Healthcare has become the favourite target of ransomware in Europe. According to ENISA's health-sector threat landscape, this family of attacks makes up more than half of the incidents analysed, and hospitals bear the worst of it. It is no accident: a stalled operating theatre, an encrypted patient record or an A&E department without systems is pressure few boards can withstand for more than a few hours.
On top of that comes a change of framework: under the NIS2 directive, most European healthcare organisations are essential entities, with concrete obligations on risk management, incident reporting and board accountability. This article brings together what the data says, what the law demands and how a hospital group is protected in practice without disrupting care.
At a glance
- The threat: ransomware accounts for more than half of the health sector's cyber-threats according to ENISA, and hospitals are the hardest hit.
- The harm: it is not measured in euros alone; attacks delay tests and procedures and have been linked to worse clinical outcomes.
- The law: healthcare is an essential entity under NIS2, with fines of up to 10 million euros or 2% of worldwide turnover and direct board accountability.
- The surface: identity, connected medical devices (IoMT), suppliers and legacy systems widen the ground to defend.
- The priority: hardened identity, round-the-clock detection, immutable backups and a tested continuity plan, in that order.
Why is healthcare ransomware's favourite target?
The short answer is that healthcare combines high value with low tolerance for downtime. Clinical data is a special category and highly monetisable; at the same time, care pressure means every hour of interruption carries a human cost, not only a financial one, which makes hospitals more likely to pay.
ENISA's data bears this out: in its sector analysis, healthcare providers — hospitals first — were the most affected, and the most common consequences were data breach or theft and disruption of care. The ENISA Threat Landscape 2025 keeps ransomware among the dominant threats across Europe, with no sign that the pressure is easing.
The real cost is not measured in euros alone
The commonest mistake when valuing a healthcare incident is reducing it to the recovery bill. The consequence that defines this sector is different: the impact on patient safety. A study reported by Help Net Security found that 72% of surveyed organisations suffered at least one incident that disrupted patient care, with delays to tests and procedures linked to poorer clinical outcomes.
Operational downtime adds a second layer. US figures serve as a scale reference — each day of ransomware downtime is estimated at around 1.9 million dollars for a healthcare organisation — and although the amounts vary by country, the pattern is universal: in healthcare, recovery time is as critical as recovery itself. That is why business continuity and recovery stop being an appendix to the plan and become its core.
Where is the attack surface in a hospital group?
A healthcare group does not defend one network but several overlapping ones: clinical office IT, hospital information systems, biomedical technology and the supplier chain that holds it all up. Each layer has its own weak point.
| Layer | Dominant risk | Priority control |
|---|---|---|
| Identity and email | Phishing and credential theft as the way in for ransomware | Phishing-resistant MFA and Microsoft 365 protection |
| Medical devices (IoMT) | Connected equipment with known vulnerabilities that cannot be patched live | Network segmentation and OT-style monitoring |
| Suppliers and supply chain | One compromised supplier dragging in dozens of sites | Third-party risk management |
| Legacy systems | Old clinical applications impossible to update | Isolation, hardening and compensating controls |
Own analysis based on the incident patterns described by ENISA and sector research, 2025-2026.
The fastest-growing layer is connected medical devices. Sector estimates point to more than seven million IoMT devices in smart hospitals by 2026, and many of them carry known vulnerabilities that cannot always be fixed without stopping the equipment (medical device analysis). Treating them as what they are — operational technology — and protecting them with OT security logic is more realistic than trying to patch them like a laptop.
What does NIS2 demand of healthcare entities?
The NIS2 directive places healthcare among the high-criticality sectors of its Annex I. In practice, most healthcare providers above the size threshold are classified as essential entities, the tier subject to the greatest requirements and oversight.
That translates into three obligations worth keeping distinct. First, proportionate risk-management measures (Article 21): access control, vulnerability management, supply-chain security, encryption and continuity plans. Second, reporting of significant incidents (Article 23) within staggered deadlines, starting with an early warning. Third, board accountability: management bodies must approve and supervise the measures and may be held liable for failures.
The incentive is tangible. For essential entities, NIS2 sets maximum fines of at least 10 million euros or 2% of worldwide annual turnover, whichever is higher (directive text). In Spain, transposition is still under way in mid-2026 — the draft bill was approved by the Council of Ministers in January 2025 and the European deadline fell in October 2024 — so the obligations are already on the table even as the national detail is finalised (European Commission tracker). Preparing your NIS2 alignment now is the prudent choice.
How to protect a healthcare group: the real priorities
With limited budget and staff, order matters more than the list. These are the priorities that move the needle:
- Harden identity. Most ransomware attacks start with a stolen credential or a phishing email. Phishing-resistant MFA and proper Microsoft 365 protection shut the most-used door.
- Detect in real time, around the clock. Ransomware does not rest at weekends or on night shifts. A managed SOC with managed detection and response (MDR) shortens the gap between intrusion and containment, which is where an incident is won or lost.
- Immutable, tested backups. Isolated, immutable backups verified with real restore drills are the difference between recovering in hours and negotiating a ransom.
- Prioritise vulnerabilities by exposure. A vulnerability management practice that ranks by real risk — what is exposed and what is being exploited — beats chasing every CVE equally.
- Control your third parties. Much of the risk arrives through suppliers. Third-party risk management keeps a supplier's failure from becoming yours.
- Rehearse the response. An incident response plan proven through drills turns chaos into procedure on the day it counts.
What we see in practice
In the healthcare groups we work with, the leap in maturity rarely comes from buying more tools. It comes when someone watches the telemetry continuously and knows what to do in the first few minutes. In our managed SOC for a healthcare group, the difference was not one particular technology but the combination of round-the-clock detection, rehearsed procedures and backups that genuinely restored. That is the recurring pattern: healthcare resilience is a matter of disciplined operations more than of a product catalogue.
The heart of it
Healthcare is not a ransomware target by chance but by design: high value, low tolerance for downtime and a surface that keeps growing. NIS2 puts a name and consequences to that exposure, but real protection is not proven with a certificate — it is proven by how fast a group detects, contains and recovers. The useful question for any healthcare board is not whether it will face an attempt, but how many minutes it would take today to notice.