Cybersecurity in hospitals needs to be a management task

Hospitals have become one of the most vulnerable targets for cybercrime – while at the same time regulatory pressure on management is increased by the EU’s NIS2 directive. Managing boards that still treat cybersecurity as an IT issue are exposing hospitals to operational shutdown, legal liability, and reputational damage.

For hospitals in the EU, cybersecurity has become a legal obligation. The EU’s NIS2 (revised Network and Information Security Directive) came into force in October 2024, establishing a regulatory framework that healthcare leaders must follow.

Under NIS2, the management boards of hospitals and other essential entities are directly and personally responsible for the level of cybersecurity compliance. And, as a consequence, for any failures as well. Hospital CEOs can no longer delegate this responsibility entirely to specialist staff, as NIS2 requires management bodies to approve cybersecurity measures, oversee their implementation, and demonstrate accountability.

Failure to comply can lead to hefty financial penalties both for the hospital as an organization and individual members of management. In the worst case, executives can even be banned from exercising their management functions.

A cyberattack on a hospital is not an abstract IT incident. By rendering data inaccessible and devices unusable, it has direct consequences for patients and clinical operations. Ultimately, this can lead to poorer patient outcomes and increased complications.

The cost is not only patient well-being but will also show itself in the balance sheet: the average financial disruption caused by cyberattacks in US healthcare reached 1.47 million US dollars in 2024. One in four organizations required more than a month to recover from a ransomware attack.

The most severe damage is loss of reputation and erosion of patient trust if hospital operation is limited or temporarily terminated after a cybersecurity incident.

Hospital cybersecurity fails when technology, processes, and staff are not aligned.

On the technical side, hospitals need layered defenses – from network segmentation and access controls to monitoring systems that detect threats in real time. Medical and IoMT devices, electronic health records, or patient-owned devices brought into the hospital all represent entry points that must be managed systematically and diligently.

Secure processes are critical. This includes documented incident response plans, regular security audits, and clearly defined roles and responsibilities in the event of a breach. Despite this, only 37% of hospitals currently conduct annual cybersecurity incident response exercises, and just 50% of healthcare organizations perform regular cybersecurity audits.

But it’s not all about technology: the human factor is important, too. According to the 2025 Ponemon Institute report, 35% of healthcare organizations identify ‘employees not following policies as the leading cause of data loss or exfiltration incidents’. Because of this, hospital leadership needs to integrate awareness training, clear communication, and a security-conscious culture into their organization to increase resilience.

Hospital leaders need to approach cybersecurity as a strategic management issue rather than a technical afterthought. This can strengthen their position to protect their institution, patients, and ultimately themselves, too.

First, hospitals need to identify where their biggest vulnerabilities are by performing a formal gap analysis. From there, each hospital should invest where its operational risk is highest.

Also, hospitals need to assign clear executive ownership for cybersecurity. This means designating a person responsible for cybersecurity, establishing clear reporting lines to the board, and ensuring that cybersecurity is a standing item on the management agenda, not only after an incident has already occurred.