On 13 January 2026, ransomware hit AZ Monica hospital in Antwerp. Within hours, staff cancelled over 70 surgeries, evacuated seven patients in critical condition, and shut down emergency services across two campuses. MRI and CT scanners went dark. The attack forced a complete server shutdown that lasted days.
This was not an isolated incident. Belgian healthcare organisations faced an average of 2,620 cyberattacks per week in Q2 2025. The question is no longer whether hospitals will be targeted, but whether their architecture can limit the damage when attackers get in.
How Zero Trust could have contained the AZ Monica attack
- Replace VPN access with identity-based application tunnels that hide internal infrastructure from attackers.
- Isolate web browsing in cloud containers so phishing links never reach hospital endpoints.
- Place medical imaging equipment behind hardware-based network isolation to prevent lateral movement.
- Segment the network by default so infections cannot spread from one device to the next.
- Implement device posture checks to block unmanaged or compromised devices from connecting.
- Maintain centralised logging for rapid incident detection and NIS2 compliance.
What happened during the attack
The attack began in the early morning hours, a transition period between night and day shifts when detection is typically slower. IT staff detected unusual encryption activity on central servers around 06:32. The response was immediate and severe: a complete shutdown of all IT infrastructure on both campuses.
The operational impact was significant. Radiology lost access to the PACS system, rendering imaging equipment unusable. Seven patients requiring continuous digital monitoring had to be transferred to other hospitals under Red Cross supervision. Emergency services went into divert mode, redirecting ambulances across the province.
This kind of forced shutdown reveals a fundamental problem. When an organisation cannot contain an infection to its origin point, the only option is to pull the plug on everything. That decision protected patient data but paralysed patient care.
Why traditional IT security fails in hospitals
Most healthcare organisations still rely on perimeter defence: firewalls at the network edge, VPNs for remote access, and network segmentation to separate departments. This model assumes attackers can be kept outside. Once they breach that perimeter, the internal network is often flat and open.
VPNs grant too much access
Traditional VPNs connect users to network segments rather than specific applications. An attacker with stolen credentials can use that tunnel to scan for other systems, locate backup servers, and move toward domain controllers. The VPN essentially treats a compromised laptop like a trusted workstation sitting in the hospital data centre.
In Q3 2025, nearly 48% of ransomware incidents were traced back to compromised VPN credentials. Many hospitals still run legacy SSL-VPN concentrators that are visible on the public internet and vulnerable to credential stuffing attacks.
Flat networks enable lateral movement
Segmentation sounds effective until you examine how it works in practice. Network segments often share common infrastructure. Administrative workstations frequently have access to multiple zones. Protocols like SMB and RDP remain open between segments to support legitimate workflows.
Ransomware exploits these conditions. Once inside, attackers enumerate the network, identify high-value targets like domain controllers and backup systems, and move laterally until they can encrypt everything simultaneously. The AZ Monica shutdown suggests this lateral movement was already underway when staff detected the threat.
Medical devices are blind spots
MRI scanners, CT machines, and patient monitors typically run legacy operating systems. Manufacturers often prohibit security patches or endpoint agents to maintain device certification. These devices communicate using protocols like DICOM and HL7 that were designed without authentication or encryption.
A compromised workstation on the same network segment can probe these devices, inject malicious data, or use them as stepping stones to reach other systems. Left unprotected, a single vulnerable imaging device can become the pivot point for an entire hospital compromise.
How Zero Trust architecture changes the equation
Zero Trust starts from a different assumption: the network is already compromised. Every access request must be verified based on identity, device status, and context. Nothing is trusted by default.
Application-level access replaces network tunnels
Zero Trust Network Access (ZTNA) connects users to specific applications rather than network segments. The underlying infrastructure remains invisible. Attackers with stolen credentials can reach only the applications that user was authorised to access. They cannot scan the network, locate backup servers, or move toward domain controllers because those systems simply do not exist from their perspective.
This approach makes the entire hospital infrastructure dark to external probes. There are no open ports to discover, no VPN concentrators to attack, and no network paths to enumerate.
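The policy logic behind an application-level broker, written out as an added example (not code from AZ Monica, the article's author, or any ZTNA product): a request carries identity, device posture and context, and the broker grants a tunnel to exactly one catalogued backend or nothing at all. The application catalogue, hostnames, posture thresholds and the "Belgium only" location rule are all assumptions made for the illustration; what the example shows is why stolen credentials on an unmanaged laptop, or a request for a system that is not in the catalogue, yield no network path.

```python
"""Added example: a minimal ZTNA-style policy decision point.
Access is granted per application, never per network segment, and only
when identity, device posture and context all pass (default deny)."""
from dataclasses import dataclass

# Hypothetical application catalogue. Each entry names the single backend
# the broker will connect a session to; nothing outside it is reachable.
APPLICATIONS = {
    "pacs-viewer":  {"backend": "pacs.internal.example", "port": 443,
                     "roles": {"radiologist", "radiographer"}},
    "scheduling":   {"backend": "sched.internal.example", "port": 443,
                     "roles": {"surgery-admin", "surgeon"}},
    "vendor-maint": {"backend": "mri-maint.internal.example", "port": 8443,
                     "roles": {"vendor-mri"}},   # third-party vendor access, app-scoped
}

MAX_PATCH_AGE_DAYS = 30           # assumed posture threshold
ALLOWED_COUNTRIES = {"BE"}        # assumed context rule for this hospital


@dataclass
class Device:
    managed: bool            # enrolled in the hospital's device management
    disk_encrypted: bool
    edr_running: bool
    os_patch_age_days: int


@dataclass
class Request:
    user: str
    roles: set
    mfa_passed: bool
    device: Device
    app: str                 # the application requested, not a host or subnet
    source_country: str


def posture_ok(d: Device) -> bool:
    """All posture signals must be healthy; a missing agent alone is a fail."""
    return (d.managed and d.disk_encrypted and d.edr_running
            and d.os_patch_age_days <= MAX_PATCH_AGE_DAYS)


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    app = APPLICATIONS.get(req.app)
    if app is None:
        # A backup server or domain controller that is not an application
        # in the catalogue simply cannot be requested through the broker.
        return False, f"unknown application '{req.app}': no backend exists for it"
    if not req.mfa_passed:
        return False, "identity not verified with MFA"
    if not posture_ok(req.device):
        return False, "device posture failed"
    if not (req.roles & app["roles"]):
        return False, f"role not authorised for {req.app}"
    if req.source_country not in ALLOWED_COUNTRIES:
        return False, "context: unexpected source location"
    return True, f"tunnel to {app['backend']}:{app['port']} only"


# Constructed cases: a healthy managed laptop and an unmanaged one.
MANAGED = Device(managed=True, disk_encrypted=True, edr_running=True, os_patch_age_days=3)
UNMANAGED = Device(managed=False, disk_encrypted=False, edr_running=False, os_patch_age_days=400)

CASES = {
    "radiologist, managed laptop":
        Request("radiologist.a", {"radiologist"}, True, MANAGED, "pacs-viewer", "BE"),
    "same credentials, unmanaged laptop":
        Request("radiologist.a", {"radiologist"}, True, UNMANAGED, "pacs-viewer", "BE"),
    "valid session asking for a non-catalogued system":
        Request("radiologist.a", {"radiologist"}, True, MANAGED, "backup-server", "BE"),
    "reception account asking for PACS":
        Request("reception.b", {"reception"}, True, MANAGED, "pacs-viewer", "BE"),
}

if __name__ == "__main__":
    for label, req in CASES.items():
        print(f"{label}: {decide(req)}")
```

The point of the catalogue is the absence of a "connect me to 10.x.y.z" request type: the broker only knows applications, so enumeration of the network is not a question it can answer.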
Browser isolation stops the initial infection
Many attacks begin with a phishing link. A staff member clicks through, and malware downloads to their workstation. From there, the infection spreads.
Remote Browser Isolation (RBI) breaks this chain by executing web content in disposable cloud containers. Users see an interactive stream of the page, but no active code reaches their device. If someone clicks a malicious link, the malware runs inside the container and is destroyed when the session ends. The hospital workstation remains clean.
Hardware isolation protects medical equipment
Devices that cannot run security agents need a different approach. Network Isolation Access Controllers (NIAC) sit between medical equipment and the rest of the network as hardware-based gatekeepers. They permit only the specific traffic flows each device requires, like DICOM images to the PACS server on the appropriate port, and block everything else.
Even if ransomware takes over the administrative network, it cannot reach imaging equipment behind NIAC controllers. The infection stops at the hardware boundary. Scanners continue operating, and patient care continues.
Micro-segmentation limits the blast radius
In a properly segmented Zero Trust environment, devices cannot communicate with each other by default. A reception workstation has no reason to connect to the pharmacy database. A laptop in administration cannot reach the surgical scheduling system. Peer-to-peer traffic is blocked.
When ransomware infects a single device, it finds itself isolated. There are no SMB shares to encrypt on neighbouring machines, no RDP sessions to hijack, no path to the domain controller. The infection affects one device instead of the entire hospital. A total shutdown becomes unnecessary.
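The two preceding sections, hardware isolation of medical equipment and default-deny micro-segmentation, rest on the same rule: a flow is permitted only if it is explicitly listed for the device that initiates it (or, for a protected device, explicitly listed as an inbound flow to it). The following is an added example of that rule, not code from any NIAC product or from the article; device names, the allowlist, and the set of attempted flows are constructed for the illustration. DICOM on TCP 104 and HL7 MLLP on TCP 2575 are the IANA-registered ports; the choice to allow only those per modality is the policy being demonstrated.

```python
"""Added example: default-deny flow policy modelling per-device allowlists
(NIAC in front of a modality, micro-segmentation for workstations)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # initiating device or zone (constructed names)
    dst: str      # destination device or zone
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Outbound allowlist: the only flows each device may initiate.
ALLOW_OUTBOUND = {
    "mri-1":          {("pacs", "tcp", 104)},                           # DICOM C-STORE to PACS
    "ct-1":           {("pacs", "tcp", 104), ("ris", "tcp", 2575)},     # DICOM + HL7 MLLP to RIS
    "reception-ws-7": {("ehr-web", "tcp", 443)},                        # browser to the EHR front end
}

# Inbound allowlist toward a protected device, e.g. PACS querying a modality.
ALLOW_INBOUND = {
    "mri-1": {("pacs", "tcp", 104)},
    "ct-1":  {("pacs", "tcp", 104)},
}


def flow_allowed(f: Flow) -> bool:
    """Default deny: nothing passes unless listed as outbound for the source
    or inbound for the destination. Peer-to-peer traffic between workstations
    is therefore blocked without any rule mentioning it."""
    if (f.dst, f.proto, f.dport) in ALLOW_OUTBOUND.get(f.src, set()):
        return True
    if (f.src, f.proto, f.dport) in ALLOW_INBOUND.get(f.dst, set()):
        return True
    return False


def reachable_from(infected: str, attempted: list[Flow]) -> list[Flow]:
    """Defender's view of the blast radius: of the flows an infected host
    tries, which ones would the policy actually let through."""
    return [f for f in attempted if f.src == infected and flow_allowed(f)]


# Constructed scenario: a reception workstation is infected and tries the
# kinds of connections the article describes (SMB and RDP to neighbours,
# the imaging network, the domain controller) plus its one legitimate flow.
ATTEMPTED_FLOWS = [
    Flow("reception-ws-7", "ehr-web",        "tcp", 443),
    Flow("reception-ws-7", "reception-ws-8", "tcp", 445),
    Flow("reception-ws-7", "mri-1",          "tcp", 445),
    Flow("reception-ws-7", "ct-1",           "tcp", 3389),
    Flow("reception-ws-7", "pacs",           "tcp", 445),
    Flow("reception-ws-7", "dc-1",           "tcp", 389),
]

if __name__ == "__main__":
    for f in ATTEMPTED_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: "
              f"{'ALLOW' if flow_allowed(f) else 'DENY'}")
    print("reachable:", reachable_from("reception-ws-7", ATTEMPTED_FLOWS))
```

Note that `mri-1` keeps exchanging DICOM with the PACS while every flow from the infected workstation toward it is dropped: the scanner is not patched, runs no agent, and is still unreachable from the administrative network.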
NIS2 compliance requires this architecture
The NIS2 directive came into force in Belgium in October 2024. Hospitals are classified as essential entities, subject to the strictest obligations. Board members can face personal liability for inadequate security measures. Fines can reach EUR 10 million or 2% of global revenue.
NIS2 Article 21 requires risk analysis, incident handling capabilities, business continuity planning, and supply chain security. Zero Trust architecture directly addresses these requirements.
Centralised logging provides the visibility needed to detect incidents and meet the 24-hour reporting obligation to the Centre for Cybersecurity Belgium. ZTNA enables secure third-party access for equipment vendors without granting them network-level privileges. Hardware isolation demonstrates that critical medical systems can continue operating during an attack.
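The detection side of centralised logging, and the enumeration behaviour described earlier under "Flat networks enable lateral movement", can be made concrete with one added example (not the article's or any vendor's code): a detector that reads flow records from a central log and raises an alert when a single source contacts many distinct hosts on SMB or RDP ports within a short window, which is what early lateral movement looks like to a log collector. The log format, the IP addresses, the port set, and the threshold of five distinct destinations in sixty seconds are assumptions; the sample lines are constructed. An alert from logic like this is the kind of evidence that lets an organisation isolate one device and meet a 24-hour notification deadline with facts rather than guesses.

```python
"""Added example: lateral-movement fan-out detection over centralised flow logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp> src=<ip> dst=<ip> proto=<p> dport=<n> action=<a>"
LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)

# Ports used for Windows lateral movement in the scenario the article describes.
LATERAL_PORTS = {445, 3389, 135, 139}

# Constructed sample: 10.20.3.17 sweeps six hosts in half a minute;
# 10.20.3.22 is ordinary traffic (one web session, one file-share connection).
SAMPLE_LOG = """
2026-01-13T06:10:01Z src=10.20.3.17 dst=10.20.3.40 proto=tcp dport=445 action=allow
2026-01-13T06:10:03Z src=10.20.3.17 dst=10.20.3.41 proto=tcp dport=445 action=allow
2026-01-13T06:10:07Z src=10.20.3.17 dst=10.20.3.42 proto=tcp dport=445 action=allow
2026-01-13T06:10:12Z src=10.20.3.17 dst=10.20.3.43 proto=tcp dport=3389 action=allow
2026-01-13T06:10:20Z src=10.20.3.17 dst=10.20.3.44 proto=tcp dport=445 action=allow
2026-01-13T06:10:31Z src=10.20.3.17 dst=10.20.10.5 proto=tcp dport=445 action=allow
2026-01-13T06:10:33Z src=10.20.3.22 dst=10.20.10.9 proto=tcp dport=443 action=allow
2026-01-13T06:10:40Z src=10.20.3.22 dst=10.20.10.5 proto=tcp dport=445 action=allow
2026-01-13T06:15:00Z src=10.20.3.17 dst=10.20.10.7 proto=tcp dport=445 action=allow
""".strip().splitlines()


def parse(line: str):
    """Return (timestamp, src, dst, dport) or None for a line that does not match."""
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_fanout(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Alert once per source whose connections to distinct hosts on lateral-
    movement ports reach `threshold` inside any sliding `window`."""
    events = defaultdict(list)            # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] not in LATERAL_PORTS:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))

    alerts = []
    for src, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:   # slide the window start
                left += 1
            distinct = {dst for _, dst in evs[left:right + 1]}
            if len(distinct) >= threshold:
                alerts.append({"src": src, "distinct_dst": len(distinct),
                               "start": evs[left][0], "end": evs[right][0]})
                break                                       # one alert per source
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOG):
        print(f"ALERT {a['src']}: {a['distinct_dst']} distinct hosts on lateral ports "
              f"between {a['start'].time()} and {a['end'].time()}")
```

In a micro-segmented network the same records would show `action=deny` on every one of those attempts, which is itself the signal: a workstation should have no reason to try SMB against five neighbours, so the denied flows are worth alerting on as well as the allowed ones.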
Implementing these controls creates documented evidence of due diligence. When regulators ask what measures were in place, the organisation can demonstrate state-of-the-art protections aligned with Zero Trust principles.
What the scenario comparison reveals
Consider the likely attack path at AZ Monica: attackers gained initial access through compromised credentials or a phishing email, scanned the network to identify targets, moved laterally to reach servers and medical systems, then deployed ransomware across everything they could reach.
With Zero Trust architecture, that chain breaks at multiple points. ZTNA would have limited initial access to specific applications rather than the network. Browser isolation would have stopped malware delivery via phishing. Micro-segmentation would have prevented network scanning and lateral movement. Hardware isolation would have kept medical imaging equipment operational.
Instead of a hospital-wide crisis requiring patient transfers and surgery cancellations, the incident would have been contained to a single compromised device. IT staff would have isolated that device, investigated the breach, and continued normal operations.
FAQ
Can mid-sized hospitals implement Zero Trust without major projects? Yes. Start with ZTNA for remote access and critical applications. Add browser isolation for staff web browsing. Deploy NIAC hardware for high-value medical equipment. Each component delivers immediate value while building toward comprehensive coverage.
Does Zero Trust require replacing existing firewalls? No. Zero Trust adds identity-based controls and isolation capabilities to existing infrastructure. Firewalls continue handling north-south traffic while ZTNA and micro-segmentation address the internal network.
How does this help with NIS2 compliance? Zero Trust provides documented evidence of least-privilege access, continuous verification, incident containment capabilities, and secure supply chain management. Centralised logging supports the 24-hour incident notification requirement.
What about devices that cannot run security agents? NIAC hardware provides network-level isolation for medical imaging equipment, IoT devices, and legacy systems. These devices are protected without requiring any software installation on the devices themselves.
How long does implementation take? Initial deployment for remote access and web security can complete within weeks. Full coverage including medical device isolation scales over months based on the organisation’s complexity and priorities.
Prevent the next hospital crisis
The AZ Monica attack demonstrates what happens when traditional perimeter security fails. Hospitals cannot afford days of downtime, patient transfers, and cancelled surgeries. The architecture that enabled this crisis is still running in healthcare organisations across Europe.
Zero Trust provides a different model. Identity-based access, browser isolation, and hardware-level protection create multiple barriers that attackers must overcome. When one control fails, others contain the damage. Operations continue even during an active incident.
Book a demo to see how cloud-managed SASE can protect your healthcare organisation without adding operational complexity.