---
title: Healthcare
date: 2026-04-27T13:16:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/verticals/healthcare"
section: Verticals Pages
---
Secure, data-sovereign solutions for the healthcare sector

# Data protection and compliance in the hospital, without compromise.

Hospital IT now has to satisfy radiation-protection retention law, GDPR, recognized IT-security baselines, and the requirements for essential entities under NIS2 at the same time. FAST LTA delivers the storage infrastructure that covers all four on a single platform.

[Request a consultation ](https://www.fast-lta.de//en/fast/contact/general "Request a consultation")

![An isometric hospital 202604241659 1 | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/An_isometric_hospital_202604241659-1.jpeg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1777280307&s=7e24b06586d8027ba578ba3cf1228556)

### The problem: hospital IT under pressure, with NIS2, GDPR, and retention duties all at once

Across the EU, hospitals above nationally defined thresholds count as essential entities under the NIS2 Directive (in Germany, the long-standing critical-infrastructure threshold of 30,000 inpatient cases per year). They must take, and be able to demonstrate, appropriate technical measures for IT security. At the same time, national radiation-protection law requires that radiological images be kept unaltered. In Germany, §85 of the Radiation Protection Act (StrlSchG) sets the retention periods, and a useful distinction applies:

- **Diagnostic radiological images:** 10 years
- **Radiotherapy records:** 30 years

These periods run far beyond the purchase cycle of typical storage hardware. On top of this come medical professional secrecy, GDPR Article 9 on the protection of special categories of personal data, and, in Germany, the Hospital Future Act (KHZG), a national funding program that makes investment in IT security a precondition for grants.

Hospitals are also a preferred ransomware target: attackers know that an administrative standstill is not an option in clinical operations, which raises the pressure to pay. According to the Sophos State of Ransomware 2024, 56% of organizations whose data was encrypted paid a ransom, and attackers often stay undetected in the network for weeks. An organization that cannot show a demonstrably separated, immutable backup in this situation has no real choice left.

The challenge is not a lack of storage. It is a lack of storage that meets every regulatory requirement at once, and provably so.

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### Immutable Storage

Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights).

[Learn more →](https://www.fast-lta.de//en/glossary/immutable-storage)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

 

## Silent Cubes: Compliant PACS and RIS archiving

Silent Cubes set the write protection directly in the hardware controller, independent of the operating system, administrator rights, or firmware. No user, software error, or attack can change or prematurely delete a record once it has been archived. The retention period is configured at the device level, not in a policy file. You can set different retention periods for diagnostic and therapeutic records.

**PACS integration:** Silent Cubes are compatible with leading PACS and RIS systems from the major healthcare vendors, including GE Healthcare, Siemens Healthineers, Dedalus, and CompuGroup Medical. Archiving runs over standardized interfaces, with no change to existing clinical workflows.

**Capacity and service life:** The storage media are designed for an operating life of at least thirty years, so a single device cycle can be planned to cover the longest statutory retention period in full.

 

[Find out more ](https://www.fast-lta.de//en/products/silent-cubes "Find out more")

![SCDS HU Pro HWWORM | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/SCDS-HUProHWWORM.jpg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1772121892&s=9e9f51c50282d0054642755ea718461b)

---

![X60802x SBMA1x SBP frontal2x Air Gap | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/X60802xSBMA1xSBP-frontal2xAirGap.jpg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1772468089&s=648f39bb328f5d8c494ebe5e2dcba9bb)

## Silent Brick System: Ransomware resilience for clinical operations

Healthcare providers are squarely in the sights of ransomware attackers. The failure of clinical IT systems is not tolerable, and attackers exploit that pressure deliberately. An organization that cannot show a secured recovery point during an attack has no option independent of negotiation.

The Silent Brick System protects backup data through physical network separation at the hardware level. After a backup job completes, the Silent Brick Max Air severs the network connection entirely: no protocol, no port, no API endpoint stays active. Ransomware spreading through the hospital network finds no access path to the isolated Bricks.

The Silent Brick System is compatible with the backup solutions common in healthcare, including Veeam, Commvault, and Acronis. It complements existing backup infrastructure without replacing proven software.

**Suitability for critical-infrastructure environments:** The Silent Brick System is suitable for environments that operate as essential entities under NIS2 and meets recognized IT-security baselines such as ISO/IEC 27001 (in Germany, BSI IT-Grundschutz). For evidence requirements, FAST LTA can provide conformity documentation on request.

**National IT-security funding (Germany):** Germany's Hospital Future Act (KHZG), funding area 10 (IT security), explicitly covers measures that improve IT-security architecture. Hardware-based air-gap backup is an eligible investment under that program. Comparable national funding schemes exist in several member states.

### BSI IT-Grundschutz

The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures.

[Learn more →](https://www.fast-lta.de//en/glossary/bsi-it-grundschutz)

### NIS2

The NIS2 Directive (EU 2022/2555) is an EU regulation that obliges essential and important entities to implement specific cybersecurity measures — including demonstrable backup management, crisis management and reporting obligations — with personal liability for management bodies in case of non-compliance.

[Learn more →](https://www.fast-lta.de//en/glossary/nis2)

 

[Find out more ](https://www.fast-lta.de//en/products/silent-brick-system "Find out more")

---

## Silent AI: Clinical knowledge management, without the cloud

Treatment protocols, internal guidelines, medication information, billing rules: in hospitals, critical knowledge is spread across dozens of systems and document stores. AI-assisted search could unlock this knowledge, but cloud AI services are ruled out for patient data and clinical information on data-protection grounds.

Silent AI runs entirely on premises, inside your own infrastructure. Patient data, treatment records, and clinical knowledge bases never leave the hospital network. The solution connects existing systems through 15+ connectors, including SAP, SharePoint, and specialized healthcare document-management systems, and cites the source documents behind every AI answer.

The EU AI Act classifies AI applications in healthcare as high-risk under Annex III. Running Silent AI on premises greatly simplifies the risk management required under Article 9: data flows are fully controllable, access is loggable, and third-party processing is eliminated.

### EU AI Act

The EU AI Act is the world's first comprehensive legislative regulation of AI systems, in force since August 2024. It classifies AI applications by risk level and sets concrete requirements for transparency, control, data protection and human oversight for high-risk systems.

[Learn more →](https://www.fast-lta.de//en/glossary/eu-ai-act)

 

[Find out more ](https://www.fast-lta.de//en/products/silent-ai "Find out more")

![2026 SAI frontal | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/2026-SAI-frontal.jpeg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1772122968&s=9c06679cda8115826b582a2405de8be0)

---

### Compliance at a glance

| Regulation | Requirement | FAST LTA solution |
| --- | --- | --- |
| **Radiation-protection retention law** (national law under EU Directive 2013/59/Euratom; in Germany §85 StrlSchG) | Diagnostic images 10 years, radiotherapy records 30 years, unaltered | Silent Cubes with hardware WORM; retention configurable per document type; 30+ year retention at device level |
| **GDPR Art. 9 & Art. 32** | Special categories (health data); technical measures for integrity and confidentiality | Hardware WORM (integrity) plus physical air gap (protection from unauthorized access); data stays on premises |
| **GDPR Art. 17** | Right to erasure after the retention period expires | Controlled release after the retention period; full logging |
| **NIS2 Directive (EU 2022/2555)** | Appropriate organizational and technical measures for essential entities | Silent Brick System with physical air gap; Silent Cubes with hardware WORM; suitable for essential-entity environments |
| **ISO/IEC 27001 (and BSI IT-Grundschutz)** | Protection of archived data from manipulation; system hardening | Hardware immutability and network separation meet the requirements without an extra software layer |
| **EU AI Act** | High-risk AI in healthcare (Annex III); risk management under Art. 9 | Silent AI: on-premises operation, no third-party processing, full control over data flows |
| **National IT-security funding (e.g. Germany KHZG, funding area 10)** | Evidence of IT-security measures as a funding precondition | Documented ISO 27001 conformity; FAST LTA supports the evidence process |

### Example: district hospital, 400 beds

A district hospital with 400 beds and around 35,000 inpatient cases per year counts as an essential entity under NIS2 (in Germany, above the critical-infrastructure threshold). Radiology runs a PACS system with a growing legacy data set: X‑ray images from the past twenty years that still have to be kept for another decade. The central backup environment runs on Veeam but is fully network-attached.

**Starting point:** The IT manager has to demonstrate to the supervisory authority that backup data cannot be compromised during an attack. The data protection officer requires a tamper-proof, immutable archive for PACS data. The national IT-security funding project is approved but not yet fully implemented.

**Solution with FAST LTA:**

- Silent Brick System with Max Air Bricks as an air-gap backup target for Veeam: daily backups with physical separation after the job completes; no change to the existing backup software
- Silent Cubes as the PACS archive platform: hardware-WORM archiving of X‑ray and image data; 30-year retention at device level; integration into the existing PACS over standard interfaces
- Silent AI as an on-premises knowledge base for clinical guidelines and internal procedures: no cloud component, full GDPR compliance

**Result:** Demonstrable NIS2 readiness, gap-free fulfillment of radiation-protection retention law, an available recovery point for the ransomware case, and a fully documented IT-security funding measure.

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

## Frequently asked questions for healthcare providers

#### Do Silent Cubes fully meet radiation-protection retention requirements?

National radiation-protection law requires that radiological images be kept and not altered during the retention period. In Germany, §85 of the Radiation Protection Act (StrlSchG) sets the periods: diagnostic images for 10 years, radiotherapy records for 30 years; the underlying EU basis is Directive 2013/59/Euratom. Silent Cubes meet both through hardware WORM: write protection is set directly in the storage controller at device level, independent of the operating system, user privileges, or software configuration. You can configure different retention periods for the two document types. No administrator and no attack can change or delete an archived record within the protection period. FAST LTA provides technical conformity documentation on request for evidence toward authorities.

#### Is the Silent Brick System compatible with our existing Veeam backup?

Yes. The Silent Brick System integrates as a backup target in Veeam Backup & Replication over standard protocols (FC, iSCSI, NFS, SMB, S3), with no change to your existing backup configuration. The physical network separation by the Silent Brick Max Air happens automatically after the backup job completes. Restores are triggered through the same Veeam infrastructure, with no new tool and no changed processes. Tested compatibility also exists with Commvault and Acronis.

 

#### Does our hospital count as an essential entity under NIS2, and what duties follow?

Hospitals above nationally defined thresholds are treated as essential entities under the NIS2 Directive (in Germany, operators above 30,000 inpatient cases per year). They must take appropriate technical and organizational measures, demonstrate their implementation periodically, and report significant incidents to the competent authority. The Silent Brick System is suitable for these environments. FAST LTA supports hospitals in preparing the evidence documentation for supervisory audits.

#### Can we use national IT-security funding for FAST LTA products?

In Germany, the Hospital Future Act (KHZG), funding area 10 (information security), explicitly covers measures that improve IT-security architecture, including air-gap backup and compliant archiving. The Silent Brick System and Silent Cubes are eligible investments under that program. Comparable national schemes exist in other member states. FAST LTA advises on formulating the technical requirements and the evidence for your funding application.

 

#### How do we make sure Silent AI does not transmit patient data to the cloud?

Silent AI runs exclusively on premises as an appliance in your data center. There is no cloud connection, no external AI provider, and no transmission of queries or documents to third parties. All AI processing happens inside your hospital network. There is no third-party processing within the meaning of GDPR Article 28. We recommend documenting the deployment together with your data protection officer, and FAST LTA provides technical evidence material for this.

- Made in Europe
- ISO 27001
- NIS2-ready
- Suitable for essential-entity environments
- Radiation-protection retention compliant
- 2,500+ customers since 2008

## Would you like a consultation? 

More than 2,500 organizations and public bodies rely on FAST LTA, including hospitals, clinics, and healthcare providers that have to meet radiation-protection retention law, GDPR, and NIS2 requirements every day, and prove it. FAST LTA is developed and manufactured in Munich. Personal advice from FAST LTA engineers: not a sales call, but a technical conversation.

[Book an appointment ](https://www.fast-lta.de//en/fast/contact "Book an appointment")

![IMG 2890 | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/IMG_2890.jpeg?w=480&q=80&auto=format%2Cavif&fit=crop&dm=1772121888&s=0c638fe89d7898eb9954357a941dd820)

René Weber  
Senior Pre-Sales Engineer
