Hospital cyber attacks are increasingly hitting patient care

The main risk from hospital cyber incidents is no longer data breaches or IT disruption – it's direct threats to care delivery.

According to a Black Book Research survey of 284 European hospital cybersecurity buyers, 82% rate their 2026 cyber attack concern as very high or extreme, while 74% believe their organization is likely or highly likely to face a major cyber event this year.

And, the researchers found, attacks are no longer viewed primarily as privacy events, compliance events, or IT disruptions – but as threats to the delivery of care.

"Europe's hospitals are operating in one of the most complex cyber-risk environments in the world: nationally connected health systems, public-sector capacity pressure, cross-border supplier ecosystems, aging infrastructure, accelerated cloud migration, strict regulatory accountability, and clinical operations that cannot go offline," said Doug Brown, founder of Black Book Research.

Latest Videos From

"Attackers know the pressure points. They are not only targeting data; they are targeting authentication, availability, recovery windows, third-party dependencies, and the fragile digital workflows that move patients through emergency departments, labs, imaging, pharmacy, theatres, ICUs, and discharge."

As a result, European hospital cybersecurity buying has shifted sharply from breach prevention toward clinical continuity. Two-thirds are investing in identity, IAM, PAM, SSO failover and break-glass access, and 57% in ransomware recovery, immutable backup, and read-only clinical access.

Just over half are looking to network segmentation, zero trust, and ZTNA, 46% to incident-response retainers and crisis-response services, and 45% to third-party supplier and vendor cyber-risk management. Meanwhile, 37% are investing in medical device/IoMT security, and 29% in cyber range, downtime simulation, and resilience exercise services.

However, while 78% of survey respondents said their board receives general cybersecurity risk updates, only 31% receive cyber-resilience metrics tied to clinical continuity.

Only a quarter reported a full clinical downtime simulation within the past 12 months, and 32% said their organization had never conducted a full clinical downtime simulation, had only completed tabletop activity, or did not know when the last exercise occurred.

Worryingly, while 59% of respondents said they were confident that their hospitals could operate safely for 24 hours without core Electronic Health Record (EHR) access, that figure fell to 32% at 48 hours and just 14% at 72 hours.

"The 72-hour number should disturb every hospital board and ministry-level health technology leader in Europe. A hospital that can improvise through the first day of downtime is not necessarily resilient," said Brown.

"By day two and day three, medication reconciliation, laboratory turnaround, radiology workflow, identity access, pharmacy verification, transfer coordination, discharge planning, and backlog reconciliation become patient-safety risks. Cyber resilience is now an operational medicine issue."

The health sector is an increasingly popular target for cyber criminals, thanks to its critical nature. And many attacks have led to problems delivering patient care, including a 2024 ransomware attack on NHS pathology provider Synnovis, and, more recently, an attack on medical technology firm Stryker being described by the firm as 'destructive, not ransomware'.

"In Europe, the cyber battleground has moved from the server room to the bedside," said Brown.