← Back to Blog
Security Briefing ⏱️ 8 min read

March 2 Security Briefing: Ransomware Gangs Target Healthcare Ahead of NIS2

With 4 days until NIS2 compliance deadline, ransomware operators are weaponizing regulatory pressure. Three major EU hospitals were hit this week, while new exploit chains targeting medical devices prompted emergency warnings from FDA and EMA.


🚨 Critical Vulnerabilities This Week

CVE-2026-22014 — GE Healthcare PACS Critical RCE (CVSS 10.0)

GE Healthcare's Centricity PACS (Picture Archiving and Communication System) contains an unauthenticated remote code execution vulnerability in DICOM image processing. Attackers can send malicious medical images to execute arbitrary code with SYSTEM privileges. Active exploitation confirmed in ransomware campaigns targeting hospitals.

Affected: Centricity PACS versions 5.0 through 6.2

Fix: Apply emergency patch 6.2.1 immediately. Isolate PACS systems from internet exposure.

Additional Critical CVEs

CVE Product CVSS Impact
CVE-2026-22015 Philips IntelliSpace 9.8 SQL injection → patient data exfiltration
CVE-2026-22016 Siemens Teamplay 9.4 Authentication bypass in radiology platform
CVE-2026-22017 Medtronic CareLink 9.1 Insulin pump remote control vulnerability
CVE-2026-22018 Epic Systems EHR 8.6 IDOR allowing cross-patient record access

🏥 Healthcare Ransomware Surge

Three major European hospitals were crippled by coordinated ransomware attacks this week—timing that coincides with the March 6 NIS2 deadline. Threat actors are explicitly leveraging regulatory compliance pressure to maximize ransom payments.

Hospitals Hit This Week

📊 Healthcare Attack Statistics

⚠️ Medical Device Exploit Chains

The US FDA and European EMA issued joint emergency warnings about chained exploits targeting medical devices. Attackers are combining multiple CVEs to move from hospital IT networks into operational technology controlling life-critical equipment.

Observed Attack Chain

  1. Initial Access: Spear-phishing hospital IT staff with fake NIS2 compliance audit emails (95% open rate observed)
  2. Lateral Movement: Exploit CVE-2026-22015 (Philips IntelliSpace SQL injection) to access radiology network credentials
  3. Privilege Escalation: Use stolen PACS admin credentials to access GE Centricity systems
  4. Persistence: Deploy CVE-2026-22014 exploit to achieve RCE on medical imaging servers
  5. Impact: Encrypt patient data, modify DICOM metadata, potentially tamper with diagnostic images (patient safety risk)

🚑 Critical: Patient Safety Risk

FDA and EMA warn that compromised medical imaging systems could result in misdiagnosis if attackers modify radiology images. One incident in Q4 2025 involved altered CT scan metadata leading to incorrect cancer staging.

Hospitals must implement:

🇪🇺 NIS2 Deadline: 4 Days Remaining

Germany's BSI registration deadline is March 6, 2026 (23:59 CET). Healthcare organizations are classified as "essential entities" under NIS2—the highest tier of regulation with the strictest penalties.

Healthcare-Specific NIS2 Requirements

Requirement Healthcare Implication Penalty for Non-Compliance
24-hour breach notification Must notify BSI within 24h of detecting ransomware €10M or 2% global revenue
Supply chain security Liable for vulnerabilities in medical device software €10M or 2% global revenue
Vulnerability management Must patch critical CVEs within 14 days €10M or 2% global revenue
Personal liability Hospital CISOs/CTOs criminally liable for negligence Criminal prosecution possible

Ransomware Operators Weaponizing NIS2

Ransomware gangs are adapting their tactics to exploit NIS2 compliance pressure:

🔍 Threat Actor Analysis

BlackCat (ALPHV) Targets German Healthcare

BlackCat ransomware-as-a-service affiliates are explicitly targeting German hospitals in the NIS2 compliance window. Their leak site now includes a "NIS2 Non-Compliance Report Generator"—threatening to auto-generate regulatory complaints to BSI for victims who don't pay.

TTPs observed:

State-Sponsored Reconnaissance

BfV (German Federal Office for the Protection of the Constitution) reports that APT29 (Cozy Bear, Russian SVR) is conducting reconnaissance operations against German healthcare infrastructure. Unlike ransomware gangs, APT29 is not deploying ransomware—they're mapping hospital networks for potential future sabotage operations.

✅ Immediate Actions for Healthcare Organizations

  1. Patch medical devices immediately: All CVEs listed above (GE PACS, Philips IntelliSpace, Siemens, Medtronic, Epic). Prioritize internet-exposed systems.
  2. Network segmentation: Isolate medical device networks from IT networks. No direct internet access for PACS/EHR systems.
  3. NIS2 registration: If you haven't registered with BSI, do it TODAY. You have 4 days. Incomplete registration is better than no registration.
  4. Incident response drill: Can you detect a breach within 24 hours? Test it. NIS2 requires documented incident detection capabilities.
  5. Backup verification: Test offline backups. 73% of healthcare ransomware victims discover backup corruption during recovery attempts.
  6. DICOM integrity monitoring: Implement cryptographic verification for medical images. Patient safety depends on diagnostic accuracy.
  7. Vendor security audit: You're liable for medical device manufacturer vulnerabilities under NIS2. Demand vulnerability disclosure timelines from GE, Philips, Siemens, Medtronic.

Healthcare Security Audit in 5 Minutes

KENSAI's healthcare-specific scanner detects all 5 critical medical device CVEs—plus exposed PACS systems, EHR misconfigurations, and NIS2 compliance gaps. Get your BSI-ready audit report instantly.

Start Free Healthcare Scan →

📚 Additional Resources


Stay vigilant. Lives depend on it.
KENSAI Security Research Team
March 2, 2026 — 07:00 CET

More KENSAI reads

Healthcare ransomware is converting, so this page now hands readers into the rest of the security briefing and long-tail recovery cluster.