Cyberattacks on Swiss healthcare facilities rose by 124% between 2023 and 2025 (NCSC). The average cost of a breach in healthcare is CHF 6.2 million, the highest across all industries (IBM, 2025). For Swiss hospitals, practices, and healthcare providers, cybersecurity is a patient safety issue.

This guide covers sector-specific threats, the applicable regulatory requirements (EPD, nDSG, medical device security), and proven protection measures for patient data and medical infrastructure.

Why Is Healthcare a Preferred Attack Target?

Healthcare combines several factors that make it particularly attractive to cybercriminals:

High Data Value: Medical data is up to ten times more valuable on the black market than credit card data. A complete patient record (name, date of birth, AHV number, diagnoses, insurance data) fetches prices of USD 250–1,000 per record.

Time-Critical Systems: Hospitals cannot afford to shut down systems for weeks or months. This dependency makes them ideal ransomware victims — 67% of Swiss hospitals affected by ransomware paid the ransom (NCSC, 2025).

Heterogeneous IT Landscape: The typical Swiss healthcare facility operates a mix of modern cloud systems, outdated on-premise applications, and medical devices with embedded operating systems that in some cases no longer receive security updates.

IT Staff Shortage: 78% of Swiss hospitals report that they do not have sufficient qualified IT security personnel (H+ Industry Study, 2025).

“A cyberattack on a hospital is not a purely technical matter — it directly threatens the health and lives of patients. The experiences of recent years show that no Swiss hospital is immune to such attacks.” — Prof. Dr. Antoine Geissbuhler, President Swiss Health ICT

Case Studies from Switzerland

The following incidents illustrate the real threat landscape:

  • Hirslanden Group (2020): Ransomware attack on Switzerland’s largest private hospital group. Recovery took several weeks and caused estimated costs exceeding CHF 10 million.
  • Wetzikon Hospital (2024): A phishing attack led to the exfiltration of patient data from over 15,000 patients. The hospital had to switch to emergency operations for over three days.
  • Multiple Medical Practices, Canton Zurich (2025): A coordinated ransomware campaign hit six medical practices simultaneously through a shared IT service provider. The practices were unable to operate for an average of 8 days.

What Regulatory Requirements Apply to Healthcare?

Swiss healthcare is subject to a complex web of data protection and security regulations that affect healthcare facilities of all sizes.

New Data Protection Act (nDSG) — Special Provisions

The nDSG, in force since 1 September 2023, places special requirements on the processing of health data, as these are classified as “particularly sensitive personal data”:

  • Explicit Consent: Processing health data generally requires explicit consent from the data subject unless a legal basis exists.
  • Data Protection Impact Assessment (DPIA): A DPIA is mandatory for most processing activities in healthcare.
  • Reporting Obligation: Breaches of data security that pose a high risk to affected individuals must be reported to the FDPIC without delay.
  • Technical and Organisational Measures (TOMs): Healthcare facilities must demonstrably implement appropriate technical and organisational measures to protect patient data.
  • Data Processing Agreements: IT service providers with access to patient data must be contractually bound to data protection requirements (data processing agreements).

Electronic Patient Dossier (EPD) — Security Requirements

The EPD is a central element of digitisation in Swiss healthcare. The technical and organisational requirements for EPD security are defined in the EPDG and EPDV:

  • Identification and Authentication: Two-factor authentication (2FA) for all access to the EPD. Approved identification means must comply with the requirements of the EPDV-EDI.
  • Access Logging: All access to EPD data must be comprehensively logged and retained for at least 10 years.
  • Encryption: End-to-end encryption for all EPD data in transit and at rest.
  • Certification: EPD reference communities must demonstrate ISO 27001 certification and undergo regular penetration testing.
  • Patient Control: Patients must have full control over their EPD data at all times, including the ability to grant and revoke access rights.
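The logging and patient-control requirements above (every access recorded and retained, patients able to see and revoke access) are easiest to meet with a log that is not only retained but tamper-evident. The following is an added example, not code from the page or from any EPD reference community: a hash-chained access log in which each record commits to its predecessor, so that an edited, reordered or removed record is detected on verification. The event fields, user and patient identifiers, and the SHA-256 chaining scheme are assumptions chosen for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Chain anchor for the first record (assumed convention: 64 zero hex digits).
GENESIS_HASH = "0" * 64

PAYLOAD_FIELDS = ("timestamp", "user_id", "patient_id", "document_id", "action")


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str       # ISO 8601 in UTC
    user_id: str         # health professional or patient; 2FA is handled upstream
    patient_id: str
    document_id: str
    action: str          # "read", "write", "grant", "revoke"
    prev_hash: str       # entry_hash of the previous record (GENESIS_HASH for the first)
    entry_hash: str      # SHA-256 over prev_hash + canonical JSON of the payload fields


def _digest(payload: Dict[str, str], prev_hash: str) -> str:
    """Key-sorted, whitespace-free JSON so every verifier hashes identical bytes."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + body).hexdigest()


class AccessLog:
    """Append-only access log; each entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[AccessEvent] = []

    def record(self, user_id: str, patient_id: str, document_id: str,
               action: str, timestamp: Optional[str] = None) -> AccessEvent:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        payload = {"timestamp": ts, "user_id": user_id, "patient_id": patient_id,
                   "document_id": document_id, "action": action}
        event = AccessEvent(**payload, prev_hash=prev, entry_hash=_digest(payload, prev))
        self.entries.append(event)
        return event

    def verify(self) -> bool:
        """Recompute the whole chain; any edited, reordered or removed inner entry fails."""
        prev = GENESIS_HASH
        for event in self.entries:
            payload = {k: getattr(event, k) for k in PAYLOAD_FIELDS}
            if event.prev_hash != prev or _digest(payload, prev) != event.entry_hash:
                return False
            prev = event.entry_hash
        return True

    def accesses_to(self, patient_id: str) -> List[AccessEvent]:
        """The view a patient gets when asking who accessed their dossier."""
        return [e for e in self.entries if e.patient_id == patient_id]


def build_sample_log() -> AccessLog:
    """Constructed sample events (not real EPD data)."""
    log = AccessLog()
    log.record("dr.mueller", "P-1001", "DOC-77", "read", "2025-03-01T08:00:00+00:00")
    log.record("P-1001", "P-1001", "DOC-77", "revoke", "2025-03-01T09:30:00+00:00")
    log.record("dr.mueller", "P-1002", "DOC-91", "write", "2025-03-01T10:15:00+00:00")
    return log


def tampered_copy(log: AccessLog, index: int, **changes: str) -> AccessLog:
    """Copy of the log in which one stored entry was edited after the fact."""
    copy = AccessLog()
    copy.entries = list(log.entries)
    copy.entries[index] = replace(copy.entries[index], **changes)
    return copy


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact chain verifies:", sample.verify())
    print("edited chain verifies:", tampered_copy(sample, 1, user_id="dr.schmidt").verify())
```

The chain alone does not reveal truncation from the end (dropping the newest records leaves a valid shorter chain), so the latest entry hash should additionally be anchored in write-once storage or a separate system at regular intervals; that anchoring, like the chaining itself, goes beyond what the page states as a requirement.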

Cantonal Health Laws

In addition to federal law, various cantons have enacted their own data protection and IT security requirements for healthcare facilities. For example, the Canton of Zurich has required all public hospitals to undergo annual cybersecurity audits and appoint an IT security officer since 2024.

How Should Swiss Hospitals Structure Their IT Security?

An effective cybersecurity architecture for Swiss hospitals must account for the particular challenges of healthcare: critical availability requirements, a heterogeneous IT landscape, and the handling of highly sensitive patient data.

Network Segmentation — The Most Important Foundation

Segmenting the hospital network is the single most effective measure against the spread of cyberattacks:

  • Medical Devices (IoMT): Isolated network segment with strict firewall rules. Medical devices may only interact with defined communication partners.
  • Clinical Systems (HIS, PACS, LIS): Dedicated segment with controlled interfaces to other systems.
  • Administration: Separate segment for ERP, HR, and financial systems.
  • Guest Network: Fully isolated Wi-Fi for patients and visitors.
  • OT Systems: Building automation, lifts, and other operational technology in a dedicated, shielded segment.
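The zone model above boils down to a default-deny policy in which only named segment-to-segment flows are permitted. As an added example (not the page's own material, and not any hospital's real policy), the following encodes the five zones as an allow-list, evaluates individual flows against it, and renders the same list as an nftables forward chain. The CIDRs, ports and the choice of HL7/DICOM flows between IoMT and clinical systems are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# The five zones from the list above, plus "internet" as an external peer.
SEGMENTS = frozenset({"iomt", "clinical", "admin", "guest", "ot", "internet"})

# Allow-list of (source segment, destination segment, protocol, destination port).
# Anything not listed is denied. Entries are constructed assumptions for illustration.
ALLOWED_FLOWS: FrozenSet[Tuple[str, str, str, int]] = frozenset({
    ("iomt", "clinical", "tcp", 2575),   # HL7 v2 from patient monitors to the HIS
    ("iomt", "clinical", "tcp", 104),    # DICOM from imaging modalities to PACS
    ("clinical", "admin", "tcp", 443),   # HIS to ERP/billing
    ("admin", "internet", "tcp", 443),
    ("admin", "internet", "udp", 53),
    ("guest", "internet", "tcp", 443),
    ("guest", "internet", "udp", 53),
    # note: no entry touches "ot" at all, so it is fully shielded
})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_allowed(flow: Flow) -> bool:
    """Default deny: a cross-segment flow passes only if it is explicitly listed."""
    if flow.src not in SEGMENTS or flow.dst not in SEGMENTS:
        raise ValueError(f"unknown segment in {flow}")
    if flow.src == flow.dst:
        return True  # intra-segment traffic is governed by host policy, not the zone firewall
    return (flow.src, flow.dst, flow.proto, flow.dport) in ALLOWED_FLOWS


def peers_of(segment: str) -> List[str]:
    """Every permitted cross-segment flow touching a segment, for periodic rule review."""
    return sorted(f"{s} -> {d} {p}/{port}" for (s, d, p, port) in ALLOWED_FLOWS
                  if segment in (s, d))


def render_nftables(segment_cidrs: Dict[str, str], wan_iface: str = "wan0") -> str:
    """Render the allow-list as an nftables forward chain with policy drop.

    segment_cidrs maps a zone name to its CIDR (constructed values); flows whose
    destination is "internet" are matched on the outbound interface instead.
    """
    lines = [
        "table inet hospital {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, port in sorted(ALLOWED_FLOWS):
        if src not in segment_cidrs or (dst != "internet" and dst not in segment_cidrs):
            continue
        match_dst = (f'oifname "{wan_iface}"' if dst == "internet"
                     else f"ip daddr {segment_cidrs[dst]}")
        lines.append(f"    ip saddr {segment_cidrs[src]} {match_dst} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example addressing plan.
    cidrs = {"iomt": "10.10.0.0/16", "clinical": "10.20.0.0/16",
             "admin": "10.30.0.0/16", "guest": "10.40.0.0/16", "ot": "10.50.0.0/16"}
    print(render_nftables(cidrs))
    print("iomt -> internet allowed?", is_allowed(Flow("iomt", "internet", "tcp", 443)))
```

Direction matters in the allow-list: the clinical segment may receive DICOM from modalities, but nothing is permitted to initiate connections into the IoMT segment, which is the property that stops lateral movement from a compromised workstation into medical devices.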

Endpoint Protection and Patch Management

The greatest challenge in healthcare is patch management for medical devices:

  • Standard Systems (PCs, Servers): Automated patch management with a maximum delay of 48 hours for critical patches.
  • Medical Devices: Many medical devices run on outdated operating systems (Windows XP, Windows 7) that no longer receive security updates. Compensating measures are required: network isolation, application whitelisting, and virtual patching.
  • Medical IoT Devices: Infusion pumps, patient monitors, and other connected devices require specific protection strategies as conventional endpoint protection software cannot be installed.

Identity and Access Management (IAM)

In hospital operations, multiple people often share a computer — a significant security risk. Recommended measures:

  • Single Sign-On (SSO) with badge-based authentication for fast, secure user switching
  • Role-Based Access Control (RBAC) based on clinical role
  • Privileged Access Management (PAM) for IT administrators
  • Multi-Factor Authentication (MFA) for all remote access and administrator access
  • Regular recertification of all access rights (at least semi-annually)

Backup and Recovery

Ransomware resilience starts with a solid backup strategy:

  • 3-2-1-1 Rule: Three copies on two different media types, one offsite, one offline (air-gapped).
  • Immutable Backups: Unalterable backups that cannot be deleted even with a compromised administrator account.
  • Recovery Tests: Monthly recovery tests for critical systems, including full system restoration.
  • Recovery Time Objective (RTO): For life-critical systems (e.g., emergency department, intensive care unit) a maximum of 4 hours.
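The four rules above can be checked mechanically against a backup plan. The following is an added example, not code from the page: a checker that takes a description of every copy of a system's data and reports which of the 3-2-1-1, immutability, monthly-restore-test and 4-hour RTO rules the plan fails. The plan structure, the sample systems and the 31-day threshold used for "monthly" are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                    # "disk", "tape", "object-storage", ...
    offsite: bool
    offline: bool                  # air-gapped: unreachable from the production network
    immutable: bool                # retention-locked: not deletable even by an admin account
    days_since_restore_test: int   # last successful full restore from this copy
    production: bool = False       # the live data counts as one of the three copies


@dataclass(frozen=True)
class BackupPlan:
    system: str
    life_critical: bool            # e.g. emergency department or ICU systems
    copies: List[BackupCopy]       # every copy, including the production data
    measured_restore_hours: float  # full restoration time from the last recovery test


MAX_RESTORE_TEST_AGE_DAYS = 31     # "monthly recovery tests" (assumed threshold)
LIFE_CRITICAL_RTO_HOURS = 4.0      # RTO stated for life-critical systems


def check_plan(plan: BackupPlan) -> List[str]:
    """Return findings; an empty list means the plan meets every rule above."""
    findings: List[str] = []
    copies = plan.copies
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (3 required)")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies on one medium type (2 required)")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("no offline (air-gapped) copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy")
    stale = [c.name for c in copies
             if not c.production and c.days_since_restore_test > MAX_RESTORE_TEST_AGE_DAYS]
    if stale:
        findings.append(f"restore test older than {MAX_RESTORE_TEST_AGE_DAYS} days: {stale}")
    if plan.life_critical and plan.measured_restore_hours > LIFE_CRITICAL_RTO_HOURS:
        findings.append(f"measured restore {plan.measured_restore_hours} h exceeds "
                        f"{LIFE_CRITICAL_RTO_HOURS} h RTO")
    return [f"{plan.system}: {f}" for f in findings]


def sample_plans() -> List[BackupPlan]:
    """Two constructed plans: one that meets every rule and one that breaks most of them."""
    compliant = BackupPlan(
        system="ICU patient monitoring server", life_critical=True,
        copies=[
            BackupCopy("production", "disk", False, False, False, 0, production=True),
            BackupCopy("nightly-snapshot", "disk", False, False, True, 12),
            BackupCopy("offsite-object-store", "object-storage", True, False, True, 20),
            BackupCopy("weekly-tape", "tape", True, True, True, 28),
        ],
        measured_restore_hours=3.5,
    )
    weak = BackupPlan(
        system="Practice HIS database", life_critical=True,
        copies=[
            BackupCopy("production", "disk", False, False, False, 0, production=True),
            BackupCopy("nas-copy", "disk", False, False, False, 95),
        ],
        measured_restore_hours=9.0,
    )
    return [compliant, weak]


if __name__ == "__main__":
    for plan in sample_plans():
        print(plan.system, "->", check_plan(plan) or ["OK"])
```

The weak plan illustrates the typical practice setup: a single NAS copy on the same network, never restore-tested, which a ransomware operator with the administrator's credentials can encrypt or delete along with the production data.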

How Do You Protect Medical Devices from Cyberattacks?

The security of connected medical devices (Internet of Medical Things, IoMT) is one of the greatest challenges in healthcare. A typical Swiss hospital with 300 beds has an estimated 3,000–5,000 connected devices in operation.

The Particular Risks of Medical Devices

  • Long Lifecycles: Medical devices typically have a service life of 10–20 years, while IT systems are replaced every 3–5 years.
  • Regulatory Constraints: Changes to medical device software may require recertification under MDR, which delays security updates.
  • Proprietary Systems: Many devices run on proprietary operating systems for which no standard security tools are available.
  • Patient Safety: A faulty security update on a ventilator or infusion pump can be immediately life-threatening.

A protection strategy that addresses these risks comprises the following steps:

  1. Asset Inventory: Complete recording of all connected medical devices with firmware versions, network connections, and risk classification.
  2. Network Isolation: Microsegmentation for medical devices by risk class and clinical function.
  3. Monitoring: Specialised IoMT security platforms that detect anomalous behaviour of medical devices without disrupting clinical operations.
  4. Procurement Process: Integration of cybersecurity requirements into the procurement process for new medical devices (Security by Design).
  5. Vulnerability Management: Regular vulnerability scanning and collaboration with manufacturers for security updates.
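The asset inventory in step 1 is only useful if it drives the checks described under Endpoint Protection and Patch Management above: a 48-hour window for critical patches on standard systems, and compensating controls (network isolation, application whitelisting, virtual patching) on devices whose operating system no longer receives updates. The following is an added example, not code from the page or from any IoMT platform: an inventory record type and a small assessment that flags overdue patches, unsupported operating systems without the full set of compensating controls, and medical devices found outside the isolated IoMT segment. The asset identifiers, dates and segment names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Operating systems the text names as no longer receiving security updates.
UNSUPPORTED_OS = {"windows xp", "windows 7"}
# Compensating controls the text requires for such devices.
REQUIRED_COMPENSATING = {"network_isolation", "application_whitelisting", "virtual_patching"}
CRITICAL_PATCH_SLA = timedelta(hours=48)
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Asset:
    asset_id: str
    kind: str                      # "standard" (PC/server) or "medical"
    os: str
    firmware: str
    segment: str                   # network segment the device is connected to
    risk_class: str                # "high", "medium", "low"
    critical_patch_released: Optional[datetime] = None   # vendor release of latest critical fix
    critical_patch_applied: Optional[datetime] = None    # None = not yet applied
    compensating_controls: Set[str] = field(default_factory=set)


def assess(asset: Asset, now: datetime) -> List[str]:
    """Findings for one asset; an empty list means it meets the stated rules."""
    findings: List[str] = []
    if asset.os.lower() in UNSUPPORTED_OS:
        # No patches will come, so the compensating controls are mandatory.
        missing = REQUIRED_COMPENSATING - asset.compensating_controls
        if missing:
            findings.append(f"unsupported OS '{asset.os}' without {sorted(missing)}")
    elif asset.kind == "standard" and asset.critical_patch_released is not None:
        deadline = asset.critical_patch_released + CRITICAL_PATCH_SLA
        applied = asset.critical_patch_applied
        if applied is None and now > deadline:
            findings.append(f"critical patch overdue by {now - deadline}")
        elif applied is not None and applied > deadline:
            findings.append(f"critical patch applied {applied - deadline} after the 48 h SLA")
    if asset.kind == "medical" and asset.segment != "iomt":
        findings.append(f"medical device outside the isolated IoMT segment ({asset.segment})")
    return [f"{asset.asset_id}: {f}" for f in findings]


def inventory_report(assets: List[Asset], now: datetime) -> List[str]:
    """All findings, highest risk class first so the review starts where it matters."""
    ordered = sorted(assets, key=lambda a: (RISK_ORDER[a.risk_class], a.asset_id))
    report: List[str] = []
    for asset in ordered:
        report.extend(assess(asset, now))
    return report


NOW = datetime(2025, 6, 10, 12, 0)   # constructed reference time for the sample


def sample_inventory() -> List[Asset]:
    """Constructed example devices, not a real inventory."""
    return [
        Asset("PC-0042", "standard", "Windows 11", "n/a", "admin", "low",
              critical_patch_released=datetime(2025, 6, 9, 10, 0),
              critical_patch_applied=datetime(2025, 6, 9, 20, 0)),      # within 48 h
        Asset("SRV-HIS-01", "standard", "Windows Server 2022", "n/a", "clinical", "high",
              critical_patch_released=datetime(2025, 6, 7, 8, 0)),      # still unpatched
        Asset("INF-PUMP-17", "medical", "Windows 7", "4.2.1", "iomt", "high",
              compensating_controls=set(REQUIRED_COMPENSATING)),         # fully compensated
        Asset("MON-ICU-03", "medical", "Windows XP", "1.9", "clinical", "high",
              compensating_controls={"network_isolation"}),              # two gaps
    ]


if __name__ == "__main__":
    for line in inventory_report(sample_inventory(), NOW):
        print(line)
```

Vendor end-of-life data and the manufacturer's own security advisories (step 5) would normally feed UNSUPPORTED_OS and the patch release dates; here they are hard-coded so the example runs offline.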

For a professional assessment of the security posture, we recommend a specialised cybersecurity assessment by experienced security experts.

How Do Medical Practices and Outpatient Facilities Protect Their Data?

While hospitals often have dedicated IT departments, medical practices and outpatient facilities are particularly vulnerable. A survey by FMH and HIN shows that 43% of Swiss medical practices have no contingency plan for cyberattacks.

Basic Protection Measures for Medical Practices

Even with a limited budget, medical practices can achieve an appropriate security level:

  • Managed Security Service: An external IT security provider handles monitoring and patch management. Cost: from CHF 200 per month per workstation.
  • Email Security: Professional email filtering and anti-phishing solution. HIN (Health Info Net) offers services specifically tailored to healthcare.
  • Encryption: Full encryption of all endpoints (laptops, tablets) and external storage media.
  • Backup: Automated, encrypted cloud backup with daily backups and monthly recovery testing.
  • Access Control: Individual user accounts for all employees, no shared passwords.
  • Awareness Training: At least annual security awareness training for all employees, including phishing simulations.
  • Physical Security: Lockable server rooms, screen lock after 2 minutes of inactivity, no unattended patient data.

Cybersecurity Costs for Medical Practices

Measure                    Monthly Cost (Solo Practice)   Monthly Cost (Group Practice)
Managed Security Service   CHF 400–800                    CHF 1,200–3,000
Email Security (HIN)       CHF 50–100                     CHF 150–400
Backup Solution            CHF 100–200                    CHF 300–600
Awareness Training         CHF 50–100                     CHF 150–300
Cyber Insurance            CHF 100–250                    CHF 300–800
Total                      CHF 700–1,450                  CHF 2,100–5,100

For a thorough overview of cybersecurity costs, we recommend the cost guide by Alpine Excellence.

What Role Does Security Awareness Play in Healthcare?

The human factor is particularly critical in healthcare. The high workload, time pressure, and the multitude of IT systems used in daily clinical operations increase susceptibility to social engineering attacks.

Particularities in Healthcare

  • Shift Operations: Security awareness training must be offered for various shifts and must not disrupt clinical operations.
  • Diverse Professional Groups: From doctors to nursing staff to administrative employees — each group has different IT usage patterns and risk profiles.
  • Time Pressure: In emergency situations, security protocols are often bypassed. Training must account for this reality and demonstrate pragmatic solutions.
  • High Turnover: Regular onboarding of new employees into security processes is essential.

An effective security awareness programme for healthcare facilities includes:

  1. Basic Training: 60-minute e-learning upon starting employment, adapted to the respective professional group.
  2. Phishing Simulations: Monthly, realistic phishing simulations with immediate feedback.
  3. Short Courses: Quarterly 15-minute microlearning modules on current threats.
  4. Specialist Training: Annual in-depth training for IT staff, managers, and data protection officers.
  5. Incident Response Exercises: Semi-annual tabletop exercises for the crisis team.

How Do You Prepare for a Cyber Emergency?

A documented and regularly tested incident response plan is vital for healthcare facilities — in the truest sense of the word.

Special Requirements in Healthcare

  • Patient Safety First: The incident response plan must prioritise clinical care. In an emergency, fallback procedures for manual documentation and communication must be ready.
  • Reporting Obligations: FDPIC (for data breaches), cantonal physician (for patient safety threats), NCSC (for critical infrastructure), and potentially law enforcement authorities.
  • Communication: Transparent communication with patients, referring physicians, and media. A communication plan must be prepared.
  • Business Continuity: Defined procedures for operations without IT systems (paper documentation, manual medication dispensing, telephone communication).

Emergency Checklist

  1. Incident Detection: Incident identified and classified
  2. Containment: Affected systems isolated, spread stopped
  3. Patient Safety: Clinical care ensured, manual fallback procedures activated
  4. Notifications: FDPIC, cantonal physician, NCSC, and potentially law enforcement informed
  5. Forensics: Evidence secured for later analysis
  6. Recovery: Gradual restoration of systems from clean backups
  7. Communication: Patients, employees, and public informed
  8. Lessons Learned: Post-incident review and adjustment of security measures

How Is Healthcare Cybersecurity Evolving?

Telemedicine and Remote Access

The COVID-19 pandemic has greatly accelerated telemedicine in Switzerland. 62% of Swiss doctors now offer video consultations (FMH, 2025). This creates new attack surfaces:

  • Secure video conferencing solutions with end-to-end encryption
  • VPN or zero trust access for remote access to clinical systems
  • Secure messaging platforms for communication between providers (e.g., HIN Messenger)
  • Patient identification during telemedicine consultations

AI in Medicine — New Security Risks

The increasing use of AI in medical diagnostics and treatment planning brings new cybersecurity challenges:

  • Adversarial Attacks: Manipulation of AI-assisted diagnostic systems through targeted input modifications
  • Data Poisoning: Corruption of training data for medical AI models
  • Model Stealing: Theft of proprietary medical AI models through API-based attacks
  • Privacy Risks: Extraction of patient data from AI models through membership inference attacks

Frequently Asked Questions (FAQ)

Does my medical practice need a data protection officer?

Under the nDSG, appointing a data protection advisor is voluntary but recommended. For facilities that process extensive health data (hospitals, group practices), a data protection officer is de facto necessary to meet compliance requirements.

How often should a hospital conduct penetration tests?

At least annually for all externally exposed systems and after every significant change to the IT infrastructure. For EPD reference communities, penetration tests are mandatory as part of ISO 27001 certification. Critical clinical systems should additionally be tested semi-annually.

What should I do in the event of a ransomware attack on my hospital?

Immediately activate the crisis team, isolate affected systems, and ensure clinical care through manual fallback procedures. Paying ransom is not recommended by the NCSC or law enforcement. Instead: report to the NCSC, initiate forensic investigation, and restore from clean backups.

Which cyber insurance is suitable for healthcare facilities?

Specialised cyber policies for healthcare should cover at minimum: business interruption, incident response and forensics costs, notification of affected patients, regulatory fines, and reputation management. Premiums for a Swiss hospital with 200 beds typically range from CHF 50,000–150,000 per year.

Is the use of cloud services permitted for patient data?

Yes, under strict conditions. Data must be processed in Switzerland or in a country with an adequate level of data protection. A data processing agreement must be in place, and technical measures (encryption, access control) must correspond to the protection requirements of health data. For EPD data, additional EPDG requirements apply.

How do I integrate cybersecurity into the procurement process for medical devices?

Define cybersecurity minimum requirements as mandatory criteria in tenders: current operating system support, regular security updates, encrypted communication, ability for network isolation, and compatibility with common monitoring tools. Require a Software Bill of Materials (SBOM) from the manufacturer and a defined vulnerability disclosure process.

Conclusion: Cybersecurity as a Foundation of Patient Safety

In Swiss healthcare, cybersecurity is inseparable from patient safety. A successful cyberattack can lead not only to data losses and financial damage but in the worst case endanger human lives. The increasing digitisation through EPD, telemedicine, and connected medical devices continuously expands the attack surface.

Swiss hospitals and medical practices that invest in cybersecurity today protect not only their data and reputation but fulfil their most fundamental duty: the protection of their patients. The measures described in this guide — from network segmentation to employee awareness to the incident response plan — form the foundation of a resilient healthcare infrastructure.