The Healthcare Sector in the Crosshairs of Cyberattacks

How secure are hospitals in the digital age?

June 23, 2026

A typical day at the hospital that, at first glance, seems completely routine: Medical devices are networked, patient data is available in real time, and treatments are supported digitally.
But during an ongoing treatment, the IT security system detects unusual activity on the network. A networked medical device becomes the starting point for an attempted attack. The goal is to gain access to other systems in the hospital.
The security mechanisms kick in immediately. The affected device is isolated, suspicious connections are severed, and the analysis of the incident begins automatically. Day-to-day operations remain unaffected for the time being.
It is at moments like this that a hospital’s true resilience is put to the test. After all, the crucial question is not whether an attack is detected, but how well a hospital is prepared for it when it actually happens.
Barbara Groll speaks with Andreas Mangerich of Microsoft Germany about current threats to hospitals and clinics, the security of medical technology, the use of artificial intelligence in cyber defense, and the question of how healthcare can remain resilient in the future.

How realistic is such an attack scenario?

Andreas Mangerich: In recent years, the healthcare sector has found itself in a dual role. On the one hand, it is rapidly digitizing. Key terms here include electronic health records, telematics infrastructure, and AI-supported diagnostics. On the other hand, it is a critical infrastructure on which human lives depend. It is precisely this combination that makes hospitals, medical practices, and health insurers a highly attractive target for attackers.
Patient data is among the most valuable data sets on criminal marketplaces because, unlike a credit card, it cannot simply be reset. Added to this is the geopolitical situation. Since 2022, we have observed a significant increase in state-tolerated or even state-directed attacks on European healthcare infrastructure.
On the other hand, this threat is facing an industry that has suffered from a decades-long backlog of IT investment, a high degree of heterogeneity in the systems used, and a severe shortage of skilled workers. Regulatory pressure is also mounting, for example through the NIS 2 Directive or industry-specific security standards such as B3S.
In short: The attack surface is currently growing faster than defensive capabilities. At the same time, a system failure in the healthcare sector has different consequences than in most other industries.

Are hospitals, then, a particular target for attacks?

Andreas Mangerich: Yes, quite clearly. The situation report from the BSI—the Federal Office for Information Security—as well as the Digital Defense Report published by Microsoft have shown a disproportionate increase in incidents in the hospital sector for years. This is particularly true for ransomware attacks.
Ransomware is a form of malware. It is often referred to as an encryption Trojan. It encrypts a user’s data and only releases it after a payment or ransom has been made. Only then do the victims receive the key to regain access to their data.

There have also been several incidents reported in the media recently.

Andreas Mangerich: Ransomware is now virtually omnipresent. From an economic perspective, the reason for this is very straightforward. Attackers count on victims being willing to pay a high ransom because a hospital cannot afford to shut down. Every hour of downtime means canceled surgeries, diverted emergency room patients, and thus very real risks for patients.

Many hospitals still operate with outdated systems and infrastructure. What risks does this pose?

Andreas Mangerich: This is one of the most underestimated problems in everyday hospital operations. Medical devices typically have a lifecycle of 15 to 20 years. When we look at traditional IT systems, however, we’re generally talking about three to five years. In practice, this means that in many facilities, an MRI, a CT scanner, or even a laboratory device is still running on operating systems for which security updates have not been available for years. As a result, it’s often impossible to patch or fix security vulnerabilities. At the same time, any change to the configuration could potentially jeopardize approval under medical device regulations.

"Cybersecurity must be considered just as much a given in hospitals as hygiene."

Andreas Mangerich, Solution Specialist for Security, Compliance & Identity, Microsoft Germany

Is that why you mentioned the regulatory requirements earlier?

Andreas Mangerich: This is a regulatory conflict of objectives that plays right into the hands of attackers.
Added to this are proprietary protocols without encryption, hard-coded passwords, or simply a lack of separation between the medical network and the administrative network. If there is even a single compromised device in such a network, it can become a foothold for compromising other systems and, in the worst case, the entire network.

Hospitals, in particular, must operate around the clock. How is it even possible to maintain an effective level of security under these conditions?

Andreas Mangerich: Ultimately, we must stop viewing security as a one-off project and instead integrate it into operations as an ongoing task. If shutting down the system isn’t an option, compensatory measures must be put in place. These include consistent network segmentation, so that a vulnerable device doesn’t immediately endanger the entire facility, as well as continuous monitoring by a SOC—a Security Operations Center—that detects anomalies in real time. Equally important is a risk-based patching approach in which maintenance windows are coordinated with clinical workflows.

So, by “patch,” you mean that new updates and upgrades are constantly being released?

Andreas Mangerich: Exactly. Ultimately, the key principle is resilience—that is, the ability to withstand an attack rather than merely trying to prevent it.
This includes proven emergency plans, regular tabletop exercises with hospital management, and immutable backups stored separately. Security must not become an issue only after an incident has occurred. Rather, it must be firmly integrated into everyday clinical practice, much like hygiene standards.
It is crucial that this effort is supported by hospital management. Otherwise, it remains the responsibility of the IT department, which is often already structurally overburdened.

Has this awareness taken hold in hospitals yet, or is there still a lot of persuasion needed?

Andreas Mangerich: It varies greatly. I have clients where this awareness has already taken hold. There, at least the IT leadership is pursuing these approaches—or wants to pursue them. Often, however, such changes are held back by existing structures or even by the teams themselves.
This quickly brings us to issues such as the shortage of skilled workers, how long employees have been with the company, and the extent to which the company invests in their continuing education. Are employees continuously kept up to date, or have they been working with the same technologies they’re already familiar with for ten or fifteen years?
This brings us to the topic of adoption and change management. Am I willing to be open to new approaches? Anything new usually triggers a backlash at first.

What components does a secure IT architecture in a hospital require—especially with limited resources?

Andreas Mangerich: First and foremost, I need a complete inventory of all assets, including medical technology and OT—Operational Technology. Because at the end of the day, the bottom line is: I can only protect what I know.
Another important point is the issue of identity. This is actually no longer a trend, but has been a central requirement for years. Identity must now be understood as a new perimeter. Multi-factor authentication, privileged access management, and the principle of least privilege are no longer negotiable today. The assumption that a username and password are sufficient is long outdated.
Third, we need consistent segmentation based on zero-trust principles, so that no device and no user is implicitly considered trustworthy.
Ultimately, it’s usually about the data. That’s why I need a robust backup and recovery strategy with immutable copies or a reliable data rollback capability. This remains the most effective safeguard against ransomware.
In addition, we need 24/7 detection and response to security incidents. Realistically, smaller organizations can often only achieve this through collaborative or managed models, such as external service providers, municipal SOC consortia, or sector-wide partnerships.
Another important point concerns the human factor. This involves consistent awareness training for everyone involved—and that means everyone: administrators, managers, and board members alike. Even today, a significant portion of all incidents still begins with a classic phishing attack.
Finally, we need cloud-enabled and standardized architectures. This relieves smaller institutions in particular of the burden of requiring specialized knowledge and allows them to use security as a scalable service. Those working with limited resources benefit from standardization, automation, and collaboration—not from siloed solutions they may have relied on for years.

How can medical information be transmitted securely while also ensuring it is reliably available?

Andreas Mangerich: That is precisely the crux of the matter in digital healthcare, because confidentiality and availability are equally vital here.
Technically, this starts with end-to-end encryption, both during data transmission and at rest. Added to this is a fine-grained access control model that makes information visible only where it is actually needed clinically. Availability, in turn, is achieved through redundant, geographically dispersed architectures as well as clearly defined recovery times, which must be tested regularly.
Ultimately, however, proper data classification is also essential. Not all information is equally critical, but everyone must understand its protection requirements.

What role will artificial intelligence play in the future in protecting hospitals from cyberattacks?

Andreas Mangerich: Especially in cyber defense, artificial intelligence will fundamentally change the landscape in the coming years—on both sides.
On the defensive side, it enables something that human analysts simply can no longer accomplish at this speed today. This includes correlating billions of signals generated worldwide every day, detecting the subtlest behavioral anomalies, and automatically containing attacks within seconds rather than hours.
This becomes a critical factor, especially in a hospital, where every minute counts. AI also helps relieve the burden on smaller facilities by automating routine tasks in the SOC. This allows scarce and highly qualified staff to focus on cases that actually require human judgment. At the same time, we must be realistic. Attackers use the same tools, for example, for highly personalized phishing attacks or to automatically search for vulnerabilities. In recent weeks, there has been a lot of coverage of a new AI model from the company Anthropic called Mythos. It can independently and quite impressively detect critical security vulnerabilities. Such systems are already demonstrating just how powerful AI can be in this regard. There is a lot happening in this field right now.
This will further accelerate the race rather than slow it down. Therefore, the “human-in-the-loop” principle remains crucial—that is, AI as an enhancer rather than a substitute for responsibility.
Ultimately, transparency and governance are needed to ensure that decisions made by AI systems remain traceable in such a sensitive environment.

What might a hospital look like in 2035? Especially if security is truly built in from the very beginning.

Andreas Mangerich: In a hospital of the year 2035 that has consistently internalized security, cybersecurity may even have become invisible because it has been built in everywhere from the very beginning.
In such a perfect world, every medical device would have a so-called Software Bill of Materials (SBOM). This is essentially a digital package insert that documents the software components used throughout the entire lifecycle. At the same time, systems can be updated without jeopardizing the devices’ regulatory approval. The infrastructure is software-defined and segmented. It consistently follows the so-called zero-trust principles. This means that every request is explicitly verified, regardless of where it comes from.
An AI-powered defense system operates in the background. It detects attacks in real time and isolates affected areas before clinical processes can be compromised.
Patient data flows in a controlled manner between the various sectors—for example, between hospitals, doctors’ offices, research institutions, and in exchanges with payers. This is based on European data sovereignty.

If I understand you correctly, there are risks, but the industry is aware of the challenges and is continuously working on improvements.

Andreas Mangerich: These risks exist everywhere. They are present in the private sphere just as much as in the business context. Of course, the unique characteristics of the healthcare sector that we’ve already discussed also come into play.
At the same time, however, I see that those in charge are doing their best to address these challenges. In my view, it is crucial that this commitment be actively supported. Healthcare facilities must receive the necessary resources, just like any other business.
Above all, cybersecurity must become a top priority. It falls within the purview of hospital management and must be given prominent attention there.
I know this still sounds like a very ambitious vision today. But when we reach the point where security is no longer a project but becomes an inherent feature of the system—just as hygiene is today—then we will have already come a long way.

The interview was conducted by Barbara Groll, Media Relations, Bayern Innovativ GmbH, Nuremberg

Listen to the full interview as a podcast:

Audio file length: 00:19:08 (hh:mm:ss)
