“Data is to companies what children are to parents: the most valuable and protected asset.”
This statement, made during a data protection training session in 2023, left a lasting impression. In just a few words, it captures what many attempt to convey through lengthy PowerPoint presentations, whitepapers, or brochures.
In the healthcare sector, one could replace “companies” in the opening statement with “hospitals” or “care facilities.” Some might object that patients deserve more protection than data, and of course they do; but protecting patients today means protecting their data as well. About 20 years ago, the opening statement might still have been dismissed. In the digital world of 2024, however, the perspective has fundamentally changed. Physical break-ins to steal products have become less common, because digital theft is far easier. Blueprints for new products, production plans, confidential strategy documents, internal financial statements, employee names, and customer data, all of which are highly sensitive, can be stolen digitally. The loss of such data may not only cause reputational damage but also constitute a violation of the GDPR, potentially resulting in heavy fines (Article 83(5) GDPR).
Increasing Cyberattacks on Hospitals
Against this backdrop, digitalization in healthcare is both a blessing and a curse. IT systems simplify numerous processes, from patient management and analysis of treatment data to networking medical devices, supporting research, and facilitating information exchange between institutions. However, these very systems also create new vulnerabilities that attackers increasingly exploit.
Many organized cybercriminal groups follow an unwritten “code of conduct” that discourages attacks on hospitals and medical facilities, recognizing that IT failures in these environments can endanger lives. However, not every hacker adheres to this principle. The rising number of cyberattacks on hospitals in recent years confirms this (e.g., University Hospital Düsseldorf 2020, Klinikum Bremen 2023, University Hospital Frankfurt 2023, Krankenhaus Esslingen 2023, Caritas Clinic Dominikus 2024, Bezirkskliniken Ansbach 2024). In nearly every case, affected hospitals had to suspend emergency services, switch to internal (analog) emergency operations, and in some instances, transfer patients to other facilities.
Security Objectives and Cybersecurity Requirements for Hospitals
Beyond the traditional security goals of confidentiality, availability, integrity, and authenticity, healthcare facilities must also comply with GDPR requirements, specifically the assurance objectives of the Standard Data Protection Model (SDM): data minimisation, availability, integrity, confidentiality, unlinkability, transparency, and intervenability.
Additionally, hospitals with more than 30,000 inpatient treatment cases per year are classified as critical infrastructure under the German BSI Act (§2, Section 10; §10, Section 1 BSIG in conjunction with §6, Section 4 BSI-KritisV).
This classification mandates the implementation of adequate organizational and technical measures (OTM) in accordance with §8a BSIG, which must adhere to the “state of the art.” These requirements are further specified through “sector-specific security standards” (B3S), which, for hospitals, are covered in the B3S “Medical Care” framework (current version: 1.2 as of January 10, 2023). This framework explicitly states in Chapter 2 that, due to the heterogeneous system landscape in hospitals, there is no universally recognized “state of the art,” necessitating an individualized approach.
Since May 2023, all critical infrastructure operators are also required to operate attack detection systems (SzA, “Systeme zur Angriffserkennung”), which must continuously and automatically analyse operational data, identify indicators of potential attacks, and support an appropriate response. Further obligations arise from current and upcoming regulations such as the CER Directive, the Cyber Resilience Act (CRA), and the NIS2 Directive, all of which introduce additional compliance and audit requirements.
The Key Question: Make or Buy?
The aforementioned system heterogeneity in hospitals, combined with a historically lower emphasis on IT security compared to industrial companies, is likely one of the main reasons why healthcare facilities are frequent attack targets. In simple terms, hospital IT systems are often so vulnerable and easy to compromise that cybercriminals view them as “low-hanging fruit” despite ethical concerns.
This raises a critical question: Should healthcare facilities tackle this challenge on their own, or are they even capable of doing so? Given the extensive regulatory requirements, the answer in most cases is no. This often leads to the search for an external service provider capable of efficiently implementing IT security measures.
This brings us back to the initial analogy: If data is as valuable to organizations as children are to parents, then outsourcing IT security is akin to entrusting children to daycare. Especially for first-time parents, there are many concerns at the outset. Handing over responsibility to someone else without knowing exactly what happens behind closed doors can be daunting. These concerns must be addressed to ensure peace of mind.
The same applies to IT security providers entrusted with protecting an organization’s data and patient information. To some extent, sovereignty over data integrity and confidentiality is transferred. A quick and easy decision might be to rely on references and brand names, assuming “they know what they’re doing.” In many cases, the cheapest provider wins the contract.
A more thorough—and ultimately more sustainable—approach is to conduct a comprehensive evaluation of different providers, discuss security and monitoring strategies, get to know the vision and people behind the company, and build a foundation of trust. This approach ensures that an organization selects not just a provider but a trusted advisor.
Some initial evaluation criteria for service providers may include:
- Existing partnerships
- Portfolio of products and services
- Economic factors (pricing, contract terms, etc.)
- Compatibility with existing in-house systems
- Previous experience with the provider
- The provider’s own compliance with legal requirements
Additionally, some less obvious but crucial factors should not be overlooked, such as:
- The healthcare facility’s own awareness of IT security: Is it seen as a necessary evil or an essential part of the value chain?
- The provider’s commitment to sustainability and social responsibility
- Potential collaboration on projects beyond regulatory compliance
- The provider’s ability to accommodate custom requirements
Often, these aspects turn out to be more significant than initially assumed. Given the complexity of hospital IT landscapes, a one-size-fits-all security solution is rarely effective, even if it appears to be the cheapest option upfront.
A reliable security provider helps assess the current state, identify gaps, clarify open questions, and address concerns transparently. The provider should introduce key personnel, explain involvement in projects beyond IT security, and offer proof-of-concept evaluations before committing to long-term contracts. Sticking with the daycare analogy: There should be trial days before full enrollment.
Conclusion
The sheer volume of legal and regulatory requirements for IT security has become a major challenge for healthcare institutions. Combined with the increasing frequency of cyberattacks on hospitals—driven by historical underinvestment, limited internal resources, and vulnerable IT landscapes—there is a growing need for external partners to strengthen cyber resilience. Selecting the right provider is therefore crucial.
Given the sensitivity and criticality of healthcare data, as well as the complexity of modern IT infrastructures, organizations should take the time to carefully assess potential partners beyond just economic factors.
Ultimately, the goal is to ensure that organizations can entrust the confidentiality, integrity, and availability of their data without fear.
Or, to return to the initial analogy: A good IT security provider ensures that children can be dropped off at daycare every morning with peace of mind—and picked up safely in the afternoon.
aDvens GmbH is part of the Provider Directory