that every essential entity must implement, with personal liability for the board of directors.
The second layer is the GDPR and the Spanish Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD). Health data is a special category under Article 9 of the GDPR, with a general prohibition of processing except for specific legitimising bases (explicit consent, healthcare delivery, research with safeguards) and a sanction regime where maximum amounts reach 4% of worldwide annual turnover.
Public healthcare is also subject to the National Security Framework (ENS) in its current version, which requires system categorisation, declarations of conformity and biennial audits for systems in the HIGH category. Clinical interoperability adds technical requirements from standards such as HL7 v2, HL7 FHIR and IHE which, although not security standards in the strict sense, define how sensitive data is exchanged between systems and therefore form part of the risk analysis.
The picture closes with European medical device regulations (MDR 2017/745 and IVDR 2017/746), which already incorporate specific cybersecurity requirements for manufacturers, and the regional regulation on electronic health records.
Sector specific risks
The healthcare threat map does not coincide with that of banking or industry. The categories that recur in audits and reported incidents are the following.
Targeted ransomware. Groups such as Conti and LockBit affiliates have repeatedly attacked European hospitals over recent years. The common pattern combines initial access through phishing or credentials leaked by infostealers, lateral movement and escalation on flat networks, prior exfiltration of clinical databases and coordinated mass encryption with double extortion.
Unpatched IoMT. Infusion pumps, patient monitors, ultrasound machines, anaesthesia systems, imaging equipment and surgical robots run vendor-specific firmware with update cycles tied to regulatory certification. Many continue to operate on unsupported operating systems because changing the base OS requires full clinical recertification.
Exposed PACS and HIS. Picture Archiving and Communication Systems (PACS) and Hospital Information Systems (HIS) are critical pieces that in many hospitals have grown by accretion, with remote access for external radiologists, old interfaces and broad service permissions. Their improper exposure is a documented finding pattern in audits.
Phishing targeting healthcare staff. Care pressure, rotating shifts and the heterogeneity of platforms (corporate email, clinical messaging, vendor portals) make healthcare staff especially vulnerable to targeted campaigns that simulate communications from management, equipment vendors or health authorities.
Insider risk. The clinical record is accessible to a high number of professionals out of care necessity, which makes detecting improper access difficult. Minimum-necessity access control and auditing of clinical record access are essential controls but are often under-implemented.
Supply chain. The chain includes cloud providers of clinical records, PACS integrators, IoMT manufacturers, external remote support and telemedicine services. An incident at any of these links propagates to the hospital.
Legacy medical devices without an update path. This is equipment that has been in production for fifteen or twenty years, that the vendor no longer patches, but that remains critical for diagnosis. The only reasonable defence is usually network isolation and passive monitoring.
Documented real cases
The sector has several public incidents that have shaped the priorities of healthcare security programmes in recent years.
The attack on the Health Service Executive (HSE) of Ireland in 2021 left the national health system without IT for several days, with a forced fallback to manual procedures across all hospitals in the country. Full recovery extended over months and prompted a deep review of clinical continuity plans across the rest of Europe.
In 2023, the Hospital Clinic of Barcelona suffered a ransomware incident that affected critical systems and led to cancellation of non-urgent surgeries, suspension of scheduled outpatient appointments and diversion of patients to other centres. The public handling of the case offered lessons on communication with citizens and on coordination between the centre, the regional health system and the competent CSIRT.
During 2024, further incidents have been reported in Catalan and other regional healthcare centres, with variable impact but a common pattern: initial vector via credentials or phishing, lateral propagation and direct operational impact on care.
These cases are not cited to glamorise attackers or to provide actionable technical detail, but to establish that the risk is real, recurrent, and that the sector has enough public evidence to justify preventive investment.
12 month healthcare compliance plan
A realistic programme to bring a medium-sized hospital to a defensible state against NIS2 and GDPR is planned over twelve months.
Months 1 to 2: applicability and gap analysis. Formal determination of obligations (NIS2, ENS where applicable, reinforced GDPR), mapping of Article 21 against existing controls, identification of critical clinical services and prioritisation of gaps. Formal appointment of the security officer and governance committee with clinical representation.
Months 2 to 4: IoMT inventory and surface discovery. Complete inventory of connected medical devices, clinical systems, integrations with external providers and remote access points. Without a reliable inventory, no subsequent control is defensible.
Months 3 to 6: IT, OT and IoMT segmentation. Design and implementation of microsegmentation by VLAN or equivalent, separating office IT, clinical systems (HIS, PACS), IoMT devices, patient wifi and external provider services. This is the technical lever with the greatest impact in healthcare.
Months 4 to 8: detection and response. Deployment of EDR on clinical and administrative endpoints, integration with MDR if the entity does not have a 24x7 in-house SOC, definition of sector-specific use cases (anomalous access to EHR, exfiltration from PACS, atypical behaviour on IoMT).
Months 5 to 9: immutable backup and continuity. 3-2-1-1-0 strategy with an immutable and air-gapped copy, real restoration tests on critical clinical systems, RTO and RPO per care service. Documentation of degraded mode operating procedures for each service (paper, manual forms, alternative internal communication).
Months 8 to 12: IR runbooks, training and exercise. Specific clinical incident runbooks (HIS encryption, PACS unavailability, IoMT compromise), 24h and 72h NIS2 notification drill with the competent CSIRT, board training and internal healthcare awareness campaign.
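The three sector-specific detection use cases named for months 4 to 8 (anomalous access to the EHR, bulk exfiltration from PACS, and the minimum-necessity audit of clinical record access mentioned under insider risk) can be expressed as a small rule set over the audit trail the HIS and PACS already emit. The block below is an added example written for this article, not code from the original page or from Secra: the pipe-separated log format, the care-team export, the user names and the thresholds are all constructed assumptions, and the thresholds are deliberately set low so the sample trips them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of the audit trail an HIS/PACS would emit
# (format is an assumption): ts|user|role|action|patient_id|bytes
SAMPLE_LOG = """\
2025-03-10T08:01:12|dr.lopez|physician|ehr_read|P1001|2048
2025-03-10T08:02:40|dr.lopez|physician|ehr_read|P1002|2048
2025-03-10T08:05:03|nurse.ana|nurse|ehr_read|P1001|1024
2025-03-10T08:06:30|admin.jf|it_admin|ehr_read|P1001|2048
2025-03-10T08:10:00|dr.marti|physician|ehr_read|P1003|2048
2025-03-10T08:11:00|dr.marti|physician|ehr_read|P1004|2048
2025-03-10T08:12:00|dr.marti|physician|ehr_read|P1005|2048
2025-03-10T08:13:00|dr.marti|physician|ehr_read|P1006|2048
2025-03-10T08:14:00|dr.marti|physician|ehr_read|P1007|2048
2025-03-10T03:12:00|ext.radiologist|external|pacs_read|P1001|157286400
2025-03-10T03:15:00|ext.radiologist|external|pacs_read|P1002|157286400
"""

# Constructed care-team assignment as exported from the HIS (assumption): which
# users have a care need for each patient. Any other clinical read is a
# minimum-necessity violation and must at least be justified ("break the glass").
CARE_TEAM = {"P1001": {"dr.lopez", "nurse.ana"}, "P1002": {"dr.lopez"}}
CARE_TEAM.update({f"P10{n:02d}": {"dr.marti"} for n in range(3, 8)})

WINDOW = timedelta(minutes=10)
BULK_PATIENTS = 5                  # distinct EHR patients per user per window (low for the sample)
PACS_EXPORT_BYTES = 200 * 1024**2  # PACS bytes per user per window (low for the sample)


def parse_line(line):
    ts, user, role, action, patient, size = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient": patient, "bytes": int(size)}


def detect(lines):
    """Return alerts as (timestamp, user, kind, detail); volume alerts fire once per user."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> events inside the sliding window
    fired = set()                 # (user, kind) already raised, to avoid repeats
    alerts = []
    for ev in events:
        # Use case 1: clinical record read by someone outside the patient's care team.
        if ev["action"] == "ehr_read" and ev["user"] not in CARE_TEAM.get(ev["patient"], set()):
            alerts.append((ev["ts"].isoformat(), ev["user"],
                           "ehr_access_outside_care_team", ev["patient"]))
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        # Use case 2: one account touching many different records in a short window.
        patients = {e["patient"] for e in q if e["action"] == "ehr_read"}
        if len(patients) >= BULK_PATIENTS and (ev["user"], "bulk") not in fired:
            fired.add((ev["user"], "bulk"))
            alerts.append((ev["ts"].isoformat(), ev["user"], "ehr_bulk_record_access",
                           f"{len(patients)} patients in {WINDOW}"))
        # Use case 3: image volume leaving PACS far above a normal reading session.
        pacs_bytes = sum(e["bytes"] for e in q if e["action"] == "pacs_read")
        if pacs_bytes >= PACS_EXPORT_BYTES and (ev["user"], "pacs") not in fired:
            fired.add((ev["user"], "pacs"))
            alerts.append((ev["ts"].isoformat(), ev["user"], "pacs_bulk_export",
                           f"{pacs_bytes // 1024**2} MiB in {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample the rules raise exactly three alerts: the external radiologist pulling 300 MiB from PACS at 03:15, the IT administrator reading a record he is not on the care team for, and a physician opening five different records inside ten minutes. The first two are the kinds of findings that feed the 24 hour NIS2 notification and the AEPD assessment; the third is the one that needs tuning with clinical input, since ward rounds legitimately look like bulk access, which is why the threshold is a parameter and not a constant buried in the rule.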
Priority technical controls for healthcare
Control selection for healthcare must prioritise those that keep clinical operations running when everything else fails.
- 3-2-1-1-0 immutable backup with air gap. Three copies, two different media, one offsite, one immutable or offline, zero errors in the last verification. Restoration tested with real data, not just in the lab.
- EDR and 24x7 threat hunting. EDR on clinical and administrative endpoints, with behavioural detection. If the organisation does not run its own SOC, contract an MDR service with documented healthcare experience.
- Clinical microsegmentation. HIS, PACS, IoMT, office IT and patient wifi on independent VLANs with explicit allowed traffic policies. Lateral movement contained by design.
- MFA on administrative and clinical remote access. Mandatory multi-factor authentication for administrators, remote radiologists, vendor support and any access from outside the internal network. No exceptions without a documented expiry date.
- Medical device patch management. Update windows coordinated with the clinical calendar, prior validation with the vendor so as not to invalidate FDA clearance or CE marking, auditable record of each change.
- Outbound DLP and exfiltration monitoring. Detection of mass outbound flows of clinical data, alerts on transfers to unauthorised destinations, integration with the SIEM or MDR service.
- Rotating awareness. Mandatory initial training, quarterly campaigns adapted by role (doctors, nursing, administration, management) and phishing simulations with improvement metrics.
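The clinical microsegmentation control above ("independent VLANs with explicit allowed traffic policies", lateral movement contained by design) is easiest to reason about as an allow list between zones with a default deny, which can then be checked against real flow exports before and after the cut-over. The block below is an added example for this article, not code from the original page or from Secra: the zone names and address ranges are an assumed plan, not any hospital's, and the rules use the commonly seen defaults for DICOM (TCP 104) and HL7 v2 over MLLP (TCP 2575) only as illustrative values.

```python
import ipaddress
from collections import namedtuple

# Constructed zone plan for the inter-VLAN firewall (addresses are assumptions,
# not any real hospital's): office IT, HIS, PACS, IoMT, patient wifi, vendor access.
ZONES = {
    "office_it":     ipaddress.ip_network("10.10.0.0/16"),
    "his":           ipaddress.ip_network("10.20.0.0/24"),
    "pacs":          ipaddress.ip_network("10.21.0.0/24"),
    "iomt":          ipaddress.ip_network("10.30.0.0/16"),
    "patient_wifi":  ipaddress.ip_network("10.40.0.0/16"),
    "vendor_remote": ipaddress.ip_network("10.50.0.0/24"),
}

Rule = namedtuple("Rule", "src dst proto port why")

# Explicit allowed traffic between zones. Anything not listed is denied, so a new
# integration means adding one documented rule, not opening a whole VLAN.
ALLOW = [
    Rule("office_it", "his", "tcp", 443, "clinician workstations to the HIS web front end"),
    Rule("office_it", "pacs", "tcp", 443, "workstations to the PACS web viewer"),
    Rule("iomt", "pacs", "tcp", 104, "imaging modalities push DICOM studies to PACS"),
    Rule("iomt", "his", "tcp", 2575, "patient monitors send HL7 v2 over MLLP to the HIS"),
    Rule("his", "pacs", "tcp", 2575, "HL7 orders and results between HIS and PACS"),
    Rule("vendor_remote", "iomt", "tcp", 22, "vendor maintenance through the MFA jump host"),
]


def zone_of(ip):
    """Map an address to its zone, or None for anything outside the plan (e.g. internet)."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def evaluate(src_ip, dst_ip, proto, port):
    """Decide a flow the way the inter-VLAN firewall would: default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return ("deny", "endpoint outside the zone plan; egress must go through the proxy")
    if src == dst:
        return ("allow", f"intra-zone {src} traffic, not filtered at this boundary")
    for r in ALLOW:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            return ("allow", r.why)
    return ("deny", f"no rule for {src} -> {dst} {proto}/{port}")


def reachable_zones(src_zone):
    """Zones a given zone can reach at all: a quick check that the matrix really
    contains lateral movement (patient wifi should reach nothing clinical)."""
    return sorted({r.dst for r in ALLOW if r.src == src_zone})


# Constructed flows as a firewall or NetFlow export might list them: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.0.10", "tcp", 443),   # workstation to HIS
    ("10.40.3.7", "10.30.1.15", "tcp", 80),     # patient wifi to an infusion pump
    ("10.30.1.15", "10.21.0.5", "tcp", 104),    # modality to PACS
    ("10.10.5.20", "10.30.1.15", "tcp", 445),   # workstation to a medical device over SMB
    ("10.21.0.5", "203.0.113.9", "tcp", 443),   # PACS straight to the internet
    ("10.50.0.4", "10.30.1.15", "tcp", 22),     # vendor jump host to a device
]


def audit_flows(flows):
    """Return [(flow, decision, reason)] so denied flows can be reviewed against the design."""
    return [(f, *evaluate(*f)) for f in flows]


if __name__ == "__main__":
    for flow, decision, reason in audit_flows(SAMPLE_FLOWS):
        print(decision.upper(), flow, "-", reason)
```

Running the flow export through this before enforcement is the useful part: every "deny" is either a missing legitimate integration (add a rule with an owner and a reason) or exactly the path the segmentation exists to close, such as a workstation reaching a medical device over SMB or PACS talking directly to the internet. The `reachable_zones` check is the one to put in the acceptance criteria: patient wifi must reach no clinical zone, and IoMT must reach only HIS and PACS on the named ports.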
Post incident care continuity
The difference between a well managed incident and a healthcare crisis lies in the preparation to operate without systems. This layer, specific to the sector, is not covered by generic technical controls.
Each clinical service must have downtime procedures documented and known by staff: how to prescribe on paper, how to coordinate the laboratory without a system, how to manage admissions manually, how to notify families and patients. These procedures must be updated when clinical organisation changes, not filed away never to be consulted.
Communication with patients and the public during a public incident is part of the plan. Messages pre approved by management and legal counsel, enabled channels, coordination with the regional health department and the communications office. Improvising communication during a crisis amplifies reputational damage.
At the institutional level, coordination with the regional health department, the Ministry of Health, the competent CSIRT and the AEPD must be defined with operational contact details, not generic ones. The 24 hour NIS2 notification and the 72 hour update require structured information that cannot be gathered from scratch on the day of the incident.
Frequently asked questions
Is a small hospital or SME clinic required to comply with NIS2?
It depends on the thresholds. NIS2 generally applies to entities with 50 or more employees or annual turnover above 10 million euros within the sectors listed in the annexes. Medium and large hospitals, multi-site clinics and large private laboratories typically qualify as essential entities. A small standalone SME clinic may fall outside the direct scope, but usually ends up inside through the contractual route when it works for an obligated entity or for the public administration.
How is IoMT cybersecurity assessed?
Through passive network discovery, platforms specialised in medical device visibility, inventory cross checked with the biomedical engineering team and documentary review of firmware with the vendor. Intrusive active scanning is discouraged on clinical devices in production because it may cause equipment malfunction.
Can the ransom be paid in a healthcare ransomware incident?
The official recommendation from INCIBE-CERT, Europol and most authorities is not to pay. Payment does not guarantee recovery, finances criminal operations and exposes the entity to sanctions if the recipient is on international sanctions lists. When care pressure reaches the limit, the decision escalates to management and legal counsel, but the response plan should never be built assuming payment is a valid option.
What about data exfiltrated before encryption?
Exfiltration prior to encryption turns the incident into a double breach: service unavailability and personal data security violation. This simultaneously triggers NIS2 notification obligations to the CSIRT and GDPR obligations to the AEPD and, where applicable, to the affected individuals, with different deadlines and content. Coordinated management of both communications is part of the runbook.
Is my healthcare cloud provider subject to NIS2?
Cloud service providers serving essential entities usually fall within scope themselves as important or essential entities depending on their size and service. Regardless of their direct obligation, the hospital has to contractually require measures equivalent to its own (security clauses, audit rights, incident notification, data location and processing) under the umbrella of Article 21(2)(d) on supply chain security.
How do GDPR fines compare with NIS2 fines?
The GDPR provides for fines of up to 20 million euros or 4% of worldwide annual turnover. NIS2 provides for fines of up to 10 million euros or 2% of worldwide annual turnover for essential entities, plus personal liability for management. Both regimes are cumulative when a single incident breaches different obligations, so the impact calculation must consider the sum.
Healthcare cybersecurity with Secra
At Secra we support hospitals, clinics and regional health services in NIS2, GDPR and ENS compliance programmes with sector specific methodology. Healthcare aware audit covering IoMT, PACS and HIS, gap analysis against Article 21 with criteria applicable to clinical environments, segmentation design and operational controls compatible with care activity, threat hunting with healthcare use cases and support in coordinated notification to CSIRT, AEPD and regional authorities.
If you need to assess the state of your organisation or plan your compliance roadmap, contact our team and we will review the right scope with you.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.