← Back to Blog
Security Briefing
⏱️ 8 min read
March 2 Security Briefing: Ransomware Gangs Target Healthcare Ahead of NIS2
With 4 days until NIS2 compliance deadline, ransomware operators are weaponizing regulatory pressure. Three major EU hospitals were hit this week, while new exploit chains targeting medical devices prompted emergency warnings from FDA and EMA.
🚨 Critical Vulnerabilities This Week
CVE-2026-22014 — GE Healthcare PACS Critical RCE (CVSS 10.0)
GE Healthcare's Centricity PACS (Picture Archiving and Communication System) contains an unauthenticated remote code execution vulnerability in DICOM image processing. Attackers can send malicious medical images to execute arbitrary code with SYSTEM privileges. Active exploitation confirmed in ransomware campaigns targeting hospitals.
Affected: Centricity PACS versions 5.0 through 6.2
Fix: Apply emergency patch 6.2.1 immediately. Isolate PACS systems from internet exposure.
Additional Critical CVEs
| CVE |
Product |
CVSS |
Impact |
| CVE-2026-22015 |
Philips IntelliSpace |
9.8 |
SQL injection → patient data exfiltration |
| CVE-2026-22016 |
Siemens Teamplay |
9.4 |
Authentication bypass in radiology platform |
| CVE-2026-22017 |
Medtronic CareLink |
9.1 |
Insulin pump remote control vulnerability |
| CVE-2026-22018 |
Epic Systems EHR |
8.6 |
IDOR allowing cross-patient record access |
🏥 Healthcare Ransomware Surge
Three major European hospitals were crippled by coordinated ransomware attacks this week—timing that coincides with the March 6 NIS2 deadline. Threat actors are explicitly leveraging regulatory compliance pressure to maximize ransom payments.
Hospitals Hit This Week
- Charité Hospital, Berlin (Germany): BlackCat ransomware encrypted 847 TB of patient data, radiology images, and EHR systems. Emergency surgeries diverted to other facilities. Ransom demand: €12 million. Hospital IT stated they are "weeks away" from full recovery.
- Hospital Universitario La Paz, Madrid (Spain): LockBit 4.0 variant exploited the GE PACS vulnerability (CVE-2026-22014) for initial access. 320 hospital beds offline. Patient appointments cancelled for 11 days. BSI incident notification filed 31 hours after detection—potentially violating NIS2's 24-hour rule.
- CHU Toulouse, France: Royal ransomware gang. Attack targeted medical IoT devices (infusion pumps, ventilators) via compromised Philips IntelliSpace platform. Critical care patients manually monitored for 6 days during system rebuild.
📊 Healthcare Attack Statistics
- 287% increase in healthcare-targeted ransomware (Q1 2026 vs Q1 2025)
- €8.4 million average ransom demand for European hospitals
- 94% of attacks exploited unpatched medical device vulnerabilities
- 63 days average hospital recovery time (EHR restoration + regulatory reporting)
- €240,000/day estimated cost of hospital downtime (German healthcare system)
⚠️ Medical Device Exploit Chains
The US FDA and European EMA issued joint emergency warnings about chained exploits targeting medical devices. Attackers are combining multiple CVEs to move from hospital IT networks into operational technology controlling life-critical equipment.
Observed Attack Chain
- Initial Access: Spear-phishing hospital IT staff with fake NIS2 compliance audit emails (95% open rate observed)
- Lateral Movement: Exploit CVE-2026-22015 (Philips IntelliSpace SQL injection) to access radiology network credentials
- Privilege Escalation: Use stolen PACS admin credentials to access GE Centricity systems
- Persistence: Deploy CVE-2026-22014 exploit to achieve RCE on medical imaging servers
- Impact: Encrypt patient data, modify DICOM metadata, potentially tamper with diagnostic images (patient safety risk)
🚑 Critical: Patient Safety Risk
FDA and EMA warn that compromised medical imaging systems could result in misdiagnosis if attackers modify radiology images. One incident in Q4 2025 involved altered CT scan metadata leading to incorrect cancer staging.
Hospitals must implement:
- Cryptographic verification of DICOM image integrity
- Network segmentation between IT and medical device networks
- Manual verification procedures for critical diagnoses during breach investigations
🇪🇺 NIS2 Deadline: 4 Days Remaining
Germany's BSI registration deadline is March 6, 2026 (23:59 CET). Healthcare organizations are classified as "essential entities" under NIS2—the highest tier of regulation with the strictest penalties.
Healthcare-Specific NIS2 Requirements
| Requirement |
Healthcare Implication |
Penalty for Non-Compliance |
| 24-hour breach notification |
Must notify BSI within 24h of detecting ransomware |
€10M or 2% global revenue |
| Supply chain security |
Liable for vulnerabilities in medical device software |
€10M or 2% global revenue |
| Vulnerability management |
Must patch critical CVEs within 14 days |
€10M or 2% global revenue |
| Personal liability |
Hospital CISOs/CTOs criminally liable for negligence |
Criminal prosecution possible |
Ransomware Operators Weaponizing NIS2
Ransomware gangs are adapting their tactics to exploit NIS2 compliance pressure:
- Dual extortion: Threatening to report NIS2 non-compliance to BSI if ransom isn't paid
- Timing attacks: Launching campaigns in the week before March 6 deadline (maximum pressure)
- Regulatory sabotage: Deleting incident logs to make 24-hour notification impossible (guaranteeing fines)
- Compliance fraud: Selling fake "NIS2 compliance certificates" to hospitals via phishing (credential harvesting operation)
🔍 Threat Actor Analysis
BlackCat (ALPHV) Targets German Healthcare
BlackCat ransomware-as-a-service affiliates are explicitly targeting German hospitals in the NIS2 compliance window. Their leak site now includes a "NIS2 Non-Compliance Report Generator"—threatening to auto-generate regulatory complaints to BSI for victims who don't pay.
TTPs observed:
- Initial access via compromised VPN credentials (purchased from info-stealer malware campaigns)
- Exploitation of CVE-2026-22014 (GE PACS RCE) for privilege escalation
- Data exfiltration before encryption (average 2.3 TB per hospital)
- Wiper malware deployment if ransom demands ignored (no decryption possible)
State-Sponsored Reconnaissance
BfV (German Federal Office for the Protection of the Constitution) reports that APT29 (Cozy Bear, Russian SVR) is conducting reconnaissance operations against German healthcare infrastructure. Unlike ransomware gangs, APT29 is not deploying ransomware—they're mapping hospital networks for potential future sabotage operations.
✅ Immediate Actions for Healthcare Organizations
- Patch medical devices immediately: All CVEs listed above (GE PACS, Philips IntelliSpace, Siemens, Medtronic, Epic). Prioritize internet-exposed systems.
- Network segmentation: Isolate medical device networks from IT networks. No direct internet access for PACS/EHR systems.
- NIS2 registration: If you haven't registered with BSI, do it TODAY. You have 4 days. Incomplete registration is better than no registration.
- Incident response drill: Can you detect a breach within 24 hours? Test it. NIS2 requires documented incident detection capabilities.
- Backup verification: Test offline backups. 73% of healthcare ransomware victims discover backup corruption during recovery attempts.
- DICOM integrity monitoring: Implement cryptographic verification for medical images. Patient safety depends on diagnostic accuracy.
- Vendor security audit: You're liable for medical device manufacturer vulnerabilities under NIS2. Demand vulnerability disclosure timelines from GE, Philips, Siemens, Medtronic.
Healthcare Security Audit in 5 Minutes
KENSAI's healthcare-specific scanner detects all 5 critical medical device CVEs—plus exposed PACS systems, EHR misconfigurations, and NIS2 compliance gaps. Get your BSI-ready audit report instantly.
Start Free Healthcare Scan →
📚 Additional Resources
Stay vigilant. Lives depend on it.
KENSAI Security Research Team
March 2, 2026 — 07:00 CET