Cybersecurity for the Healthcare Sector and Hospitals

Resposta direta

To protect a healthcare organization in Brazil, map where the sensitive data resides (medical records, PACS/DICOM exams, genetic data), treated as sensitive personal data by LGPD (Law 13.709/2018, art. 11). Then: segment the clinical network and the IoMT fleet from administrative IT; deploy immutable, offline backups tested against ransomware; activate a 24x7 SOC with detection aligned to MITRE ATT&CK; establish a response plan with a containment SLA and notification to the ANPD; and adapt processing to LGPD, CFM and ANS. Start with the free diagnostic at decripte.com.br/intelligence-center.

Principais conclusões

  • Health data is sensitive personal data under LGPD (Law 13.709/2018, art. 11): medical records, exams, genetic and biometric data require a specific legal basis, granular consent and reinforced technical measures — a leak triggers a duty to notify the ANPD and the data subject.
  • Hospital ransomware is a threat to life, not just to data: the unavailability of medical records, surgical schedules and imaging systems can paralyze care, and double extortion (encryption + exfiltration) forces payment under the blackmail of disclosing intimate exams.
  • The IoMT fleet (infusion pumps, monitors, ventilators, PACS/DICOM, HL7/FHIR) usually runs unpatched legacy systems and protocols without authentication — it must be inventoried, segmented into an isolated clinical VLAN and monitored, never exposed to the administrative network.
  • Healthcare interoperability (RNDS/DATASUS, the TISS standard, HL7/FHIR) broadens the attack surface: poorly authenticated integrations, exposed tokens and endpoints without TLS become entry points and mass exfiltration points for clinical data.
  • Fraud in health plans and TISS billing — fake authorizations, manipulated claim denials, compromised provider credentials — requires access control, an immutable audit trail and transactional anomaly detection, not just a perimeter.
  • Compliance is not a paper checklist: LGPD (ANPD), CFM Resolution 2.314/2022 (telemedicine and medical records), ANS rules and good practices from ISO 27799/HDS and NIST CSF must become operating, auditable technical controls, exercised in incident simulations.

Why the healthcare sector is the preferred target — and what is at stake

The healthcare sector combines, in a single target, everything that makes an organization attractive to cybercrime: extremely high-value data, low tolerance for unavailability and a technology fleet historically underinvested in security. A complete electronic medical record is worth, in the underworld, far more than a credit card number, because it aggregates identity, clinical history, health plan financial data, documents and, frequently, family members' data. Unlike a leaked password, which can be changed, a diagnosis, a genetic test or a mental health history are immutable: once exposed, they follow the patient for the rest of their life. That is why CISA and CERT.br treat healthcare as critical infrastructure, and why Decripte structured a dedicated front for the sector, from the individual practice (MEI) to the large hospital complex (Enterprise).

What sets healthcare apart from almost every other sector is that unavailability has a direct clinical consequence. When ransomware encrypts the medical record system, the hospital loses the history of allergies and medications; when it paralyzes the PACS, the radiologist stops issuing reports; when it takes down the surgical schedule, procedures are postponed. The attack ceases to be an IT problem and becomes a threat to life — and ransomware operators know this, calibrating the pressure precisely on that urgency. It is the only vertical in which information security merges, in practice, with patient safety.

This scenario is aggravated by a structural reality: hospitals and clinics operate heterogeneous fleets, with medical equipment on a 10-to-15-year life cycle running unsupported operating systems, integrated with modern management software and healthtech clouds. On the same network coexist an infusion pump with decade-old firmware and a telemedicine REST API. This patchwork creates lateral movement paths that an attacker methodically exploits — exactly the kind of chain the MITRE ATT&CK catalogs and that a well-instrumented SOC needs to see in real time.

Behind every record is a person. When we talk about risk in the healthcare sector, we talk about the patient whose oncology report, whose serology result or whose psychiatric record could be published on an extortion site for non-payment of the ransom. This is the human — and legal — face of the problem: LGPD exists precisely to protect that data subject, and the organization that fails to protect the data answers for it. Understanding what is at stake is the first step; mapping it concretely is the second, and that is where Decripte's free diagnostic (decripte.com.br/intelligence-center) begins to work.

The healthcare threat map: ransomware, leakage, IoMT and fraud

The most lethal and visible threat is hospital ransomware. The typical attack has evolved into the double extortion model: before encrypting the systems, the criminal group silently exfiltrates medical records, exams and patient databases, so that, beyond demanding a ransom for the decryption key, it can threaten to publish the sensitive data. In healthcare, this second lever is devastating — the blackmail of disclosing intimate diagnoses creates simultaneous clinical, reputational and legal pressure. Entry usually comes from phishing against clinical teams, exposed remote-access credentials (RDP/VPN) or unpatched vulnerabilities; effective defense combines EDR, segmentation, tested immutable and offline backups, and behavioral detection that catches lateral movement before encryption — tactics the MITRE ATT&CK framework maps step by step.

Health data leakage is the second major front, and the most regulated. Here the damage is independent of encryption: exfiltration alone is enough. Data leaks through a healthtech's poorly authenticated API, through a misconfigured storage bucket, through an employee with excessive access, through an insecure integration with a laboratory or through a credential compromised in an infostealer log. Because art. 11 of LGPD classifies health data as sensitive, any incident that exposes it triggers the duty to notify the ANPD and data subjects and can generate sanctions. Decripte monitors precisely this vector — including the presence of the organization's credentials and data in leaks and underground markets — as part of Threat Management.

The third front, frequently neglected, is IoMT — the Internet of Medical Things. Infusion pumps, multiparameter monitors, ventilators, imaging equipment and PACS servers communicate via protocols like DICOM and HL7/FHIR, many without native authentication or encryption, on systems that rarely receive a patch because the update depends on the manufacturer and the device's certification. An exposed DICOM server can reveal medical images to anyone on the internet; a compromised device becomes a pivot point or, in the worst case, has its operation manipulated. The correct response is not to try to 'fix' the device, but to inventory it, isolate it in a segmented clinical VLAN, control the traffic and monitor it — a compensating mitigation approach that Decripte implements in the edge security and network architecture project.

The fourth front is economic: fraud in health plans and billing. The TISS ecosystem — the standard for exchanging information between health plan operators and providers — moves authorizations, approvals and charges that, when attacked, enable billing fraud, fake authorizations, claim-denial manipulation and misuse of provider credentials. Add to this BEC (corporate email compromise) directed at the financial departments of hospitals and operators, with payment fraud and vendor diversion. Fighting this requires role-based access control, multi-factor authentication, an immutable audit trail and transactional anomaly detection — controls that go far beyond the perimeter firewall.

Gestão de Ameaças · Grátis

Os dados da sua empresa de saúde e hospitais já estão expostos? Descubra agora — de graça.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

The regulatory framing: LGPD art. 11, ANPD, CFM and ANS

The legal starting point is LGPD (Law 13.709/2018). Its article 11 classifies data related to health as sensitive personal data, alongside genetic and biometric data, subjecting its processing to a stricter regime: specific legal grounds, a determined purpose, and the obligation to adopt technical and administrative security measures capable of protecting the data from unauthorized access and from accidental or unlawful situations. In practice, this means it is not enough to 'have security' — you must demonstrate it, with a processing inventory, a documented legal basis, auditable controls and accountability. The professional or clinic that processes health data is a controller and answers for that adequacy.

When a security incident occurs that may pose relevant risk or harm to data subjects, LGPD imposes the duty to notify the ANPD (National Data Protection Authority) and the affected data subjects, within a reasonable timeframe, with a description of the nature of the data, the data subjects involved, the measures adopted and the risks. The ANPD has been issuing regulation on incident notification and sanction dosimetry, and the absence or delay of notification is, in itself, an aggravating factor. That is why a healthcare organization's incident response plan must include, from the design stage, the legal notification flow — not as an improvised reaction, but as a rehearsed procedure, with defined responsible parties and deadlines.

On the medical act and the clinical record fall rules from the CFM (Federal Council of Medicine). CFM Resolution 2.314/2022 governs telemedicine and reinforces requirements on the electronic medical record, confidentiality, integrity and security of information exchanged remotely, including storage and protection of the data. Telemedicine platforms and healthtechs must, therefore, reconcile clinical usability with requirements of confidentiality, authentication of the parties, an auditable record of the consultation and protection of the channel — a balance that requires a security architecture designed from the outset (security by design).

For health plan operators, the ANS (National Supplementary Health Agency) framework is added, regulating the exchange of information via the TISS standard and imposing duties of integrity, availability and data protection in the relationship among operators, providers and beneficiaries. Stitching all of this together, international standards serve as a reference of good practice: ISO 27799 translates the controls of ISO 27001/27002 to the context of health information, HDS is a reference for hosting health data, and the NIST CSF organizes the functions of Identify, Protect, Detect, Respond and Recover. Decripte uses these frameworks as the backbone of its LGPD/ISO consulting and its CISO-as-a-Service for the sector.

How Decripte implements security for a healthcare organization

Implementation begins with visibility, which is why the free Threat Management product (decripte.com.br/intelligence-center) is the natural starting point: it maps the organization's exposure surface, identifies vulnerabilities and risks, and monitors threats with a team and artificial intelligence 24x7. For a clinic or hospital, this answers the first critical questions — which assets and ports are exposed to the internet, are there DICOM servers or management panels publicly accessible, are there team credentials leaked in infostealer databases, what is the current risk level. At no cost and with no friction, the diagnostic turns uncertainty into an actionable map, which serves as the basis for prioritizing where to invest first.

From that map, Decripte structures defense in layers. Vulnerability Management organizes a continuous cycle of discovery, prioritization by real risk (not just by theoretical severity) and remediation, essential in an environment with unpatched equipment. Preventive Security with EDR places sensors on clinical and administrative endpoints to detect and block ransomware and lateral movement. Edge Security/WAF protects the scheduling systems, patient portals and telemedicine APIs against the attacks mapped by OWASP. And Pentesting/Offensive Security validates everything in practice, simulating the real attacker to find the compromise path before the criminal does — including specific testing of TISS, RNDS integrations and HL7/FHIR endpoints.

The heart of the operation is the 24x7 SOC. In healthcare, monitoring outside business hours is not a luxury: attacks are triggered in the small hours and on holidays precisely to find the defense asleep. Decripte's SOC correlates events from the clinical network, the segmented IoMT fleet, the endpoints and the cloud, using detection aligned to MITRE ATT&CK to recognize the tactics and techniques of each attack stage — from initial access to exfiltration — and act before encryption. For healthtechs and operators with a strong digital component, this monitoring extends to the APIs and the data pipeline, where much of the modern risk lives.

On top of all this technical foundation, LGPD/ISO Consulting and CISO-as-a-Service stitch together governance: an inventory of sensitive health data processing, definition of legal bases, policies, vendor management (laboratories, healthtechs, clouds), a response plan with a notification flow to the ANPD and simulation exercises. For organizations without a dedicated security leader — the majority of early-stage clinics and healthtechs — CISO-as-a-Service delivers that leadership in a fractional, tailored way. For those operating with digital assets, blockchain or tokenization (an emerging frontier in healthcare), the Web3 front covers the specific risks of that domain.

Gestão de Ameaças · Grátis

Sua operação em saúde e hospitais aguenta um ataque hoje? Comece o diagnóstico gratuito.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

Incident response in a hospital environment: every minute counts

In a hospital, the window between the attacker's initial access and the encryption of the medical record can be a matter of hours, and every minute of unavailability has a clinical cost. That is why Decripte offers Incident Response with an SLA of starting the engagement in under 1 hour. When the alarm goes off, the immediate objective is not to understand everything, but to contain: isolate compromised hosts, cut off lateral movement, preserve the systems that still sustain care and prevent encryption or exfiltration from advancing. In a healthcare environment, this containment is executed with surgical care, because shutting down the wrong segment can be as damaging as the attack itself — it is the difference between those who know the sector and those who improvise.

Hospital response has a particularity few sectors share: continuity of care cannot stop while IT recovers. That is why the response plan must be coupled with a clinical contingency plan — manual medical record procedures, alternative flows for releasing exams and medication, internal communication that keeps teams operating with patient safety even with degraded systems. Decripte structures this bridge between the technical response and care continuity, rehearsed in tabletop exercises before the real incident, so the team does not discover the plan on the worst day.

The next phase is eradication and recovery from trusted backups. Here the preparation done before the incident makes all the difference: immutable, offline and regularly tested backups are what allow refusing the ransom and restoring the operation. In parallel, forensic analysis reconstructs the attack's timeline — how they got in, what they accessed, which data was exfiltrated — information indispensable both to close the breach and to fulfill the legal duty to notify the ANPD and data subjects with precision about the nature and extent of the leak.

Finally, every well-handled incident ends in structured learning. The post-incident report feeds the tuning of the defenses, the SOC's detection rules and the governance controls, closing the NIST CSF cycle in the Recover function and feeding back into Protect and Detect. For healthcare organizations, this means emerging from the incident more resilient — and being able to demonstrate to the ANPD, to patients and to the market a posture of continuous improvement, not of negligence. Security maturity is not never being attacked; it is detecting fast, responding well and proving that you learned.

The patient's angle: behind every medical record is a person

It is easy to discuss healthcare cybersecurity in terms of networks, servers and compliance, and forget that every protected record belongs to a real person. When a leak exposes an oncology report, an HIV test result, a mental health history or a genetic test, the harm is not abstract: it is the loss of control over the most intimate information that exists about someone, with the potential for discrimination at work, in the health plan and in personal relationships. For the patient, it is irreversible. LGPD classifies this data as sensitive precisely because it recognizes that human weight — and it is that data subject that the entire security architecture exists to protect.

If you are a patient and suspect your health data has leaked — you received a communication from the clinic, saw your name in an incident news report, or started receiving strange contacts related to your treatment — you have rights. LGPD guarantees the data subject access to information about the processing of their data, the possibility of demanding explanations and corrections and, in relevant incidents, notification by the controller. Keep evidence of the communication you received, be wary of messages that use real information about your treatment to appear legitimate (a common scam after leaks), and change passwords for health portals, enabling two-factor authentication where possible.

This patient angle is, in fact, the best business argument for the healthcare organization. Trust is the central asset of the doctor-patient relationship, and it extends to the handling of data. A clinic that protects data well, that communicates transparently and that responds quickly to incidents builds reputation; one that leaks and tries to hide it destroys it lastingly. Investing in security is not a compliance cost — it is protection of the bond that sustains the business. Decripte helps healthcare organizations be worthy of that trust, in practice and in a demonstrable way.

Both for the individual concerned about their own data and for the healthcare manager who wants to know the organization's real exposure, the path begins in the same place: understanding the concrete risk. Decripte's free Threat Management diagnostic (decripte.com.br/intelligence-center) reveals, at no cost, the attack surface, the vulnerabilities and the presence of data in leaks — turning diffuse concern into a clear action plan. From the neighborhood clinic to the large hospital, from the MEI to the Enterprise, the first step is the same: see what you are not seeing.

Termos do setor

Electronic Patient Record (EPR)
The consolidated digital record of a patient's health information — clinical history, diagnoses, medications, allergies, progress notes and exam results. It is sensitive personal data under LGPD and is subject to CFM confidentiality and storage rules. Its unavailability (through ransomware) or its leakage has direct clinical and legal impact.
PACS / DICOM
PACS (Picture Archiving and Communication System) is the system for archiving and distributing medical images (CT, MRI, X-ray). DICOM is the format and communication standard for those images. Misconfigured DICOM servers exposed to the internet are a recurring vector for exam leakage, since many implementations operate without adequate authentication.
IoMT (Internet of Medical Things)
The set of networked medical devices — infusion pumps, multiparameter monitors, ventilators, imaging equipment. They tend to run unpatched legacy systems and protocols without authentication, which makes them targets and pivot points. The defense is based on inventory, segmentation into an isolated clinical VLAN and monitoring, since many cannot receive a patch.
RNDS (National Health Data Network)
An interoperability platform from DATASUS/Ministry of Health that integrates health data between public and private establishments in Brazil, using standards like HL7 FHIR. It broadens continuity of care, but also the attack surface: poorly protected integrations and tokens can become an entry point or a point of clinical data exfiltration at scale.
TISS standard
Troca de Informações na Saúde Suplementar (Exchange of Information in Supplementary Health) — a standard regulated by the ANS for communication between health plan operators and providers (authorizations, approvals, billing, claim denials). By concentrating financial and eligibility flows, it is a target of fraud: fake authorizations, claim-denial manipulation and misuse of provider credentials require access control and an audit trail.
Sensitive personal data
A category under LGPD (art. 11) covering data on health, sex life, genetic and biometric data, racial or ethnic origin, religious conviction, political opinion and union membership. It receives stricter protection because its leakage carries a high potential for discrimination and irreversible harm. All medical record, exam and diagnosis data falls into this category.

Por onde começar

  1. Inventory and classify health data: map where the electronic medical record, exams (PACS/DICOM), genetic and biometric data reside, and classify them as sensitive data under LGPD art. 11, with a documented legal basis and purpose for each processing operation.
  2. Run the free Threat Management diagnostic (decripte.com.br/intelligence-center) to discover the internet-exposed surface — DICOM servers, management panels, telemedicine APIs, patient portals — and identify team credentials leaked in infostealer databases.
  3. Segment the network: isolate the IoMT fleet (infusion pumps, monitors, PACS, imaging equipment) in a dedicated clinical VLAN, separate from administrative IT and the internet, with traffic control and least-privilege rules between segments.
  4. Deploy immutable, offline backups and test restoration periodically: this is the decisive defense that allows refusing the ransomware ransom and recovering clinical operation without depending on the criminal.
  5. Activate EDR on clinical and administrative endpoints and MFA on all remote access (VPN, RDP, portals), eliminating the most common entry points of phishing and compromised credentials.
  6. Engage continuous monitoring (24x7 SOC) with detection aligned to MITRE ATT&CK, covering network, IoMT, endpoints, cloud and APIs, to see lateral movement before encryption or exfiltration.
  7. Structure the incident response plan coupled with clinical continuity and the ANPD notification flow, with responsible parties, deadlines and a containment SLA, and rehearse it in tabletop exercises before the real incident.
  8. Adapt governance to LGPD, CFM (telemedicine, Resolution 2.314/2022), ANS and good practices from ISO 27799/NIST CSF, with policies, vendor management (labs, healthtechs, clouds) and, if dedicated leadership is lacking, engage CISO-as-a-Service.

Perguntas frequentes

Is health data considered sensitive under LGPD?

Yes. Article 11 of LGPD (Law 13.709/2018) classifies data related to health as sensitive personal data, alongside genetic and biometric data. This means a stricter processing regime: specific legal bases, a determined purpose and reinforced technical and administrative security measures. A leak of this data tends to generate a duty to notify the ANPD and data subjects.

Can a hospital pay a ransomware ransom?

There is no explicit legal prohibition in Brazil, but paying is strongly discouraged: it does not guarantee data recovery or prevent disclosure of what was exfiltrated, it finances crime and can encourage new attacks. The correct strategy is to prevent with immutable, tested backups that allow restoring the operation without negotiating. Payment also does not eliminate the duty to notify the ANPD about the incident.

How do I notify the ANPD of a health data leak?

When the incident may pose relevant risk or harm to data subjects, LGPD requires notification to the ANPD and affected data subjects within a reasonable timeframe, describing the nature of the data, the data subjects involved, the measures adopted and the risks. The ANPD provides its own channel and regulation for this communication. That is why the notification flow must be foreseen in the incident response plan, with responsible parties and deadlines defined before the incident.

What is IoMT and why is it a security risk?

IoMT (Internet of Medical Things) are connected medical devices — infusion pumps, monitors, ventilators, imaging equipment, PACS servers. The risk comes from their running unpatched legacy systems and protocols like DICOM and HL7/FHIR without native authentication or encryption. Because many cannot be updated by the hospital, the correct mitigation is to inventory, isolate in a segmented VLAN and monitor, rather than trying to fix the device directly.

Does LGPD apply to small clinics and individual practices?

Yes. LGPD applies to any organization that processes personal data, regardless of size — from an MEI practice to a large hospital. Professionals and clinics that process health data are controllers and answer for adequacy. The level of measures may be proportional to the risk, but the essential obligations (legal basis, security, incident notification) apply to all. Decripte serves from the MEI to the Enterprise precisely for this reason.

Does telemedicine require specific security care?

Yes. CFM Resolution 2.314/2022 governs telemedicine and reinforces requirements on confidentiality, the electronic medical record, integrity and security of information exchanged remotely. Platforms and healthtechs must ensure authentication of the parties, an encrypted channel, an auditable record of the consultation and adequate protection and storage of the data — ideally with security designed from the outset (security by design), not added later.

How long does Decripte take to respond to an incident in a hospital?

Decripte's Incident Response service has an SLA of starting the engagement in under 1 hour. In a hospital environment, the immediate priority is to contain — isolate compromised hosts and cut off lateral movement — preserving the systems that sustain care. The response is coupled with a clinical contingency plan, so that patient care continues while the technical recovery takes place.

Planos indicados para Saúde e Hospitais

Serviços da Decripte mapeados para as ameaças e regulamentações do seu setor — do diagnóstico gratuito ao SOC gerenciado.

A Decripte implementa a segurança do seu setor — sem você montar um time interno.

Pentest, SOC 24x7, resposta a incidentes e conformidade, com SLA e relatórios executivos. Ou comece de graça vendo o que já vazou da sua empresa.