BSI sounds the alarm: Healthcare software fails security tests
Three out of four practice systems tested are vulnerable to attacks from the internet, care software has critical gaps. The BSI is sounding the alarm - and shows what is now at stake for medical practices, clinics and care facilities.
In mid-March 2026, the German Federal Office for Information Security (BSI) published results that should make every practice owner, clinic manager and care service manager lose sleep: In three out of four practice management systems (PVS) tested, the concatenation of individual vulnerabilities enabled an attack from the internet. The situation was hardly any better for nursing documentation systems - critical gaps in encryption, authentication and update mechanisms.
Anyone who believes that this is a purely technical problem for the IT department is mistaken. When patient data is leaked, surgeries come to a standstill or care documentation is manipulated, patient safety, liability and, in extreme cases, human lives are at stake.
What the BSI has specifically tested
The BSI has scrutinized the security of central software in the healthcare sector in two independent projects.
In the "SiPra" project (security of practice management systems), the BSI had four commercially available PVS tested by the security company ERNW using penetration tests - in the standard configuration, i.e. the way the systems are typically operated in practices. The result: in three of the four systems, vulnerabilities could be combined into attack chains that would have allowed access from the internet. The list of flaws reads like a catalog of avoidable errors: lack of encryption during data transmission, outdated cryptographic procedures, bypassable authentication, PVS servers that were directly accessible via the internet. Particularly explosive: the Yellow List reports that there are currently no binding IT security requirements for practice management systems - the certification of the National Association of Statutory Health Insurance Physicians (KBV) focuses on functional aspects, not security.
In the "DiPS" (Digital Care Documentation Systems) project, the Fraunhofer Institute for Secure Information Technology (SIT) examined three systems used in outpatient care services. The result: 13 vulnerabilities with a high or critical level of severity. These included insecure communication channels, weak authentication, installation packages with embedded database passwords and a lack of checking mechanisms for updates. According to the heise report, 16 out of 52 care services stated in an accompanying survey that they access their systems directly via the internet without a VPN - 25 confirmed that manufacturers or IT service providers have permanent remote access to their network.
Both projects complement the "SiKIS" project on the security of hospital information systems, which was completed in 2025. The pattern is identical across all three areas: user authentication and authorization are the most common problem areas across all products.
Why healthcare data needs a special level of protection
According to Article 9 of the General Data Protection Regulation (GDPR), health data belongs to the "special categories of personal data". It enjoys the highest level of protection known to European data protection law - and for good reason.
Unlike a stolen credit card number, a medical history cannot be blocked and reissued. Diagnoses, treatment histories, psychiatric findings or addictions affect a person's most intimate sphere. On the Darknet, health data records therefore fetch significantly higher prices than financial or credit card data because they can be misused for identity theft, insurance fraud or targeted blackmail.
There is also a special feature of the healthcare sector: the data is not only sensitive - it is critical for the provision of care. If a ransomware attack encrypts a patient database, it is not only the records that come to a standstill, but quite possibly also operations, emergency rooms and medication plans.
What happens when security fails: real incidents
The risks are no longer theoretical. Several serious incidents in recent years show what happens when IT security is neglected in the healthcare sector.
Düsseldorf University Hospital (2020): In September 2020, Düsseldorf University Hospital was the victim of a ransomware attack. Around 30 servers were encrypted and the hospital had to withdraw from emergency care. A patient with a life-threatening illness could not be admitted and had to be taken to Wuppertal, 30 kilometers away - she died shortly after the delayed admission. The public prosecutor's office opened an investigation into negligent homicide. The gateway: a vulnerability in a Citrix VPN gateway that had been known for months and had not been patched.
Fürth Hospital, DRK-Südwest and others (2019-2020): Düsseldorf University Hospital was not an isolated case. Hackers had already paralyzed Fürth Hospital at the beginning of 2020, before which DRK-Südwest in Neuwied had been hit - eleven hospitals in Rhineland-Palatinate and Saarland were affected.
WannaCry and the British NHS (2017): The WannaCry attack hit the UK's National Health Service (NHS) on a massive scale. Around 20,000 appointments had to be canceled, staff returned to pen and paper and individual emergency departments were rerouted.
CrowdStrike outage (July 2024): Even without a hacker attack, a single faulty update can paralyze hospitals. In July 2024, a faulty CrowdStrike update led to IT outages worldwide - including two hospitals in Lübeck and Kiel having to cancel planned operations.
The figures underpin the trend: according to experts, the healthcare sector is the most severely affected sector among critical infrastructures (KRITIS), and attacks on healthcare facilities have increased massively in recent years.
What penalties apply - and to whom
The regulatory consequences of inadequate IT security in the healthcare sector are considerable - and they affect not only "IT", but also the management personally.
GDPR (Article 83): Violations of the protection of special categories of data can result in fines of up to 20 million euros or four percent of annual global turnover. This is not a theoretical upper limit: in the Netherlands, the HAGA hospital in The Hague was fined 460,000 euros because unauthorized employees were able to access the file of a celebrity - the cause was a lack of access controls and inadequate two-factor authentication. In Portugal, a hospital had to pay 400,000 euros - also due to inadequate authorization. In Germany, the Rhineland-Palatinate state data protection commissioner imposed a fine on Mainz University Medical Center for structural deficits in patient management.
NIS2 Directive: The European NIS2 Directive significantly tightens the requirements once again. Hospitals and healthcare facilities fall under the regulation as "essential entities". Violations can result in fines of up to ten million euros or two percent of annual turnover. Crucially, the management is expressly personally responsible for compliance with the security measures.
Section 75c SGB V: Since 2022, the German Social Code has required all hospitals - not just KRITIS hospitals - to implement appropriate IT security measures in accordance with the state of the art. The industry-specific security standard (B3S) of the German Hospital Federation serves as a guide.
Criminal dimension: If patients are harmed as a result of inadequate IT security, criminal investigations can be initiated in addition to fines - as the Düsseldorf case has shown. The breach of medical confidentiality (Section 203 of the German Criminal Code) can also become relevant in the event of culpable failure of technical security measures.
What medical practices, clinics and care services should do now
The BSI results make it unmistakably clear: anyone who relies on the security of their software without questioning it is acting negligently. The good news is that the BSI has published specific catalogs of recommendations for both projects, which can be commented on until June 17, 2026.
The SiPra recommendations are primarily aimed at manufacturers: secure standard configurations, server-side access controls, modern encryption. The DiPS recommendations and checklist are aimed at operators and users of outpatient care services - i.e. precisely those facilities that often do not have their own IT department.
Irrespective of this, healthcare facilities should now check three things: Firstly, whether the software used has received up-to-date security patches and whether its encryption is state of the art. Secondly, whether access rights are configured according to the need-to-know principle - i.e. whether only those people who actually need access to patient data for diagnosis, treatment or care have it. Thirdly, whether the data - patient files, billing information, care documentation - is stored and transferred securely and whether it can be restored quickly in the event of an emergency.
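Two of the DiPS findings above (installation packages with embedded database passwords, no checking mechanism for updates) and the first of the three checks can be turned into a concrete pre-rollout test. The following Python script is an added illustration, not code from the BSI projects or from any manufacturer: it accepts an update only if its SHA-256 matches a manifest obtained over a trusted channel and its version is newer than the installed one, and it scans an installer archive for hard-coded database passwords. All package contents, the manifest and the version numbers are constructed sample data.

```python
import hashlib
import hmac
import io
import re
import zipfile

# Constructed sample update and manifest (hypothetical, not from the BSI reports).
# In practice the manifest must come from a trusted, authenticated source
# (e.g. a signed manifest); the hash alone only detects tampering in transit.
PACKAGE_CONTENT = b"constructed installer payload for version 2.1.0"
MANIFEST = {"version": "2.1.0",
            "sha256": hashlib.sha256(PACKAGE_CONTENT).hexdigest()}

# Matches lines such as "db_password=...", "password: ..." or "pwd = ..."
CREDENTIAL_PATTERN = re.compile(r"(?i)\b(db_?pass(word)?|password|pwd)\s*[=:]\s*\S+")
TEXT_SUFFIXES = (".ini", ".cfg", ".conf", ".properties", ".xml", ".sql", ".txt")


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def verify_update(package: bytes, manifest: dict, installed_version: str):
    """Return (accepted, reason). Rejects tampered packages and downgrades."""
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "hash mismatch: package does not match manifest"
    if version_tuple(manifest["version"]) <= version_tuple(installed_version):
        return False, "downgrade or replayed update rejected"
    return True, "ok"


def find_embedded_credentials(installer_zip: bytes):
    """Scan text files inside an installer archive; return (file, line) hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(installer_zip)) as archive:
        for name in archive.namelist():
            if not name.endswith(TEXT_SUFFIXES):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                if CREDENTIAL_PATTERN.search(line):
                    hits.append((name, lineno))
    return hits


def build_sample_installer() -> bytes:
    """Constructed installer archive containing one embedded DB password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("setup/db.ini", "[database]\nhost=localhost\ndb_password=Sommer2024!\n")
        archive.writestr("setup/readme.txt", "Run setup.exe to install.\n")
    return buf.getvalue()
```

Run against a real vendor package, the credential scan should come back empty and any hash or version mismatch should block the rollout until the manufacturer has clarified it.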
Secure cloud solutions for the healthcare sector: Where SecureCloud can help
The BSI findings reveal a structural problem: many software products in the healthcare sector were designed with functionality in mind, not security. The question of where and how data is stored, transferred and shared is often only asked when it is too late.
SecureCloud has been working with companies and institutions in the healthcare sector for years - from clinics and medical care centers (MVZ) to care facilities and medical technology companies. Our cloud infrastructure is operated exclusively in Germany, is BSI-C5-tested and ISO 27001-certified. There are no technical or legal access options for third countries. Our customers include the German Federal Ministry of Health.
Whether secure data exchange with referring physicians and laboratories (SecureShare), audit-proof collaboration on sensitive documents (SecureWork) or digital signatures for approval processes (SecureSign) - we support healthcare facilities in setting up their data storage in a sovereign, GDPR-compliant and future-proof manner.
If you would like to know how your facility can be secured, please contact us - personally and without obligation.
Interested in the sovereign cloud?
Start your free trial here
Sebastian Deck
Sebastian Deck is Chief Marketing Officer (CMO) at SecureCloud and is responsible for brand strategy, communications and marketing. He has many years of experience in building and leading international marketing teams in consulting, fintech and technology companies. At SecureCloud, he drives brand positioning, thought leadership and lead generation. He also manages go-to-market initiatives and campaigns to position SecureCloud as a leading provider of cyber security and secure cloud services.