NIS2 in healthcare: Awareness also needed for smaller facilities
The NIS2 Implementation Act is bringing movement to hospital IT. Experts explain why this is the right step and how executives can benefit.
(Image: venusvi / Shutterstock.com)
The NIS 2 Implementation Act has been in force since December 2025 and makes managing directors of hospitals, medical supply centers (Medizinische Versorgungszentren, MVZs), and other healthcare facilities personally liable for cybersecurity. But how is this to succeed in a sector characterized by outdated medical technology and tight budgets?
heise online spoke with legal experts Dennis-Kenji Kipker and Tilmann Dittrich, who recently published a NIS2 guide for executives in healthcare, about the changes and whether the law is more than just a paper tiger.
With the NIS 2 Implementation Act, management is personally liable for IT security incidents. Does this make the clinic director legally responsible for patient damages, similar to a doctor in case of malpractice?
Tilmann Dittrich: If you take it strictly, the liability of management is not new, but a clarification. A managing director or board member has always been liable for the organization of the company under the GmbH Act (GmbHG) or Stock Corporation Act (AktG). However, the new law now explicitly highlights this responsibility for cybersecurity and links it to a training obligation. For many CISOs and IT managers, this is a blessing. They tell us: Finally, we have a legal argument to get budgets and the necessary attention from management.
(Image: Dittrich)
A constant topic in the industry: Who is responsible if a doctor cannot issue an e-prescription or access the electronic patient record (ePA) due to a failure of the telematics infrastructure (TI)?
Dittrich: That's a difficult point. The TI was removed from the BSIG (Act on the Federal Office for Information Security and on the Security of Information Technology of Facilities) because it is regulated sector-specifically in the Social Code Book V. However, this does not mean that it is not a critical infrastructure. The responsibilities are complexly divided between Gematik, the software manufacturers, and the doctor or hospital as the user. If the TI is disrupted from the outside, it is difficult to blame the hospital. But the challenge remains: If the electronic patient record is to be a reliable tool, but I am exposed to external disruptions, I always need redundancy.
Dennis-Kenji Kipker: This is a classic diffusion of responsibility that we see in all complex supply chains. This is not a Gematik-specific problem. However, we must abandon the notion that there is one hundred percent security. It is good that we are discussing security in Germany and have not rushed into rapid digitalization like Great Britain. There, the National Health Service (NHS) reported the first confirmed death in Europe due to a cyberattack in 2024: An attack on a pathology service provider led to delays in blood test results, which proved fatal for one patient. This shows where a hasty approach without a robust security foundation can lead.
(Image: CII)
Doesn't the mix of strict BSIG and old SGB V rules lead to a compliance nightmare rather than more security in clinics?
Dittrich: Yes, this double regulation, for example for clinic MVZs, is a problem. On the one hand, there are the strict BSIG requirements, and on the other, the KBV guideline, which is easier to implement but procedurally weaker. This creates uncertainty and additional effort. Ideally, there would be a clear regulation that avoids such overlaps.
How should a clinic management decide if they have the budget for a new firewall or a new MRI machine? Both save lives, but only IT faces personal liability.
Dittrich: That is precisely the entrepreneurial risk decision that must be made and documented. You can no longer say you don't care. If something happens, this exact assessment will be examined – by the BSI, by a public prosecutor's office, or in a civil lawsuit. The argument "We can't afford it" is not a justification for lower patient safety.
Is NIS-2 regulating the wrong target if the biggest risk for clinics often lies with small, unregulated software suppliers?
Kipker: One hundred percent supply chain security is an illusion. However, regulations like the Cyber Resilience Act or specific requirements for digital resilience in medical device law are a first step. If we manage to ensure that an insulin pump is no longer attackable with a standard password from the online user manual, we have gained a lot. Industry associations must also develop standards for securing supply chains, as this is increasingly becoming a contractual requirement.
In many hospitals, there are old but expensive medical devices for which there are no more security updates. Who is liable if an attacker gains access to the network through them?
Kipker: In case of damage, no one cares whether the device was old or the manufacturer no longer provides updates. The hospital is obliged to ensure security according to the state of the art. If they operate outdated "legacy IT," they must manage the risk, for example, by isolating the device from the network.
Dittrich: If a clinic chooses a provider that offers no patches or only short-term support, that is an entrepreneurial risk decision. But then perhaps a mistake was made during procurement.
There are also questions about the new Paragraph 17 of the Medical Device Operator Ordinance, which now requires operators to regularly check their software. Both clinics and manufacturers seem uncertain about what this means in practice. What is the effect of the change?
Kipker: Uncertainty arises because § 17 does not specify a fixed test catalog. However, an "appropriate" test carried out according to the "recognized rules of technology" means acting risk-based and comprehensibly. These are requirements that we have generally known in IT security law for many years. In this specific case, it means carrying out a risk assessment regarding the relevant factors, for example, the degree of networking, whether remote maintenance is carried out, what the threat situation is, and whether the care pathway is particularly critical.
If the clinic's CISO warns and management does not act for cost reasons – who is liable in case of damage?
Dittrich: Management. If the CISO points out a clear risk, management must make a documented decision. They cannot shift responsibility.
Does the obligation to report to the BSI 24 hours a day hinder actual crisis management?
Dittrich: The reporting pressure is high, no question. This requires excellent internal information processes. In an emergency, it must be clear who passes on what information to whom and when. This diverts resources, but it is now a legal obligation and part of professional crisis management. The report is made via the new central BSI portal, which is operated jointly with the Federal Office for Civil Protection and Disaster Assistance.
What happens if this portal itself becomes the target of an attack or fails?
Kipker: At least as far as factual accessibility is concerned, fallback solutions are provided for such exceptional situations, for example, transmission by email or telephone. To what extent this procedure is sensible and can be maintained over a longer period is another matter, because media breaks increase the risks of misinformation, misunderstandings, data not being transmitted, and longer reaction times.
Can the BSI even cope with this flood of information?
Kipker: That is the crucial question. We are talking about potentially 30,000 affected facilities in total. If even a fraction of them report, the BSI faces a huge challenge. The concern is that the portal will become a mere data graveyard, where reports are received but cannot be analyzed and correlated in a timely manner due to a lack of personnel and expertise. The danger of a single point of failure is real – not only due to technical attacks, but also due to simple overload. A central portal is only as strong as the authority behind it.
Are the crisis teams for physical security and cybersecurity in clinics separate silos that do not cooperate in an emergency?
Kipker: Yes, unfortunately, that is often still the case. Many hospitals have a hospital alarm and emergency plan (KAEP) for physical disasters, but cyber risks are typically not integrated. We urgently need to move away from this silo mentality because hybrid attacks – such as a fire in the server room combined with a DDoS attack – are the new reality. They lead to precisely those dangerous cascading effects that can jeopardize security of supply.
Is the law unrealistic for small MVZs and ambulance services without an IT department?
Dittrich: The challenge is huge, that's clear. But even small practices are part of the critical care chain. What we urgently need are support services and awareness campaigns for these smaller service providers, who are often completely unprotected, as is repeatedly seen during power outages.
If a clinic could only afford one major measure now, what would be your most urgent advice?
Kipker: Clearly process management. Employee training is important, but also not expensive. In a hospital, the process landscape is more crucial. Hospitals are extremely dependent on technology. Structured management that defines how devices are procured, maintained, and removed from the network is the basis.
Dittrich: I agree. Through technical and organizational processes, the risk of the individual employee must be minimized anyway.
(mack)