COMMENTARY: Healthcare has been under cyberattacks for some time, and it’s only getting more intense. A joint alert from the American Hospital Association (AHA) and Health-ISAC recently warned of a potential terrorist threat against U.S. hospitals.
While the FBI found no credible evidence of pending attacks, experts cautioned that viral threats like these can still inspire malicious attacks and add to the broader cybersecurity crisis already under way: a crisis that resulted in 734 large healthcare data breaches in 2024 alone.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
Clearly, the healthcare sector faces a growing wave of threats, and the tactics are only getting more advanced with the rise of AI. The sector must respond with speed, coordination, and a fundamentally stronger cybersecurity posture.
Cyber threats are getting smarter
Healthcare has become one of the most attractive targets for cybercriminals for a number of reasons. Hospitals are more likely to pay ransoms quickly because they need real-time access to data and systems to deliver patient care. Add in sensitive patient information, aging infrastructure, and often underfunded IT and InfoSec departments, and attackers see a poorly secured network with high-reward extortion potential.
Unfortunately, today’s threats often go far beyond simple ransomware. Cybercriminals now exploit supply chain relationships, compromising third-party vendors and software providers to reach hospitals indirectly. Attackers also exploit zero-day vulnerabilities: software flaws the vendor does not yet know about, and so has not patched, which let an intruder gain a foothold inside critical systems before anyone knows what is happening.
What’s more, extortion campaigns don’t just encrypt files: they steal data, threaten to leak that data, and pressure victims publicly.
Unfortunately, there are far too many examples. In 2023, the BlackCat (ALPHV) ransomware group, also behind the 2024 Change Healthcare incident, struck a U.S. hospital. When the hospital refused to pay the ransom, the gang leaked clinical patient photos and sensitive PHI online in an effort to force payment.
The stakes are high. Cyberattacks can compromise electronic health records (EHRs), manipulate connected medical devices, or trigger cascading outages through shared IT infrastructure. A breach at one facility can quickly become a sector-wide crisis that negatively impacts patient outcomes.
What hospital cybersecurity should look like
With growing threats on every side, hospitals should prioritize replacing outdated perimeter defenses. A modern security posture starts with a zero-trust architecture, in which no user or device is trusted by default simply because it sits inside the hospital network: every request is authenticated and authorized, and access depends on who is asking, from which device, and for what. Organizations should pair zero trust with endpoint detection and response (EDR). These tools continuously monitor laptops, servers, and any medical equipment that can run an agent for unusual behavior; many medical devices cannot, so they need network-based monitoring instead. If a device starts acting suspiciously (accessing files it shouldn't, or connecting to an unfamiliar server, for example), EDR tools can alert security teams, isolate the device, and stop the attack before it spreads.
Network segmentation offers another critical defense. Instead of allowing the free movement of data across an entire hospital network, segmentation breaks the network into smaller zones based on function or sensitivity, with only explicitly needed traffic permitted between zones and everything else denied. For example, security teams shouldn't put the systems that control MRI machines on the same segment as the hospital's public Wi-Fi. With segmentation, if attackers break into one segment, they can't easily reach the rest.
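To make the segmentation point concrete, here is an added example (not from the column or from Health-ISAC) that models zones and a default-deny allowlist of inter-zone flows, then computes the blast radius an attacker would have from a compromised zone. The zone names, ports and rules are constructed for illustration; the same function applied to a flat "any to any" policy shows why an unsegmented network gives an intruder on guest Wi-Fi a path to everything.

```python
"""Zone model for a segmented hospital network with default-deny inter-zone rules.
Added example with constructed zones/rules; not a real hospital policy."""
from collections import deque

# Constructed zones. "internet" is a pseudo-zone so egress rules can be expressed.
ZONES = {"internet", "guest_wifi", "clinical_workstations", "ehr_servers",
         "imaging_modalities", "imaging_pacs", "it_management"}

# Each tuple (source_zone, destination_zone, dst_port) is an explicitly permitted flow.
# A field may be "*" (any). Anything not matched by a rule is denied (default deny).
ALLOWED_FLOWS = {
    ("guest_wifi", "internet", 443),
    ("clinical_workstations", "ehr_servers", 443),
    ("clinical_workstations", "imaging_pacs", 443),
    ("imaging_modalities", "imaging_pacs", 104),   # DICOM from modality to PACS only
    ("it_management", "ehr_servers", 22),
    ("it_management", "imaging_pacs", 22),
}

# A flat network expressed in the same rule language: everything talks to everything.
FLAT_NETWORK = {("*", "*", "*")}


def matches(rule, src, dst, port):
    """True if a single rule permits the flow; '*' in a rule field matches anything."""
    r_src, r_dst, r_port = rule
    return r_src in ("*", src) and r_dst in ("*", dst) and r_port in ("*", port)


def is_allowed(src, dst, port, rules=ALLOWED_FLOWS):
    """Default deny: a flow is permitted only when some rule matches it."""
    return any(matches(r, src, dst, port) for r in rules)


def reachable_zones(start, rules=ALLOWED_FLOWS, zones=ZONES):
    """Blast radius: zones an attacker controlling `start` could reach by chaining
    permitted flows on any port (breadth-first search over the rule graph)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for z in zones:
            if z in seen:
                continue
            if any(r[0] in ("*", cur) and r[1] in ("*", z) for r in rules):
                seen.add(z)
                queue.append(z)
    return seen - {start}


def wildcard_rules(rules=ALLOWED_FLOWS):
    """Rules containing '*' deserve review: each one widens the blast radius."""
    return sorted((r for r in rules if "*" in r), key=repr)


if __name__ == "__main__":
    print("guest_wifi -> imaging_modalities:104 allowed?",
          is_allowed("guest_wifi", "imaging_modalities", 104))
    print("segmented blast radius from guest_wifi:", reachable_zones("guest_wifi"))
    print("flat blast radius from guest_wifi:", reachable_zones("guest_wifi", FLAT_NETWORK))
    print("rules to review:", wildcard_rules(FLAT_NETWORK))
```

Running `reachable_zones` against the real rule set exported from a firewall is a quick way to check that a proposed segmentation design actually contains a compromise, rather than trusting the VLAN diagram.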
Next, identity and access management (IAM) ensures that only the right people can access sensitive systems. Hospitals should limit access based on roles. For example, a billing administrator shouldn’t have access to medical device controls. Strong IAM includes features like multifactor authentication, role-based permissions, and automatic access removal when employees leave or change roles.
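The following is an added example (not the column's or any vendor's code) of the IAM controls just described: a role catalogue that grants each job only what it needs, an authorization check that also requires MFA to have been verified for the session, and a reconciliation step that treats the HR roster as the source of truth so that leavers are disabled and movers lose their old entitlements automatically. Roles, permission strings and the sample users are constructed for illustration.

```python
"""Role-based access with least privilege and automatic deprovisioning.
Added example; roles, permissions and users are constructed, not a real IAM config."""
from dataclasses import dataclass, field

# Constructed role catalogue: each role carries only the permissions its job requires.
ROLE_PERMISSIONS = {
    "billing_admin":   {"billing:read", "billing:write", "ehr:demographics:read"},
    "nurse":           {"ehr:chart:read", "ehr:chart:write", "medication:administer"},
    "biomed_engineer": {"device:config:read", "device:config:write"},
    "it_admin":        {"infra:servers:admin"},
}


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True


def effective_permissions(user):
    """Union of the permissions granted by the user's roles; disabled users get nothing.
    An unknown role name grants nothing rather than failing open."""
    if not user.active:
        return set()
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user, permission, mfa_verified):
    """Deny unless the account is active, MFA was verified for this session,
    and some assigned role grants the requested permission."""
    return user.active and mfa_verified and permission in effective_permissions(user)


def reconcile_from_hr(users, hr_roster):
    """Joiner/mover/leaver sync. `hr_roster` maps username -> list of current roles.
    Users absent from the roster are disabled and stripped of roles; users whose
    job changed get exactly the new role set. Returns (username, event) audit records."""
    events = []
    for username, user in users.items():
        if username not in hr_roster:
            if user.active or user.roles:
                user.active = False
                user.roles = set()
                events.append((username, "disabled: not on HR roster"))
            continue
        new_roles = set(hr_roster[username])
        if new_roles != user.roles:
            added = sorted(new_roles - user.roles)
            removed = sorted(user.roles - new_roles)
            user.roles = new_roles
            events.append((username, f"roles changed: added {added}, removed {removed}"))
    return events


if __name__ == "__main__":
    users = {"bob": User("bob", {"billing_admin"}), "ann": User("ann", {"biomed_engineer"})}
    print("bob -> device:config:write:", authorize(users["bob"], "device:config:write", True))
    # Constructed HR feed: ann has left, bob has moved from billing to nursing.
    for record in reconcile_from_hr(users, {"bob": ["nurse"]}):
        print(record)
    print("bob now has:", sorted(effective_permissions(users["bob"])))
```

The key design choice is that entitlements are recomputed from roles on every check rather than copied onto the account, so a role change in HR removes access without anyone having to remember to revoke individual grants.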
Finally, no hospital should face these threats alone. Sharing intelligence and best practices among hospitals ensures that everyone has the knowledge they need to protect themselves. By sharing data on indicators of compromise (IOCs) — such as IP addresses used in attacks, as well as attacker tactics, techniques, and procedures (TTPs) — hospitals can help each other identify threats faster and respond more effectively. These exchanges of information can happen through secure online communities and trusted digital networks. One hospital’s sharing can prevent others from falling victim to the same campaign.
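As an added example of what a receiving hospital does with shared IOCs (this is illustrative code, not Health-ISAC's tooling or feed format), the block below normalises a small constructed indicator list (single IPs, a CIDR range, a domain, each tagged with an ATT&CK technique) and scans constructed proxy log lines for hits. It handles the details that trip up a naive grep: CIDR membership, case-insensitive domain and subdomain matching, and malformed log lines, and it summarises hits per source host so the SOC knows which asset to isolate first.

```python
"""Match a shared IOC list against proxy/firewall logs.
Added example; IOC values and log lines are constructed (documentation IP ranges),
not a real feed or real hospital traffic."""
import ipaddress
import re
from collections import defaultdict

# Constructed IOC set in the shape a peer hospital or ISAC might share it.
SHARED_IOCS = [
    {"type": "ipv4-addr", "value": "203.0.113.45", "ttp": "T1071.001 C2 over web protocols"},
    {"type": "ipv4-cidr", "value": "198.51.100.0/24", "ttp": "T1567 exfiltration over web service"},
    {"type": "domain", "value": "update-portal.example", "ttp": "T1566 phishing landing page"},
]

# Constructed proxy log: timestamp src_ip dst_ip dst_host action ("-" when no hostname)
SAMPLE_LOG = """\
2025-05-01T02:14:07Z 10.20.3.14 203.0.113.45 - ALLOW
2025-05-01T02:14:09Z 10.20.3.14 198.51.100.77 - ALLOW
2025-05-01T02:15:00Z 10.20.7.2 192.0.2.10 intranet.hospital.example ALLOW
2025-05-01T02:16:41Z 10.20.3.14 192.0.2.88 update-portal.example ALLOW
2025-05-01T02:17:00Z 10.20.9.9 192.0.2.50 cdn.UPDATE-PORTAL.EXAMPLE. DENY
2025-05-01T02:18:00Z bad line
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (ALLOW|DENY)$")


def compile_iocs(iocs):
    """Normalise the feed: IPs and CIDRs become ip_network objects (a bare IP is a /32),
    domains are lower-cased with any trailing dot removed."""
    nets, domains = [], {}
    for ioc in iocs:
        if ioc["type"] in ("ipv4-addr", "ipv4-cidr"):
            nets.append((ipaddress.ip_network(ioc["value"], strict=False), ioc["ttp"]))
        elif ioc["type"] == "domain":
            domains[ioc["value"].lower().rstrip(".")] = ioc["ttp"]
    return nets, domains


def scan_log(text, iocs=SHARED_IOCS):
    """Return (hits, per_source): one dict per matching line, plus a hit count per
    source IP so the noisiest internal host can be triaged first."""
    nets, domains = compile_iocs(iocs)
    hits, per_source = [], defaultdict(int)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped; a scanner must not crash on bad input
        ts, src, dst, host, action = m.groups()
        matched = None
        try:
            dst_ip = ipaddress.ip_address(dst)
            for net, ttp in nets:
                if dst_ip in net:
                    matched = (dst, ttp)
                    break
        except ValueError:
            pass  # destination field was not an IP address
        if matched is None and host != "-":
            h = host.lower().rstrip(".")
            for d, ttp in domains.items():
                if h == d or h.endswith("." + d):  # exact domain or any subdomain
                    matched = (host, ttp)
                    break
        if matched:
            hits.append({"line": lineno, "time": ts, "src": src, "action": action,
                         "indicator": matched[0], "ttp": matched[1]})
            per_source[src] += 1
    return hits, dict(per_source)


if __name__ == "__main__":
    found, by_host = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("hits per internal host:", by_host)
```

Note that a DENY line still counts as a hit: a blocked connection to known infrastructure tells the SOC that the host attempted it, which is exactly the early warning the shared indicator was meant to provide.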
Building resilience means more than just reacting to the latest breach. It requires overhauling outdated systems, adopting modern security frameworks, and actively participating in intelligence sharing networks. As cyber threats evolve, healthcare providers face a critical choice: adapt or leave their systems, staff, and patients dangerously exposed.
Errol Weiss, chief security officer, Health-ISAC
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.