Cybersecurity for healthcare

Hospitals, mental health institutions, residential care, and GP practices are increasingly targeted by focused attacks. At the same time, healthcare must continue: ER, OR, imaging, lab. Downtime is not an option.

NEN 7510 / 7512 / 7513NIS2 & Cybersecurity ActEHR, medical equipment & suppliers

> The cybersecurity challenge in healthcare

The healthcare sector combines everything attackers find interesting: sensitive medical data, critical processes, and complex chains with suppliers and cloud services.

Hospitals are one of the most attacked sectors in Europe; ransomware regularly takes down ORs, ERs, and imaging. [source: ENISA, World Economic Forum]
Dutch healthcare institutions report dozens of serious data breaches and incidents to IGJ and DPA annually. [source: Z-CERT, IGJ]
Legacy systems, medical equipment, and supplier connections make patching and segmentation complex. [source: NEN / ENISA]

Concretely: where does it go wrong in practice?

EHR or portal accounts being abused via phishing or weak passwords.
VPN access for suppliers that was never restricted or disabled.
Medical equipment in the same network segment as office IT.
Insufficient logging and monitoring, causing attacks to be discovered late.
Outsourced IT without clear agreements on patch policy, logging, and incident response.

> Legislation for healthcare institutions

Healthcare organisations must simultaneously comply with NEN standards, European regulations, and requirements from regulators and health insurers.

NIS2 / Cybersecurity Act

Large healthcare institutions fall under NIS2 (in the Netherlands, the Cybersecurity Act). This means, among others:

Risk-based measures for network and information systems.
Mandatory reporting of significant incidents within strict deadlines.
Board-level responsibility for cybersecurity (board of directors / executive board).

Sector standards: NEN 7510 and related standards

NEN 7510 is the baseline standard for information security in healthcare. Often supplemented with:

NEN 7512 / 7513 for logging, exchange, and recording.
ISO 27001/27002 as a framework for information security management.
DigiD requirements for systems with public identification/authentication.

> How Neo Security helps healthcare organisations

We do not start with a generic scan, but with your reality: type of healthcare institution, critical systems, suppliers, medical equipment, EHR/EVS, and cloud.

NEN 7510 / NIS2 gap analysis

Analysis of current measures, policies, and logging.
Overview of risks per process (e.g., ER, OR, lab, imaging).
Roadmap towards demonstrable compliance.

More about governance & compliance: NIS2 / Cybersecurity Act and compliance & governance.

Targeted pentests on healthcare systems

EHR / HIS / LIS / PACS and patient portals.
VPNs, external access (HIS, home monitoring).
APIs towards suppliers and health insurers.

More about our pentests: pentest approach.

OT & medical equipment (OT/IoMT security)

Segmentation and hardening of medical networks.
Risk analysis of connected equipment (infusion pumps, monitors, scanners).
Non-disruptive testing that does not interrupt care processes.
We gladly collaborate with suppliers and R&D teams to safely test healthcare equipment.

More about OT/ICS: OT security assessment.

Incident Response & tabletop exercises

Ransomware and data breach scenarios specific to healthcare organisations.
Practising with crisis team (CIO, CISO, medical manager, communications).
Clear playbooks for IGJ reports, Data Protection Authority, and patient communication.

More about response: incident response and tabletop exercises.

Security awareness for healthcare professionals

Practical training for doctors, nurses, and reception staff.
Focus on phishing, medication and identity fraud, use of mobile devices.
Tailored to the workload and reality on the floor.

More about awareness: security awareness training and phishing tests.

> Why Neo Security for healthcare?

You can leave cybersecurity in healthcare to a generic consultancy – or to a team that has been hands-on themselves.

We come from practice.
Grew up among patch panels, data centres, and hybrid environments. We know the limitations of EHRs, suppliers, and legacy ourselves.
Facts over fear.
No FUD presentations, but findings with clear prioritisation: what needs to happen now, what can wait, what is nice-to-have.
Combination offense + governance.
We link pentests and red teaming to NEN 7510/NIS2 and ISO 27001 frameworks, so findings are directly translatable to policy, controls, and audits.
Sector focus on vital environments.
We primarily work for organisations where downtime is not an option: healthcare, industry, energy, government. Healthcare absolutely belongs there.

> Ready for a clear-eyed view of your digital healthcare environment?

We usually start with a short exploration: which systems are critical, where is the greatest pressure (EHR, medical equipment, suppliers), and which obligations already apply (NEN 7510, NIS2, contractual)? From there, we determine together whether a gap analysis, pentest, or tabletop exercise is the best first step.

Schedule an exploration session View our pentest approach

Our offensive power, your strongest defence. Even at the patient’s bedside.

Sources & background

> loading…