The healthcare sector continues to be a popular target of malicious cyberactivity, ranging from opportunistic attacks by cybercriminals to targeted attacks conducted by nation-state actors. While the majority of attacks may focus on data theft, the United Nations also recently warned that attacks can be ‘issues of life and death.’ This is due to the dangers of vulnerabilities that threat actors may exploit to render both IT and OT systems unusable, which can pose a significant risk to patient care.

Ransomware and extortion attacks in healthcare

Our own research from 2023 and 2024 has shown that the healthcare sector is one of the top three targeted sectors globally when it comes to ransomware attacks. This is also reflected in Microsoft’s recent report on the threats to the healthcare sector, which found a 300% increase in ransomware attacks against the sector in 2024 when compared to 2015. In fact, 2024 has been deemed the worst year for the healthcare sector in terms of data breaches.

One of the most high-profile ransomware attacks in 2024 was the ALPHV ransomware attack against the United States healthcare company Change Healthcare. The attack caused widespread network disruptions for many healthcare providers, with over 100 critical applications impacted, leading to a knock-on effect that left patients unable to access medications and medical services. Another notable example is the Qilin ransomware attack against the UK-based pathology services provider Synnovis. The attack impacted multiple NHS trusts in London, as well as primary care services, resulting in the delay of thousands of blood tests, cancer diagnostics, and elective surgeries. In both cases, the attackers also stole gigabytes of personally identifiable and protected health information of patients, with the Change Healthcare incident ultimately impacting about 190 million individuals.

These examples demonstrate how impactful a ransomware attack can be on healthcare operations and patient privacy. Such attacks also put the targeted organisations in an ethical dilemma, as refusing to pay the demanded ransom may prolong the recovery efforts, whereas paying the ransom only encourages actors to continue their attacks.

Vulnerability exploitation in healthcare

In both the Change Healthcare and Synnovis incidents, the ransomware actors exploited known vulnerabilities in the companies’ systems, highlighting how exposed healthcare infrastructure is to cyberattacks. While phishing remains a favoured initial access vector, threat actors are increasingly exploiting both known and zero-day vulnerabilities to gain access to healthcare systems and the data these organisations hold. An example of this is the exploitation of a then-zero-day, tracked as CVE-2023-34362, in the MOVEit Transfer file-sharing platform by the Clop ransomware gang in 2023. The group exploited the SQL injection flaw to steal data from hundreds of organisations globally, including multiple healthcare entities. This mass exploitation resulted in numerous health data breaches via a supply-chain vector: the software tool used by the organisations was compromised rather than their networks being targeted directly.

Threat actors also commonly target vulnerabilities in VPN appliances and network gateways, such as Fortinet, Citrix, and Cisco products, to gain initial footholds in hospital networks, especially where devices have not been promptly updated. While these are not medical or healthcare-specific products per se, their exploitation demonstrates the opportunistic approach threat actors take in their attacks. Health IT stacks often include legacy systems that are harder to update, and healthcare organisations also rely on a vast array of different technologies, which often results in delayed updates and makes them an attractive target.

Not only vulnerable IT systems but also vulnerable OT systems pose a significant risk to healthcare organisations. Many medical devices now connect to networks, and hospitals rely on industrial control systems for critical functions like ventilation, power management, and laboratory automation. Dozens of high-severity vulnerabilities have recently been identified in medical devices, often stemming from legacy design decisions like hardcoded passwords or outdated libraries. For example, a May 2025 ICS-CERT advisory warned of multiple vulnerabilities impacting Pixmeo OsiriX MD, which an attacker could exploit to cause memory corruption, resulting in a denial-of-service condition, or to steal credentials. Fortunately, to date, no notable attacks on medical OT systems have been observed; however, that does not mean such issues should be overlooked. Threat actors could easily pivot to an OT network to maintain long-term persistence and, in worst-case scenarios, tamper with diagnostic results, alter treatment devices, or shut down life support systems.

Other risks associated with medical devices

Healthcare organisations typically use Digital Imaging and Communications in Medicine (DICOM) for medical image sharing, and vulnerabilities are regularly discovered in DICOM implementations. While attacks remain mostly hypothetical, the impact could be immense, as attackers could alter CT or MRI scans through image tampering attacks, for example by injecting a fake tumour or hiding a real one. At present, one of the biggest threats to DICOM is the unintentional exposure of DICOM servers, leaving patient data freely available on the internet. Moreover, the niche use of DICOM has also been exploited by threat actors to deliver malware, as was observed in February 2025 by Forescout. The researchers identified 29 malware samples purporting to be Philips DICOM Viewer instances that deployed ValleyRAT, a backdoor used by the China-based advanced persistent threat (APT) actor Silver Fox. Additional healthcare systems were later also discovered to have been targeted with malware, including Siemens syngo fastView DICOM viewers infected with the Floxif backdoor, Mindray CMS instances infected with the suspected Chinese backdoor Panda Burning Incense, and two botnet samples abusing credentials for GE Healthcare MUSE Cardiology Information Systems.

Nation-state actors targeting the healthcare sector

Much of the current cyber threat activity against the healthcare sector relates to cybercriminal activity like ransomware and extortion attacks, or confidential data leaks due to insecure data storage. However, nation-state actors have also regularly targeted the sector, including in collaboration with ransomware gangs, blurring the line between espionage and cybercrime. In August 2024, the United States Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center warned of continued activity by the Iran-linked APT Pioneer Kitten, which is believed to obtain and develop network access to organisations, including ones in the healthcare sector, and then hand that access off to ransomware affiliates for ransomware deployment. An older example is the North Korea-linked Maui ransomware, which was used to target US hospitals in 2021 and 2022. Other countries’ APTs, such as Chinese actors, have historically hacked healthcare research institutions, for example to steal COVID-19 vaccine research and development in 2020, and this threat persists into 2025 as high-value biomedical research and pharmaceutical data remain targets. Such state-sponsored operations tend to be less frequent than criminal attacks, but they add to the complexity of the threat landscape.

Conclusion: Threats to the healthcare sector

The various vulnerabilities in healthcare systems and the types of data these organisations hold mean the healthcare sector will remain an attractive target for both cybercriminals and nation-state actors. The consequences of a successful attack can range from the theft of millions of medical records to the halting of patient care services across an entire region. Cybersecurity in healthcare is now directly tied to patient safety, making it imperative that healthcare organisations treat cybersecurity as a core component of patient care. This means staying vigilant about the latest threats, investing in resilient infrastructure, and practising robust incident response.

Fortunately, awareness and defences are gradually improving, with many healthcare providers already investing in stronger cybersecurity controls, such as zero-trust network architectures, better segmentation of medical devices, robust backup and incident response plans, and continuous staff training against phishing. Governments have also issued stricter guidelines, such as the requirement to report breaches in a specific timeframe and to harden critical systems, while international efforts like threat intelligence sharing through organisations like Health-ISAC and government CERTs are helping to disseminate warnings about active threats.

To learn how Silobreaker’s threat intelligence for the healthcare sector can help you stay ahead of the latest trends and attacks facing your sector, request a demo today.