Critical Infrastructure Research · 2025 · KIT OCI

German Telehealth Infrastructure: Structural Mapping for Threat Modeling

A KIT doctoral researcher needed a structural baseline before she could model cybersecurity risk in German hospital networks. I mapped three digitised care delivery architectures to give her that foundation under the EU NIS2 framework.

Role: Research Assistant · Client: OCI KIT · Year: 2025 · Focus: Literature research

Three questions for the threat model

  • Architecture: How are systems connected, and where do data dependencies concentrate?
  • Criticality: Which operations are time-critical, and what does disruption cost clinically?
  • Regulatory exposure: Which operators carry NIS2/KRITIS obligations, and how does that shape their architecture?

In healthcare, IT availability is a clinical metric. Disruption is measured in minutes, and the consequence is measured in neurological damage, not just data loss.

Three integration models, three structural profiles

The three models each represent a distinct integration strategy: vertical, horizontal, and networked. The scope is limited to regional care delivery networks; the national TI, gematik, and ePA layers are excluded.

Diagram: PORT Stuttgart, vertical integration. Robert Bosch Hospital with its research network and mobile nurses.

Diagram: PORT Hohenstein, horizontal community integration. Shared database linking GP clinic, pediatrics, psychiatry, social services, midwifery, and physiotherapy.

Diagram: NEVAS Bavaria, regional network coordination. Three hubs.

Security-relevant dimensions across the three models

Dimension | PORT Stuttgart | PORT Hohenstein | NEVAS Bavaria
Integration type | Vertical — hospital campus | Horizontal — community multi-agency | Regional hub-and-spoke network
Network nodes | 1 center + RBK hospital campus | 13 departments + county agencies | 19 hospitals (3 hubs + 16 spokes)
Population served | ~22,500 | ~3,700 | 2.9 million
Time-criticality | Moderate — chronic care coordination | Low — scheduled primary care | Extreme — stroke "golden hour"
Data sensitivity | Ambulatory + inpatient EHR convergence | Multi-disciplinary community records | Acute neurological + imaging data
External connections | Bosch Health Campus research network | County health office, public agencies | 19 inter-hospital video/data links
NIS2 exposure (indicative) | Likely essential entity (via RBK hospital, subject to NIS2UmsuCG thresholds) | Likely important entity (subject to operator size thresholds) | Likely essential entity (subject to formal classification)
Structural concern (literature-indicated) | Research network boundary | Rural IT resource constraints (ENISA 2023) | 16 spoke hospitals with variable IT maturity (ENISA 2023)
Active since | 2022 | September 2019 | 2014

A 19-hospital network where availability is a patient safety constraint

NEVAS connects 3 stroke centers with 16 regional hospitals via 24/7 video and data links. Regional hospitals lack round-the-clock neurologists. Remote experts fill that gap during the critical "golden hour."

Diagram: NEVAS Bavaria patient pathway, from spoke hospital CT imaging and video consult with a hub neurologist, through treatment decision, to mechanical thrombectomy at the hub center and rehabilitation referral.

Three structural characteristics matter most for threat modeling:

  • Structural: Extreme time-criticality. Stroke treatment efficacy drops by the minute. Network downtime cuts regional access to specialist intervention immediately.
  • Structural: Distributed entry points. 19 interconnected IT environments mean 19 entry vectors. Smaller regional hospitals typically have lower security maturity and can propagate compromise to hubs.
  • Structural: Protocol dependency. Manipulated treatment protocols or corrupted diagnostic data could warp clinical decisions across the network before detection.

Hospital campus integration with an external research boundary

PORT Stuttgart sits inside Robert Bosch Hospital and connects to the Bosch Health Campus research ecosystem. Structurally, this creates a dual-domain environment: KRITIS-governed clinical operations alongside a research network with different security standards.

  • Structural: Research-clinical boundary. Research network traffic converging with clinical infrastructure creates a trust boundary problem. If insufficiently segmented, the research connection becomes a lateral movement path into clinical systems.
  • Structural: Mobile endpoints. Community Health Nurses conduct home visits with mobile devices. Endpoint security depends on consistent device management and remote access policies.
  • Structural: Vertical integration (asset). Embedding within RBK hospital means security governance falls under existing KRITIS obligations, providing a higher baseline than a standalone center.

Cross-agency data sharing in a resource-constrained environment

PORT Hohenstein serves ~3,700 people across 13 departments and integrates with county agencies including long-term care coordination and the county health office. Multiple entities access health records in an environment with limited IT security resources.

  • Structural: Cross-agency data sharing. Health data flows between GP, psychiatry, physiotherapy, midwifery, social services, and county agencies. Each integration point is a potential confidentiality or integrity risk.
  • Structural: Rural IT maturity. Smaller rural facilities consistently rank below urban hospitals in security investment and incident response. This is a structural gap across European healthcare, not specific to Hohenstein.
  • Structural: Lower operational criticality. Scheduled primary care tolerates availability disruption better than acute care. Backup workflows exist, and there is less time pressure than in NEVAS.

What the mapping identified as relevant for threat modeling

Integration architecture shapes the structural preconditions for security risk

Vertical integration (PORT Stuttgart) concentrates connectivity at the campus boundary. Horizontal integration (PORT Hohenstein) distributes access across agencies with varying IT resources. Network coordination (NEVAS) creates interconnection across 19 IT environments. Threat modeling needs to be architecture-specific.
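To make the architecture-specific point concrete, here is an added Python example (not part of the original mapping or any of the networks' own tooling) that encodes two of the models as directed graphs of trust zones, with constructed zone names and a constructed per-link flag stating whether a trust-boundary control (segmentation) is assumed, and computes how many zones a compromise of one entry zone could reach when that control is absent.

```python
from collections import deque

# Each link is (source_zone, target_zone, segmented). A segmented link is
# assumed to carry a trust-boundary control; only unsegmented links are
# treated as a propagation path. All zone names are constructed.

def nevas_links(spoke_ingress_segmented=False):
    """NEVAS-style network: 3 meshed hubs, 16 spokes each tied to one hub."""
    hubs = ["hub1", "hub2", "hub3"]
    links = [(a, b, False) for a in hubs for b in hubs if a != b]
    for s in range(1, 17):
        spoke, hub = f"spoke{s}", hubs[s % 3]
        links.append((spoke, hub, spoke_ingress_segmented))  # spoke -> hub
        links.append((hub, spoke, False))                     # hub -> spoke
    return links

def port_stuttgart_links(research_boundary_segmented=False):
    """PORT Stuttgart-style campus: research net and mobile nurses feed clinical."""
    return [
        ("research_net", "rbk_clinical", research_boundary_segmented),
        ("mobile_nurse", "rbk_clinical", False),
        ("rbk_clinical", "port_center", False),
    ]

def reachable(links, entry):
    """Zones a compromise starting at `entry` could reach via unsegmented links."""
    adjacency = {}
    for src, dst, segmented in links:
        if not segmented:
            adjacency.setdefault(src, []).append(dst)
    seen, queue = {entry}, deque([entry])
    while queue:
        for nxt in adjacency.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(entry)
    return seen

def blast_radius(links, entry):
    """Number of other zones reachable from `entry`."""
    return len(reachable(links, entry))

if __name__ == "__main__":
    print("spoke1, flat NEVAS:", blast_radius(nevas_links(), "spoke1"))
    print("spoke1, segmented spoke ingress:", blast_radius(nevas_links(True), "spoke1"))
    print("research_net, flat campus:", sorted(reachable(port_stuttgart_links(), "research_net")))
    print("research_net, segmented boundary:", sorted(reachable(port_stuttgart_links(True), "research_net")))
```

In the flat NEVAS graph every one of the 19 zones, spoke or hub, reaches all 18 others, which is the structural reading of "19 entry vectors"; adding a control on spoke ingress leaves hubs able to reach spokes but stops a spoke compromise from reaching the hubs.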

Availability outranks confidentiality in time-critical networks

Standard frameworks list confidentiality, integrity, and availability in that order of priority. In stroke networks like NEVAS, availability is paramount: a ransomware attack causing 6-hour downtime during a stroke event has immediate, irreversible clinical consequences. This is a different risk profile from administrative systems.

Spoke hospitals in distributed networks warrant further security assessment

In NEVAS, the 16 spoke hospitals are the most numerous interconnection points. ENISA's 2023 report identifies smaller facilities as generally having lower IT security maturity across Europe. Whether that holds for NEVAS specifically is an open question for the doctoral researcher's subsequent assessment.

NIS2 entity classification depends on operator-specific thresholds

NIS2 places the healthcare sector among its essential sectors, but whether a given operator counts as an essential or important entity under Germany's NIS2UmsuCG depends on operator-specific criteria (turnover, employee count). The structural differences between models are relevant context, but formal classification was outside this mapping's scope.

A baseline that enables the right questions

This was scoped as infrastructure mapping, not security assessment. The researcher needed to know what is connected, what is time-critical, and what is regulated before applying her security framework.

The deliverable gives her three things: a typology of network architectures for scoping threat models, a mapping of NIS2 entity obligations per operator, and identification of NEVAS as the highest-priority case where availability risk and life-safety consequences converge.

Scope limitations. Literature-based and descriptive. Not a security assessment, penetration test, or formal threat model. Risk badges reflect structural characteristics, not validated ratings from STRIDE or OCTAVE. The national TI, gematik, and ePA are excluded. Actual protocols, authentication mechanisms, and segmentation architectures remain open questions for fieldwork.

This pattern (diverse architectures, variable security maturity, harmonised NIS2 obligations) is not unique to Germany. It is how healthcare digitalisation has proceeded across the EU: driven by clinical need, not security design.

Sources & References
  1. Masouris et al. (2024) — Telemedical Stroke Care, NEVAS network
  2. Gesundheitszentrum Hohenstein — PORT primary care center
  3. Bosch Health Campus — PORT Stuttgart context
  4. NEVAS network — SAGE Journals
  5. PORT Gesundheitszentrum — Hausarztpraxis
  6. PORT Gesundheitszentrum — Bosch Health Campus
  7. Community Health Nursing — Bosch Health Campus
  8. NEVAS DSG Certification — LMU Klinikum
  9. PMC — Integrated Care Models in Germany
  10. ENISA (2023) — Health Sector Threat Landscape Report, European Union Agency for Cybersecurity
  11. EU Directive 2022/2555 (NIS2) — measures for a high common level of cybersecurity across the Union
  12. BSI (2022) — IT-Grundschutz für Krankenhaus-Informationssysteme, Bundesamt für Sicherheit in der Informationstechnik
