Efficient Cybersecurity Despite Tight Budgets

Bosch partnered with McKinsey to develop and launch CyberCompare. In an interview with McKinsey, Jannis Stemmann, CEO of CyberCompare, discusses the challenges facing statutory health insurance companies in 2025 and how efficient cybersecurity can be achieved despite tight budgets.

Mr. Stemmann, what is the work of CyberCompare, particularly regarding the healthcare sector?

We assist companies in prioritizing their security measures, creating appropriate tenders, and comparing offers to ensure efficient, cost-effective, and still effective cybersecurity. In the healthcare sector, for example, we collaborate with hospital networks and health insurance companies to design and tender Managed SOCs, or Security Operations Centers. Additionally, we support pharmaceutical companies and medical device manufacturers.

What specific challenges do you see in securing IT systems in healthcare? How do they differ from other industries?

Regulations play a central role in healthcare. Almost all organizations, whether private or public, are regulated by laws such as KRITIS or NIS2. While the regulations differ from other sectors like banking and insurance, the requirements for security levels are similar. Due to public regulation, the procurement processes, participation competitions, and bidding procedures for security solution providers are particularly challenging. The most important solutions are often Managed SOCs, frequently integrated with Operations Technology and medical technology. Other specific challenges include budget restrictions and a lack of qualified personnel. Despite government funding programs, many organizations struggle to find the appropriate budget for cybersecurity. Overall, the similarities between sectors are greater than the differences when it comes to cybersecurity.

What do you see as the biggest difficulties your clients in the healthcare sector face? Why is effective cybersecurity such a significant challenge for hospitals and health insurance companies?

In hospitals, cybersecurity measures must be prioritized over other requirements, which is often difficult. For example, when staff need to ensure healthcare delivery, this can sometimes conflict with security requirements, such as Multi-Factor Authentication or device monitoring. Additionally, outdated IT landscapes and devices often complicate monitoring and thus the responsiveness to incidents. A sector-wide issue is also the lack of qualified personnel. However, there are positive examples: Together with a company health insurance fund, we are currently implementing a Managed SOC, and the staff there are highly qualified.

Are there typical weaknesses in cybersecurity management in the healthcare sector? What are the reasons for this, and what can organizations do about it?

Many institutions have a backlog in digitalization and the implementation of security solutions due to budget cuts. Moreover, it is challenging to find qualified providers with experience in healthcare who offer affordable solutions. Here, we can leverage our experience from over 50 tenders in the industry since our founding four years ago. A positive example is the mentioned hospital network, which collaborated on the tender and found a good compromise between efficient and cost-effective service delivery. At the same time, a very well-qualified service provider was selected. We helped establish the critical criteria for the tenders and implement operational concepts like Co-Managed Security Information and Event Management together with our clients.

What do you think are the priorities for healthcare organizations looking to improve their defenses against cyberattacks? Where should hospitals and health insurance companies start?

I would recommend that both hospitals and health insurance companies tackle the following three steps sequentially. First, they should meet compliance requirements: With KRITIS and NIS2, the security basics are already covered. Unregulated institutions should also orient themselves accordingly. In the second step, worst-case scenarios should be addressed: Organizations should create backups, recovery, and emergency plans, as well as conduct simulations. Finally, third-party risk management must be ensured, which becomes even more relevant in the context of NIS2. The priority here should be to find a highly efficient approach to reviewing service providers so that the effort corresponds to the benefit. However, cyber risks from suppliers do not usually pose the greatest risk to healthcare facilities, so a risk assessment and prioritization are necessary for efficient operations.

Mr. Stemmann, thank you for the conversation.

Source: https://www.mckinsey.de/publikationen/gkv-check-up-2025