Cybersecurity for Healthcare & MedTech

In healthcare, cyber attacks put more than data at risk. Patient safety and data protection are inseparable. We understand the specific challenges of this sector.

Cybersecurity in Healthcare: Patient Safety as the Benchmark

Cyber attacks on hospitals are not abstract IT incidents — they directly threaten patient care. When a ransomware attack brings intensive care units, surgical scheduling, and medication management to a halt, patients are transferred to other hospitals, operations are postponed, and medical decisions are made without digital support. Germany has already seen cases where this situation escalated.

The attack surface in healthcare is structurally large: hospitals operate not only classical IT infrastructure but also medical devices — PACS, imaging, infusion pumps, ventilators — that are increasingly networked and in some cases directly connected to the internet or clinical information systems. Many of these devices run on outdated operating systems, receive no security updates, and cannot simply be replaced. This legacy environment is a structural challenge requiring specific compensating controls.

Healthcare data carries particular protection requirements: patient data is classified as a special category of personal data under GDPR. A data protection breach in healthcare is not merely a compliance matter — it is an ethical obligation to patients who have entrusted the institution with their most sensitive personal information.

Regulatory Requirements for Clinics and Hospitals

Hospitals above a certain bed threshold are classified as KRITIS operators in the health sector and are subject to BSI Act and KRITIS-Dachgesetz requirements. This obligates them to maintain a minimum security standard, implement an ISMS, and report significant security incidents to the BSI. NIS2 classifies hospitals with more than 50 employees or €10 million turnover as essential or important entities.

Implementing these requirements in a clinical environment demands particular sensitivity. Security measures must not impede clinical workflows — two-factor authentication, standard in IT, can represent a genuine hazard in a resuscitation room. We understand these conflicts of objectives and develop security architectures that balance clinical requirements with protection goals.

For hospitals offering modern digital health services or connected to the telematics infrastructure, additional requirements from gematik and SGB V apply. We coordinate all relevant requirements within an integrated documentation structure that withstands both BSI audits and hospital audits.

MedTech Manufacturers: MDR and the Cyber Resilience Act

Manufacturers of medical devices with digital functions face a dual regulatory challenge: the EU Medical Device Regulation (MDR) sets requirements for medical product safety across the entire product lifecycle — including cybersecurity requirements specified in guidance document MDCG 2019-16. Simultaneously, the Cyber Resilience Act (CRA) applies from December 2027 to all products with digital elements, including connected medical devices.

MDR and CRA requirements overlap in substance but differ in terminology and assessment procedures. A connected implant or a diagnostic software product (SaMD) must satisfy both frameworks. We develop compliance programmes that make use of this overlap to minimise duplicated effort while fully satisfying both sets of requirements.

For SaMD (Software as a Medical Device), the boundary between MDR and CRA presents its own challenge: which parts of the software fall under MDR, which under the CRA? How are vulnerability disclosure obligations coordinated when ENISA (CRA) and medical device authorities (MDR) must both be informed? We navigate this regulatory complexity and deliver clear, actionable recommendations.

Our Services

  • ISMS implementation and information security for hospitals
  • KRITIS and NIS2 compliance for healthcare organisations
  • Medical device cybersecurity per MDR/IVDR and MDCG 2019-16
  • CRA compliance for MedTech manufacturers
  • Penetration testing of clinical IT and medical systems
  • Security awareness training for clinical staff

Applicable Regulations

  • NIS2 / BSI KRITIS
  • MDR / IVDR
  • Cyber Resilience Act
  • GDPR / BDSG
  • MDCG 2019-16

Industry-Specific Consulting

Talk to our experts about your specific requirements and regulatory obligations.

Request Consulting

Get in touch

Ready to address your industry-specific security requirements?

Talk to us about your security requirements: concrete, without obligation, and on an equal footing.