Hard2bit
← Back to the cybersecurity blog

Cybersecurity in healthcare: ransomware, NIS2 and how to protect a hospital group in 2026

By Adrián González · CEO · Published: 08 July 2026 · Updated: 08 July 2026
Ciberseguridad en el sector sanitario

Healthcare has become the favourite target of ransomware in Europe. According to ENISA's health-sector threat landscape, this family of attacks makes up more than half of the incidents analysed, and hospitals bear the worst of it. It is no accident: a stalled operating theatre, an encrypted patient record or an A&E department without systems is pressure few boards can withstand for more than a few hours.

On top of that comes a change of framework: under the NIS2 directive, most European healthcare organisations are essential entities, with concrete obligations on risk management, incident reporting and board accountability. This article brings together what the data says, what the law demands and how a hospital group is protected in practice without disrupting care.

At a glance

  • The threat: ransomware accounts for more than half of the health sector's cyber-threats according to ENISA, and hospitals are the hardest hit.
  • The harm: it is not measured in euros alone; attacks delay tests and procedures and have been linked to worse clinical outcomes.
  • The law: healthcare is an essential entity under NIS2, with fines of up to 10 million euros or 2% of worldwide turnover and direct board accountability.
  • The surface: identity, connected medical devices (IoMT), suppliers and legacy systems widen the ground to defend.
  • The priority: hardened identity, round-the-clock detection, immutable backups and a tested continuity plan, in that order.

Why is healthcare ransomware's favourite target?

The short answer is that healthcare combines high value with low tolerance for downtime. Clinical data is a special category and highly monetisable; at the same time, care pressure means every hour of interruption carries a human cost, not only a financial one, which makes hospitals more likely to pay.

ENISA's data bears this out: in its sector analysis, healthcare providers — hospitals first — were the most affected, and the most common consequences were data breach or theft and disruption of care. The ENISA Threat Landscape 2025 keeps ransomware among the dominant threats across Europe, with no sign that the pressure is easing.

The real cost is not measured in euros alone

The commonest mistake when valuing a healthcare incident is reducing it to the recovery bill. The consequence that defines this sector is different: the impact on patient safety. A study reported by Help Net Security found that 72% of surveyed organisations suffered at least one incident that disrupted patient care, with delays to tests and procedures linked to poorer clinical outcomes.

Operational downtime adds a second layer. US figures serve as a scale reference — each day of ransomware downtime is estimated at around 1.9 million dollars for a healthcare organisation — and although the amounts vary by country, the pattern is universal: in healthcare, recovery time is as critical as recovery itself. That is why business continuity and recovery stop being an appendix to the plan and become its core.

Where is the attack surface in a hospital group?

A healthcare group does not defend one network but several overlapping ones: clinical office IT, hospital information systems, biomedical technology and the supplier chain that holds it all up. Each layer has its own weak point.

Typical attack surface in a healthcare group
LayerDominant riskPriority control
Identity and emailPhishing and credential theft as the way in for ransomwarePhishing-resistant MFA and Microsoft 365 protection
Medical devices (IoMT)Connected equipment with known vulnerabilities that cannot be patched liveNetwork segmentation and OT-style monitoring
Suppliers and supply chainOne compromised supplier dragging in dozens of sitesThird-party risk management
Legacy systemsOld clinical applications impossible to updateIsolation, hardening and compensating controls

Own analysis based on the incident patterns described by ENISA and sector research, 2025-2026.

The fastest-growing layer is connected medical devices. Sector estimates point to more than seven million IoMT devices in smart hospitals by 2026, and many of them carry known vulnerabilities that cannot always be fixed without stopping the equipment (medical device analysis). Treating them as what they are — operational technology — and protecting them with OT security logic is more realistic than trying to patch them like a laptop.

What does NIS2 demand of healthcare entities?

The NIS2 directive places healthcare among the high-criticality sectors of its Annex I. In practice, most healthcare providers above the size threshold are classified as essential entities, the tier subject to the greatest requirements and oversight.

That translates into three obligations worth keeping distinct. First, proportionate risk-management measures (Article 21): access control, vulnerability management, supply-chain security, encryption and continuity plans. Second, reporting of significant incidents (Article 23) within staggered deadlines, starting with an early warning. Third, board accountability: management bodies must approve and supervise the measures and may be held liable for failures.

The incentive is tangible. For essential entities, NIS2 sets maximum fines of at least 10 million euros or 2% of worldwide annual turnover, whichever is higher (directive text). In Spain, transposition is still under way in mid-2026 — the draft bill was approved by the Council of Ministers in January 2025 and the European deadline fell in October 2024 — so the obligations are already on the table even as the national detail is finalised (European Commission tracker). Preparing your NIS2 alignment now is the prudent choice.

How to protect a healthcare group: the real priorities

With limited budget and staff, order matters more than the list. These are the priorities that move the needle:

  • Harden identity. Most ransomware attacks start with a stolen credential or a phishing email. Phishing-resistant MFA and proper Microsoft 365 protection shut the most-used door.
  • Detect in real time, around the clock. Ransomware does not rest at weekends or on night shifts. A managed SOC with managed detection and response (MDR) shortens the gap between intrusion and containment, which is where an incident is won or lost.
  • Immutable, tested backups. Isolated, immutable backups verified with real restore drills are the difference between recovering in hours and negotiating a ransom.
  • Prioritise vulnerabilities by exposure. A vulnerability management practice that ranks by real risk — what is exposed and what is being exploited — beats chasing every CVE equally.
  • Control your third parties. Much of the risk arrives through suppliers. Third-party risk management keeps a supplier's failure from becoming yours.
  • Rehearse the response. An incident response plan proven through drills turns chaos into procedure on the day it counts.

What we see in practice

In the healthcare groups we work with, the leap in maturity rarely comes from buying more tools. It comes when someone watches the telemetry continuously and knows what to do in the first few minutes. In our managed SOC for a healthcare group, the difference was not one particular technology but the combination of round-the-clock detection, rehearsed procedures and backups that genuinely restored. That is the recurring pattern: healthcare resilience is a matter of disciplined operations more than of a product catalogue.

The heart of it

Healthcare is not a ransomware target by chance but by design: high value, low tolerance for downtime and a surface that keeps growing. NIS2 puts a name and consequences to that exposure, but real protection is not proven with a certificate — it is proven by how fast a group detects, contains and recovers. The useful question for any healthcare board is not whether it will face an attempt, but how many minutes it would take today to notice.

Frequently asked questions

Why is healthcare a priority target for ransomware?

Because it combines high-value data (special-category patient records) with minimal tolerance for interruption: every hour of downtime has clinical consequences, not just financial ones. That pressure makes hospitals more likely to pay, which is why they account for much of the attack volume according to ENISA.

What does ENISA say about threats in the health sector?

In its health-sector threat landscape, ENISA puts ransomware at more than half of the incidents analysed, with healthcare providers — hospitals above all — the most affected. The most frequent consequences are data breach or theft and disruption of care. The ENISA Threat Landscape 2025 keeps ransomware among the dominant threats across Europe.

Is healthcare an essential entity under NIS2?

Yes. The NIS2 directive includes healthcare among the high-criticality sectors of its Annex I. Most healthcare providers above the size threshold are classified as essential entities, the tier subject to the greatest requirements and oversight.

What fines does NIS2 set for an essential healthcare entity?

For essential entities, NIS2 sets maximum fines of at least 10 million euros or 2% of worldwide annual turnover, whichever is higher. In addition, management bodies must approve and supervise the risk-management measures and may be held liable for failures.

Has NIS2 been transposed in Spain?

As of mid-2026, Spanish transposition is still under way. The draft bill was approved by the Council of Ministers in January 2025 and the European deadline fell in October 2024. The directive's obligations are already defined, so preparing your alignment now is prudent even as the national detail is finalised.

Which controls should a resource-constrained hospital group prioritise?

In this order: hardened identity with phishing-resistant MFA, round-the-clock detection and response through a managed SOC, immutable backups verified with real restore drills, vulnerability management prioritised by exposure and a rehearsed incident response plan. Adding third-party risk management closes the supplier route in.

How are connected medical devices (IoMT) protected?

Medical devices often carry known vulnerabilities that cannot always be patched without stopping the equipment. The realistic strategy is to treat them as operational technology: segment the network to isolate them, monitor their behaviour with OT logic and compensate at the network level for what cannot be fixed on the device itself.

What role does third-party risk play in healthcare?

A central one. Much of the sector's incidents arrive through suppliers — clinical system hosting, billing processors, equipment maintenance — and the compromise of a single one can drag in dozens of sites. Third-party risk management keeps a supplier's failure from becoming the whole organisation's.