We are a hospital – how should we approach cybersecurity?

18. 7. 2025


Cybersecurity in healthcare is no longer optional; it is a mandatory part of risk and operational management in healthcare facilities. Hospitals are regulated entities under the new Cybersecurity Act (ZoKB), effective November 1, 2025, which transposes the NIS2 directive.

Cybersecurity in hospitals should be based on three key pillars:

  • ISO/IEC 27001 – An ISMS to manage risks, define policies, train staff, and handle incidents

  • ZoKB (NIS2) – A legislative framework requiring operational, technical, and organizational security measures, incident reporting, and auditability

  • IEC 62443-2-1 – A standard for designing and managing cybersecurity in operational (OT) environments, including healthcare settings

IEC 62443-2-1 should serve as the methodological framework for dividing hospital infrastructure into security zones. Each zone (e.g., critical systems, public networks, lab devices) is assigned a security level, which determines the technical and organizational measures required for that zone, as well as the security requirements placed on products entering it.
Hospitals should apply this zoning approach in their communication with suppliers and ask for information on the security level each product supports, so that a product can be matched against the zone it is intended for.
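As an added illustration of the zoning model described above (not code from the original article), the following Python sketch compares a zone's target security level with a product's declared capability, one foundational requirement at a time. The seven foundational requirements (FR1 to FR7) and the 0 to 4 security-level scale are conventions of the IEC 62443 series; the zone names, zone targets and product capabilities are constructed sample values.

```python
# Added example: IEC 62443-style zone / security-level matching.
# A security level is expressed as a vector over the seven foundational
# requirements (FR1..FR7), each rated 0..4. A zone carries a target level
# (SL-T); a product declares a capability level (SL-C). A product fits a
# zone only when its capability meets the target for every FR.
# Zone targets below are constructed illustrations, not real hospital data.

FRS = ("FR1", "FR2", "FR3", "FR4", "FR5", "FR6", "FR7")


def sl_vector(values):
    """Build an {FR: level} dict from seven integers, validating the 0..4 range."""
    if len(values) != len(FRS):
        raise ValueError("a security-level vector needs exactly seven FR values")
    for v in values:
        if not isinstance(v, int) or not 0 <= v <= 4:
            raise ValueError(f"security level out of range 0..4: {v!r}")
    return dict(zip(FRS, values))


# Constructed zone targets (SL-T), from the examples given in the text.
ZONES = {
    "critical_systems": sl_vector((3, 3, 3, 2, 3, 3, 3)),
    "lab_devices":      sl_vector((2, 2, 2, 1, 2, 2, 2)),
    "public_network":   sl_vector((1, 1, 1, 1, 1, 1, 1)),
}


def gaps(zone_target, product_capability):
    """Return {FR: (target, capability)} for each FR where the product falls short.

    An FR the supplier did not declare is treated as capability 0, so a
    missing value is a gap rather than a silent pass.
    """
    return {
        fr: (zone_target[fr], product_capability.get(fr, 0))
        for fr in FRS
        if product_capability.get(fr, 0) < zone_target[fr]
    }


def zone_accepts(zone_name, product_capability):
    """True when the product's declared SL-C meets the zone's SL-T on every FR."""
    return not gaps(ZONES[zone_name], product_capability)


def acceptable_zones(product_capability):
    """Sorted list of zone names the product may be placed in."""
    return sorted(z for z in ZONES if zone_accepts(z, product_capability))
```

Run on a supplier's declared SL-C vector, `gaps()` gives the procurement team the exact requirements a product misses for the zone it is meant for.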