NIS2 and Healthcare: IT Asset Control in Hospitals and Clinics
In May 2017, WannaCry ransomware paralyzed Britain’s NHS. Over 80 healthcare organizations were affected, 19,000 appointments were canceled, and five hospitals diverted ambulances. Estimated cost: £92 million. The reason: thousands of unpatched Windows XP computers nobody had inventoried.
In healthcare, an uncontrolled IT asset isn’t just a financial risk — it can be a risk to patient life.
Why NIS2 applies to healthcare
NIS2 classifies healthcare as an essential entity (Annex I). This includes hospitals, laboratories, research centers, medical device manufacturers, and pharmacies. For these entities the directive requires:
- Complete asset inventory as part of risk management measures (Article 21.2)
- Incident management linked to affected assets, with an early warning within 24 hours and an incident notification within 72 hours
- Care continuity: plans depending on knowing which assets are critical for patient care
- Supply chain security: control over third-party medical devices connected to the network
Real incidents in healthcare
- HSE Ireland, 2021: Conti ransomware paralyzed systems for months. EHRs became inaccessible. Recovery cost: 600 million euros. Entry point: a workstation without updated antivirus.
- Dusseldorf University Hospital, 2020: Ransomware forced diversion of an emergency patient to a hospital 30 km away. The patient died during transfer. Attackers exploited a VPN device vulnerability the hospital didn’t know was internet-exposed.
- Hospital Clínic Barcelona, 2023: RansomHouse encrypted systems, canceling 150 surgeries and 3,000 consultations. 4.5 TB of patient data was exfiltrated.
Why exhaustive asset control is essential
- Connected medical devices (IoMT) are multiplying. Infusion pumps, monitors, imaging equipment — an average hospital has 10,000-15,000 connected devices. Without inventory, they’re security blind spots.
- Equipment moves between departments. A portable ultrasound may be in the ER in the morning and on a ward by afternoon. Without location tracking, finding assets during incidents is impossible.
- Medical devices aren’t easily patched. Many run legacy operating systems. You need to know which ones they are so you can apply compensating controls.
- NIS2 audits will ask about every connected device. How many network-connected medical devices? What OS? Last firmware update? If you can’t answer, you have a compliance problem.
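The four points above come down to questions a script can answer from an inventory: how many network-connected medical devices there are, which OS and firmware date each one has, which ones run a legacy OS and need compensating controls, which ones have no recorded location, and which devices seen on the network have no inventory record at all (the blind spots). The following is an added example, not code from the article or from Metrica Control; the inventory records, the observed MAC addresses, the set of end-of-life operating systems and the 365-day firmware threshold are all constructed assumptions.

```python
"""Audit-readiness check for a healthcare IT asset inventory.

Added example, not code from the original article or from Metrica Control.
All records below are constructed sample data; field names, the end-of-life
OS list and the firmware-age threshold are assumptions to adapt locally.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: operating systems treated as end-of-life for this example.
LEGACY_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}
FIRMWARE_MAX_AGE_DAYS = 365  # assumed local policy threshold


@dataclass
class Asset:
    asset_id: str
    kind: str                      # "medical", "clinical-it", "network", "mobile", "lab"
    mac: str
    os: str
    firmware_date: Optional[date]  # None = never recorded
    location: Optional[str]        # None = current location unknown
    network_connected: bool = True


def audit_inventory(assets, today):
    """Answer the audit questions from the text and flag the gaps."""
    medical = [a for a in assets if a.kind == "medical" and a.network_connected]
    os_counts = {}
    for a in medical:
        os_counts[a.os] = os_counts.get(a.os, 0) + 1
    # Stale or unrecorded firmware only matters for devices reachable on the network.
    stale = [a.asset_id for a in assets if a.network_connected and (
        a.firmware_date is None or (today - a.firmware_date).days > FIRMWARE_MAX_AGE_DAYS)]
    # Legacy OS is flagged regardless of connectivity: the auditor will ask about it.
    legacy = [a.asset_id for a in assets if a.os in LEGACY_OS]
    unlocated = [a.asset_id for a in assets if a.location is None]
    return {
        "connected_medical_devices": len(medical),
        "medical_os_breakdown": os_counts,
        "stale_firmware": sorted(stale),
        "legacy_os_needing_compensating_controls": sorted(legacy),
        "unknown_location": sorted(unlocated),
    }


def find_unknown_devices(assets, observed_macs):
    """MAC addresses seen on the network that no inventory record explains."""
    known = {a.mac.lower() for a in assets}
    return sorted(m for m in {x.lower() for x in observed_macs} if m not in known)


# Constructed sample inventory (hypothetical asset IDs and MAC addresses).
SAMPLE_ASSETS = [
    Asset("PUMP-0142", "medical", "00:1A:2B:00:01:42", "Embedded Linux", date(2024, 11, 3), "Ward 3B"),
    Asset("MRI-01", "medical", "00:1A:2B:00:02:01", "Windows 7", date(2019, 6, 1), "Radiology"),
    Asset("US-PORT-07", "medical", "00:1A:2B:00:03:07", "Windows 10", None, None),
    Asset("EHR-DB-01", "clinical-it", "00:1A:2B:00:10:01", "Windows Server 2019", date(2025, 1, 15), "DC-A"),
    Asset("SW-ER-02", "network", "00:1A:2B:00:20:02", "IOS 15", date(2024, 9, 20), "ER"),
    Asset("LAB-SEQ-01", "lab", "00:1A:2B:00:30:01", "Windows XP", date(2015, 2, 2), "Lab 1",
          network_connected=False),
]
# Constructed: MAC addresses observed by DHCP logs, NAC or a network scan.
SAMPLE_OBSERVED = ["00:1a:2b:00:01:42", "00:1A:2B:00:02:01", "00:1A:2B:00:10:01", "00:1A:2B:00:99:FE"]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_ASSETS, date(2025, 3, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("unknown devices:", find_unknown_devices(SAMPLE_ASSETS, SAMPLE_OBSERVED))
```

Run against the sample data, the report shows three connected medical devices, two of them with stale or unrecorded firmware, the portable ultrasound with no known location, two legacy-OS machines that need compensating controls, and one MAC address on the network that the inventory cannot explain. In practice the observed list would come from the DHCP server, the NAC system or a passive network scan rather than a hard-coded list.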
What you need to control
- Connected medical devices: Diagnostic equipment, patient monitors, smart infusion pumps
- Clinical IT infrastructure: EHR servers, workstations, wristband printers
- Network equipment: Switches, WiFi access points, segmentation firewalls
- Mobile devices: Nursing tablets, on-call laptops, corporate phones
- Laboratory equipment: Analyzers, sequencers, dispensing robots
Metrica Control gives you complete visibility over every asset in your healthcare facility, with location tracking, incident history, and lifecycle alerts for any NIS2 audit.
Ready to assess your compliance?
Start your free assessment today and find out where you stand with GDPR, NIS2, DORA, ISO 27001, and more.
Written by
Metrica.uno Team
Content Team
Metrica.uno Team is part of the Metrica.uno team, helping organizations navigate AI compliance with practical insights and guidance.