When a ransomware group takes down a hospital network, the damage is not measured only in euros. Surgeries get postponed, ambulances get redirected, and clinical staff revert to paper records while IT teams scramble through the night. Europe has watched this scenario play out repeatedly over the past three years, and the pace is not slowing.
For anyone working in IT Security focused on critical infrastructure, the healthcare sector offers a stark illustration of what happens when structural vulnerabilities meet an adversary that has learned exactly where to apply pressure. Understanding why hospitals remain so exposed is no longer an academic exercise; it is a prerequisite for anyone advising or working within the sector.
The Numbers That Frame the Problem
The European Commission does not understate the situation. In 2023, EU member states reported 309 significant cybersecurity incidents affecting the healthcare sector more than any other critical infrastructure category that year. ENISA’s data puts ransomware at 54% of all attacks on the health sector, with hospitals and healthcare providers bearing the brunt of 53% of analysed incidents.
Health-ISAC recorded a 55% surge in cyber incidents across the health sector in 2025 compared to the previous year. The Q4 2025 figures showed a particularly sharp spike in ransomware activity, and security professionals surveyed going into 2026 identified AI-enabled attacks as the leading emerging threat above zero-day exploits and above supply chain breaches.
The financial picture is equally sobering. ENISA confirmed that breaches in the European healthcare sector record the highest average cost of any industry, a pattern consistent with IBM’s finding that healthcare has held this position for fifteen consecutive years.
Why Hospitals Are a Structurally Attractive Target
Attackers are not choosing hospitals because they are easy, they are choosing them because the combination of high-value data and operational urgency creates ideal extortion conditions.
Patient Data Is Worth More Than Financial Credentials
The underground economy has shifted its pricing accordingly. Research from Trellix found that a single electronic health record now trades at approximately $60 on criminal markets roughly twenty times the value of a stolen payment card. Records contain names, dates of birth, diagnoses, treatment histories, insurance details, and social security numbers: everything needed for long-term identity fraud or targeted extortion.
The Qilin ransomware group demonstrated this dynamic precisely in 2025, exfiltrating 852 gigabytes of patient data from a single healthcare provider before deploying encryption. The threat of exposing sensitive diagnoses and treatment histories to patients directly, a tactic now emerging among extortion groups adds a layer of psychological pressure that financial sector victims rarely face.
Operational Urgency Makes Negotiation Very One-Sided
A bank that loses access to its core systems for 48 hours loses revenue. A hospital that loses access to its EHR, imaging systems, and medication management tools loses the ability to safely treat patients. That asymmetry is precisely what ransomware groups are exploiting, and it explains why healthcare has historically had among the highest ransom payment rates of any sector.
The good news is that this is starting to change. Sophos data from 2025 showed that only 36% of healthcare providers paid the ransom, down from 61% in 2022, and average recovery times have improved significantly. But the progress is uneven, and smaller regional hospitals lag considerably behind larger networks.
The Three Structural Vulnerabilities That Persist
1. Legacy Infrastructure and Unpatchable Devices
Hospitals run complex, long-lived technology estates. Medical imaging systems, infusion pumps, and patient monitoring equipment have operational lifespans of ten to fifteen years, and many were designed without any security architecture in mind. Research found that 99% of hospitals manage at least one device with a known exploited vulnerability, and 60% of medical devices are end-of-life and cannot receive security patches.
The vulnerability dwell time between a known CVE being published and it being remediated in a hospital environment averages 3.2 years according to Trellix analysis. Attackers exploit disclosed vulnerabilities within 48 hours of publication. That gap is not a risk, it is a standing invitation.
2. Staffing Deficits That Cannot Be Papered Over
Sophos found that the single most common factor contributing to ransomware compromises in healthcare was a lack of cybersecurity personnel and monitoring capacity at the time of the attack, cited by 42% of affected organisations. Known security gaps were a factor in 41% of cases.
The EU’s own Eurobarometer on Cyberskills found that 81% of companies view difficulties in hiring cybersecurity staff as a direct risk factor for cyberattacks. In healthcare, this is compounded by high clinical staff turnover, reliance on temporary workers, and the reality that training a nurse to recognise a spearphishing email is simply not a priority when wards are understaffed.
3. Third-Party Vendor Access That Is Poorly Controlled
Healthcare runs on ecosystems: billing vendors, laboratory systems, medical device manufacturers, radiology platforms all with some level of network access, many with standing administrative privileges and minimal MFA enforcement. Security researchers have consistently identified third-party vendors as the primary supply chain ransomware vector in 2025–2026.
A compromise does not need to begin inside the hospital. It needs to begin inside any vendor with a trust relationship to the hospital’s environment.
What the EU Is Actually Doing About It
The European Commission launched its Action Plan on the cybersecurity of hospitals and healthcare providers in January 2025, structured around four pillars: prevention, detection, response, and deterrence. The plan proposes a pan-European Cybersecurity Support Centre to be established by ENISA offering tailored guidance, tools, and training to health entities.
The plan also introduces cybersecurity vouchers to provide financial support to micro, small, and medium-sized hospitals, acknowledging that the resourcing gap is real and will not close through mandates alone. An EU-wide early warning service for the sector is scheduled to be operational by 2026.
These are meaningful steps. But the gap between policy announcement and operational change in hospital environments is measured in years, not quarters. NIS2 now formally covers healthcare, and the obligations are real but enforcement against under-resourced public hospitals creates its own political complexity.
What Actually Reduces Risk in Practice
For organisations working with or within the European healthcare sector, the evidence points clearly toward a small set of high-impact interventions:
- Network segmentation starting with critical clinical systems — not a complete zero-trust overhaul, but isolation of EHR, imaging, and device networks from general administrative infrastructure
- Identity hardening across all remote access — MFA without exceptions, PAM for privileged accounts, and removal of standing vendor access in favour of time-limited, monitored sessions
- Immutable, offline backups with tested recovery procedures — the organisations that recovered fastest from 2025’s incidents had practiced restoring systems before the incident, not during it
- Continuous vulnerability scanning of IoMT and OT devices — given the patching constraints, visibility is the minimum baseline; unmonitored devices are invisible attack surfaces
- Incident response playbooks developed and rehearsed in advance — ad hoc recovery drives average downtime beyond ten days; organisations with practised playbooks compress this significantly
The structural problems will not be solved quickly. But the organisations that close the gap between regulation and operational reality are the ones that keep patients safe when the next attack lands, and there will be a next attack.

