A European Hospital Network Passes HIPAA-Equivalent Audit and Blocks Ransomware Lateral Movement
Healthcare • Cybersecurity
Client: Healthcare Provider
Year: 2025
INDUSTRY & CONTEXT
A European hospital network with operations in three countries, managing approximately 4,200 endpoints including clinical workstations, medical imaging systems, nurse call infrastructure, and administrative devices.
The organisation was subject to NIS2 (healthcare sector, mandatory) and GDPR, and had received regulatory notification of an upcoming NIS2 assessment. A parallel concern was the increasing frequency of ransomware targeting hospital systems across Europe.
The problem
Four issues put the HIPAA-equivalent audit at risk:
• Patch success rate of 68%. The lowest-achieving OS category was legacy Windows 7 systems integrated with radiology and laboratory equipment under OEM restrictions. These systems had not received a documented patch review in 14 months.
• Asset inventory: 4,200 documented endpoints. Tanium discovery found 5,050, an 850-device gap that included medical devices with network connectivity, biomedical equipment in clinical areas, and contractor maintenance tablets.
• NIS2 Article 21(2)(e) compliance: the organisation had no capability to produce documented patch management evidence on demand. The upcoming NIS2 assessment would specifically test this capability.
• Ransomware exposure: two neighbouring hospital systems in the same country had experienced ransomware incidents in the preceding 18 months. The organisation's security team had no confidence in their ability to detect or contain a similar attack within the clinical environment.
The solution
NOHDE deployed Tanium AEM managed service at with SOC monitoring engagement:
• Complete estate discovery across all three country operations. 5,050 endpoints identified and classified by location, clinical function, OS version, and patch status.
• OEM-restricted systems: Tanium documented the patch restriction, recorded the risk justification, and established a compensating control record for NIS2 Article 21(2)(e) compliance, the accepted approach for systems that cannot be patched due to vendor restrictions.
• Patch orchestration established for all patchable systems, with maintenance windows coordinated with clinical operations scheduling to avoid disruption to patient care.
During month 3 of operation, Tanium detected anomalous process execution on an administrative workstation consistent with ransomware lateral movement behavior. The endpoint was isolated within 4 minutes. Investigation across the full 5,050-endpoint estate was completed in under 8 minutes. No clinical systems were affected. No patient care was disrupted.
The outcome
NOHDE Network Passes HIPAA-Equivalent Audit and Blocks Ransomware Lateral Movement
• NIS2 assessment passed: no major findings on patch management or incident detection
• Patch success rate: 96%+ for patchable systems within 120 days
• Asset inventory gap closed: 850 previously unmanaged devices brought into managed scope
• Ransomware containment: isolated in 4 minutes, full estate investigated in 8 minutes, zero clinical impact
• OEM-restricted system compliance: documented risk register with compensating controls, accepted by NIS2 assessor
Why Tanium
The 4-minute containment time was only possible because Tanium had complete, real-time visibility of every endpoint and could execute remote isolation without requiring physical access to a clinically occupied ward.
A reactive investigation, waiting for alerts to escalate through a traditional SIEM pipeline, would have taken hours and almost certainly resulted in wider clinical system impact.