Italian Hospitals Under Siege: Shocking Data From the Clusit 2024 Report

Why Italian hospitals became a top target for cybercriminals

Healthcare has always handled some of the most sensitive data imaginable — from genetic information to mental health records. In 2023, cybercriminals took notice on an unprecedented scale. According to the Clusit 2024 report, healthcare was the single most targeted sector globally, accounting for roughly 14% of all serious cyber incidents tracked during the year. Attacks against the sector grew by approximately 30% compared to the previous year, and a staggering 83% of those were classified as high or critical severity.

For Italian hospitals specifically, the numbers paint an even more alarming picture. Italy saw a 65% year-over-year surge in total cyberattacks, with healthcare representing around 9% of all incidents targeting Italian organisations. The country now absorbs roughly 11% of all global attacks tracked by Clusit — a disproportionate share for a nation of its size.

But these are not just statistics. Behind every percentage point are real hospitals forced to turn away patients, print medical records by hand, and watch stolen data appear on dark web marketplaces.

A year of ransomware attacks on Italian healthcare

The wave of attacks that hit Italian hospitals in 2023 and early 2024 reads like a crisis timeline. In May 2023, the ASL 1 Abruzzo regional health authority (covering Avezzano, Sulmona and L’Aquila) suffered one of the most damaging breaches in Italian healthcare history. The Monti ransomware group exfiltrated and published 522 GB of deeply sensitive patient data, including HIV status records, genetic information, and mental health files. Healthcare services across the province of L’Aquila were disrupted for weeks.

Just one month later, hospitals in the Milan metropolitan area run by ASST Rhodense, including the facilities in Garbagnate Milanese and Rho, were hit by ransomware that forced emergency departments to divert patients to other structures. In October, the Rhysida ransomware group struck the Verona university hospital (Azienda Ospedaliera Universitaria Integrata di Verona), knocking IT systems offline and forcing clinical staff back to paper-based workflows. November brought yet another incident, this time targeting the Policlinico and Baggiovara hospitals in Modena, claimed by the Hunters International group.

The attacks continued into 2024. In April, Synlab Italia, a major diagnostic laboratory network serving hospitals across the country, was paralysed by the Black Basta ransomware group. Laboratory testing and diagnostics were suspended for weeks, and patient data was eventually published online.

Why hospitals are particularly vulnerable

Italian public hospitals face a combination of structural weaknesses that make them attractive targets. Legacy IT systems are widespread — many facilities still run outdated and unpatched operating systems. Cybersecurity budgets in Italian healthcare average less than 1% of total IT spending, well below the European average. The fragmented governance model, where each regional health authority (ASL) manages its own infrastructure, creates inconsistent security postures across the country.

Add to this a severe shortage of dedicated cybersecurity professionals in the public health sector, and it becomes clear why detection times remain dangerously slow. In several of the cases above, the organisation learned the full extent of the breach only when the stolen data appeared on the attackers’ leak sites, which means the exfiltration had gone unnoticed for days or weeks before the ransomware itself was deployed.

What the NIS2 directive changes for healthcare organisations

The regulatory landscape is shifting. The NIS2 Directive, which EU member states were required to transpose into national law by 17 October 2024, lists healthcare in Annex I as a “sector of high criticality.” This means hospitals and other healthcare providers, EU reference laboratories, manufacturers of basic pharmaceutical products, and manufacturers of medical devices considered critical in a public health emergency now face binding cybersecurity obligations across the European Union, subject to the directive’s size thresholds (as a rule, medium-sized and larger entities, although member states can bring smaller organisations into scope).

Italy transposed NIS2 through Legislative Decree 138/2024, in force since October 2024, designating the ACN (Agenzia per la Cybersicurezza Nazionale) as the competent national authority; the ACN’s CSIRT Italia is the point of contact for incident notifications. The practical implications for healthcare organisations are significant.

Key obligations under NIS2

Under the new framework, covered entities must implement formal risk management measures, maintain business continuity plans, and conduct regular security audits. Incident reporting timelines are strict: an early warning must reach the CSIRT within 24 hours of becoming aware of a significant incident, a full incident notification must follow within 72 hours, and a final report is due within one month. A “significant” incident is one that causes or could cause severe operational disruption or financial loss, or that affects other parties with considerable damage, so the clock starts when the organisation becomes aware of the incident, not when the investigation is complete.

Supply chain security is another critical requirement. Hospitals that rely on third-party vendors for diagnostics, laboratory services, or medical devices — as the Synlab case illustrated — must now assess and manage risks across their entire supply chain.

Perhaps most importantly, NIS2 introduces management accountability. The management body must approve the cybersecurity risk-management measures and oversee their implementation, and its members can be held personally liable for infringements. Administrative fines reach up to 10 million euros or 2% of global annual turnover, whichever is higher, for essential entities, and up to 7 million euros or 1.4% of global annual turnover for important entities.

Practical lessons for European SMBs

While the Clusit report focuses heavily on healthcare and public administration, the implications extend well beyond hospitals. Any European SMB that handles sensitive data, operates in a regulated sector, or serves as a supplier to critical infrastructure should take notice.

The attack patterns used against Italian hospitals, ransomware delivered through phishing emails, exploitation of unpatched systems exposed to the internet, and compromise of third-party providers, are the same techniques used against small and medium businesses every day. The difference is that a hospital attack makes national headlines, while an SMB breach often goes unnoticed.

Three steps every business should take now

Assess your exposure honestly. Many organisations overestimate their readiness. If your last security audit was more than a year ago, or if you have never conducted a formal risk assessment, you are likely more vulnerable than you think. The Clusit data shows that the gap between perceived and actual security posture is one of the biggest risk factors for Italian organisations.

Invest in the basics before buying advanced tools. Patch management, multi-factor authentication on every remote access path (VPN, RDP, webmail, administrative consoles), network segmentation, and regular offline or immutable backups remain the most effective defences against ransomware. A backup that has never been restored in a test is not a backup, so verify restores on a schedule. Most of the Italian hospital attacks exploited known weaknesses, unpatched software or weak access controls, for which fixes were already available.

Prepare for incident response, not just prevention. The organisations that recovered fastest from the 2023 attacks were those with tested incident response plans and pre-established relationships with cybersecurity response teams. Build your response plan before you need it, because the Clusit data makes one thing clear: the question for European organisations is no longer if an attack will happen, but when.

The road ahead for cybersecurity in Europe

The Clusit 2024 report serves as both a warning and a call to action. With cyberattacks against Italy growing at more than twice the global rate, and healthcare bearing some of the heaviest consequences, the status quo is no longer sustainable. NIS2 provides the regulatory framework, but compliance alone will not be enough. Organisations across Europe — from hospitals to SMBs — need to treat cybersecurity as a core business function, not an IT afterthought.

The data from Italian hospitals in 2023 tells a story that every European business leader should read carefully. These attacks did not succeed because of sophisticated, nation-state-level techniques. They succeeded because of unpatched systems, weak access controls, and a persistent underinvestment in security fundamentals. Those are problems every organisation can start solving today.

Need support on this topic? Contact us for a free consultation: let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.