Top Cyber Threats in Healthcare

Cybersecurity is now a patient care risk.

Healthcare is under attack. It’s not because the hackers are brilliant. It’s because we’re predictable and driven by profit.

Patient records are gold. Clinical systems are fragile. Every solution is a snowflake. Security programs are scattered.

Attackers don’t need zero-days. They only need shared logins, unpatched devices, and policies in PDFs instead of practice.

This isn’t just about stolen data. It’s about canceled surgeries. Diverted ambulances. Lost trust. Cyberattacks in healthcare have real-world, real-time consequences.

Regulators have stopped being patient.

Federal enforcement is now a reality. The Department of Health and Human Services (HHS)  and the Office for Civil Rights (OCR) have taken action against 22 covered entities over the past year, with settlements already reached in several cases[1]. (U.S. Department of Health and Human Services, n.d.) At the same time, proposed updates[2] to the HIPAA Security Rule are advancing and are expected to become enforceable this year.

This is not simply about compliance. This is about demonstrable cyber risk governance and accountability.

When cybersecurity fails, care delivery fails. That’s not theoretical. That’s a patient care risk.

Risk cannot be eliminated, but it can be governed and managed. Healthcare organizations move from reacting to leading not by adding more controls, but by continuously measuring, reviewing, and reporting their performance against objectives.

 

The Cost of Being Number One

Healthcare is not just the most frequently breached industry[3]. It is also one of the most exposed when incidents occur. The consequences extend beyond data loss and regulatory fines. They include service disruptions, patient safety and privacy risks, legal liability, reputational damage, and long-term operational impact.

Most healthcare breaches are not new attacks. They are the result of known, repeatable weaknesses that hackers exploit because they work. Phishing leads to credential misuse. Inadequate segmentation allows lateral movement. Vendor portals lack visibility or control. Backups are present but untested. Risk is known but not governed.

The regulatory consequences are increasing. The Office for Civil Rights has made clear through recent enforcement actions that it expects organizations to go beyond documentation. Policies must be implemented, controls must be in place, and actions must be traceable to risk. Where alignment is missing, enforcement follows.

The operational costs are harder to measure, but no less real. Ransomware attacks have forced hospitals to cancel surgeries and divert ambulances. Downtime from cyber incidents disrupts care, delays diagnostics, and increases clinical workload. Staff morale suffers. Patients lose trust. These are not technology problems. They are system level failures in resilience and oversight.

Healthcare organizations do not need more headlines. They need better alignment between what they know, what they say, and what they do. Being the number one target means accepting that breach attempts will continue. What matters is how the organization responds, and whether its governance framework is strong enough to withstand not just the attack, but the scrutiny that follows.

 

Top Cyber Threats in Healthcare

The following threats are not abstract. They are documented, repeatable, and avoidable. Each represents a convergence of technical vulnerability and governance failure, and each has resulted in real-world consequences for healthcare organizations.

  1. Unauthorized Access

Unauthorized access often originates from within the organization in the form of privilege abuse. Threat actors exploit weak access controls, shared credentials, or excessive privileges to access protected health information. These incidents are frequently categorized as misuse, credential theft, or internal data snooping.

  • In 2024, the U.S Department of Health and Human Services imposed a civil monetary penalty of $1,190,000 on Gulf Coast Pain Consultants for multiple unauthorized access violations by a former contractor. Regulators cited a longstanding pattern of noncompliance and failure to safeguard patient data.(U.S. Department of Health and Human Services, 2024)

Impact: Regulatory penalties, privacy violations, reputational harm

Attack Vector: Privilege abuse, stolen credentials, weak authentication

 

  1. Phishing, Ransomware and Downtime

Ransomware remains one of the most damaging forms of attack in healthcare. It disables access to EHRs, imaging platforms, and critical infrastructure, disrupting care delivery and forcing diversion of patients.

  • In 2023, a ransomware attack against Prospect Medical Holdings disrupted operations across 30 hospitals in six states. The incident forced emergency departments to close, ambulances to be diverted, and surgeries to be delayed. The attackers reportedly exfiltrated sensitive patient information leading to long-lasting operational and reputational fallout. (Associated Press, 2023)

Impact: Clinical disruption, delayed care, regulatory investigation, reputational fallout

Attack Vector: Email phishing, credential theft, vulnerable remote access

 

  1. Unsecured IoT and Medical Devices

    Healthcare organizations often operate numerous connected medical devices that lack basic security controls. These devices may run on outdated operating systems, be unmanaged by IT, and offer limited visibility for logging or monitoring. The exposures are not theoretical. They provide persistent footholds for attackers to bypass perimeter defenses, evade monitoring, and access sensitive clinical systems. In an environment where uptime equals care delivery, device compromise is not just a technical problem, it is a patient safety event.

  • In 2024, Censys researchers identified over 14,000 internet-exposed healthcare systems globally, with nearly half located in the U.S. These exposures included DICOM servers used for medical imaging and EMR/HER login portals. Many of these systems lacked basic security measures, and were deployed without adequate access controls, making them susceptible to unauthorized access and data breaches.(Censys, 2024)
  • Another investigation found that over 50 percent of connected medical devices in hospitals were running outdated or unsupported operating systems, with limited visibility into their behavior or lifecycle.(Cynerio, 2022)

Impact: Lateral movement, data exfiltration, operational disruption, patient safety risk

Attack Vector: Direct network access, exposed interfaces, internal pivoting, vulnerable protocols

 

  1. Third-Party Compromise

    Most healthcare organizations are deeply dependent upon external vendors for everything from imaging and lab results to billing, data hosting, and care coordination. Many of these vendors have direct access to sensitive patient data or network resources. Despite this, oversight is often inconsistent or entirely absent. Risk is accepted by default, rather than managed with intent.

  • In 2023, the exploitation of a vulnerability in Progress Software’s MOVEit Transfer application led to a widespread data breach affecting numerous healthcare entities. Notably:
    • Centers for Medicare & Medicaid Services (CMS): Nearly 950,000 Medicare beneficiaries in Wisconsin had their personal information compromised due to a breach involving their contractor, Physician Services Insurance Corp.(HIPAA Journal, 2023)
    • Welltok: The healthcare IT firm reported that data for approximately 14.7 million individuals was exposed, affecting patients from organizations like Corewell Health and Priority Health.(HIPAA Journal, 2023)

Impact: Large-scale data exposure, regulatory investigations, reputational damage, breach reporting obligations

Attack Vector: Vendor portals, weak authentication, unmonitored APIs, remote access misconfigurations

 

  1. Unenforced or Dormant Controls

In many healthcare environments, security programs exist more on paper than in practice. Policies may require encryption, access reviews, or incident response testing, but without implementation, performance metrics, and audit, these policies create a false sense of compliance. Breaches often expose the disconnect between what leadership believes is in place versus reality.

  • In 2019, the University of Rochester Medical Center (URMC) agreed to a $3 million settlement with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) following the loss of an unencrypted flash drive and the theft of an unencrypted laptop containing electronic protected health information (ePHI). Despite previous OCR investigations and technical assistance, URMC had failed to implement encryption mechanisms and conduct enterprise-wide risk analysis, leaving patient data vulnerable.(Thompson Coburn LLP, 2019)

This incident underscores that having policies is insufficient; without enforcement, integrated governance, and regular audits, organizations remain exposed to significant risks. This kind of incident is not a gap in technology. It is a breakdown in governance. The tools and policies may exist, but without operational accountability, they remain dormant. And once a breach occurs, investigators and regulators focus less on intentions and more on what can be proven.

 

What the Threats Reveal About Healthcare Cyber Risk Governance

The threats facing healthcare are not new. They are persistent because the failures behind them are systemic. Breaches tied to stolen credentials, unpatched devices, and vendor exposure do not stem from technical wizardry. They stem from misalignment between what is written, what is deployed, and what is enforced.

What the threat landscape reveals is not just a set of attack patterns. It reveals a governance gap.

Policies, standards, and guidelines exist, but they are not mapped to technical controls and control owners. Controls exist, but not owned, and are not monitored for effectiveness. Critical systems operate outside of inventory, outside of IT visibility, and outside of accountability. This is not due to a lack of frameworks or guidance, it is due to the fragmentation of ownership across security, compliance, clinical operations, and executive leadership. This isn’t a failure of knowledge. It’s a failure of integration.

Across healthcare organizations, the most common breakdowns trace back to the following patterns:

  • Unauthorized access reflects the absence of meaningful access governance and administration.
  • Ransomware disruption reveals weak operational continuity and response discipline.
  • Unsecured medical devices expose the lack of compensating controls for unmanaged systems.
  • Third-party breaches highlight the illusion of delegated accountability.
  • Dormant policies signal that compliance is often disconnected from operational enforcement.

As HHS and OCR have ongoing enforcement actions against 22 healthcare providers, the consequences are measurable in regulatory penalties, operational disruptions, reputational loss, and declining trust. (U.S. Department of Health and Human Services, n.d.) The root cause is structural. Security failures in healthcare persist not because the threats are too advanced, but because the organization lacks a model to govern them across roles, systems, and environments.

This is why traceability matters. Without a clear line between policy, control, and evidence, security becomes a performance, not a practice. Healthcare organizations must now evaluate not just whether a policy exists, but whether the appropriate supporting controls are implemented, measured, and aligned with risk

This is not reinvention, it is alignment. Cyber risk governance is not about adding burden, it is about removing uncertainty. When cyber risk governance is strong, security improves, accountability increases, and breach response becomes an exercise in execution, not explanation.

 

What Traceability Really Means

Traceability means you can link:

  • Policy → to the control it mandates
  • Control → to the risk it mitigates
  • Control Owner → to the mandated control
  • Risk → to the risk owner and business impact
  • Gaps → to a risk, documented decision or roadmap

If any part of that chain is missing, governance is broken

 

Why the HIPAA Update Changes the Game

For years, HIPAA has been treated as a regulatory floor, a checklist of minimum expectations. That era is ending. The proposed update to the HIPAA Security Rule signals a shift from suggestive guidance to enforceable expectations, and from policy paperwork to operational proof.

The update does not introduce radically new ideas. Instead, it closes the distance between what healthcare organizations say they do, and what they are expected to demonstrate. It moves enforcement from theory to practice.

 

What’s Different Now:

  • Audit-Ready Accountability:

    The revised rule increases the expectation that organizations can prove not just that policies exist, but that controls are enforced, measured, and monitored. Documentation must reflect reality, not aspiration.

  • Modern Threat Acknowledgement:

    The update explicitly accounts for current attack methods such as ransomware, third-party compromise, and persistent access abuse. These are no longer edge cases; they are core scenarios regulators expect to be addressed.

  • Risk-Based Control Expectations:

    Flexibility remains, but only within a clear risk management framework. Covered entities must align controls with risk, and must be able to show how they did it.

  • Stronger Expectations Around Third Parties:

    Business Associate Agreements (BAAs) will not be a shield. Covered entities are being held responsible for the systems, data flows, and controls they extend to partners. Enforcement already reflects this.

  • Alignment with Broader Frameworks:

    The updates move HIPAA into closer alignment with modern security frameworks such as NIST CSF 2.0, NIST 800-53, CIS, and the HICP guidance. This supports a more integrated governance model across clinical, operational, and enterprise environments.

 

What OCR Wants to See

OCR is looking for:

  • Evidence of technical controls aligned to HIPAA safeguards
  • Risk assessments with action plans, not just findings
  • Documentation that reflects reality, not templates
  • Visibility into third-party access and oversight
  • Incident response tested, not just written

 

 

Why It Matters:

Regulators have already begun enforcing based on these expectations, even before the rule is finalized. The shift is not just regulatory; it’s cultural. Compliance now demands execution, not just intention. Documentation must reflect operational reality.

That doesn’t mean controls must exist for every policy. In a mature governance model, policies define intent, the lack of supporting controls identifies risk. The key is visibility. If a control is missing, that gap should be documented, tied to a specific business risk, and prioritized for remediation or acceptance.

For CISOs and executive leaders, this is the moment to unify business risk appetite with cyber risk management. Organizations that succeed will not be those with the longest policies, rather those that can show how their policies map to risk, to control decisions, and to business outcomes. They must be able to show evidence that they considered the risks, the related impacts, and consideration of reasonable controls to reduce risk to an acceptable level; acceptable not only to the organization, but acceptable to those that could be harmed.  It is a balance of risk and reward.

 

CISO Priorities That Actually Move the Needle

  1. Operationalize Policy

  1. Policies are not governance unless they map to something real. Every policy statement, from encryption to access control to vendor oversight, should be traceable to:
    • Supporting controls and control owners
    • Status of supporting controls
    • A verification mechanism, preferably integrated metrics

If a policy statement has no corresponding control or performance measure, it is a risk, not a control. Treat it as such. The job is not to close the spreadsheet; it’s to prove the control exists and works.

 

  1. Build Ransomware Resilience

Backups are not a plan. Business and patient care continuity is. CISOs must take ownership of patient care continuity during a ransomware event; even if business continuity is technically another team’s job. At a minimum:

    • Test failover and recover paths for clinical systems
    • Document what systems must remain operational during “downtime”
    • Define workarounds for diagnostics, prescribing, and communication

If ransomware disables access to EHR, imaging, or lab systems, care cannot stop. Resilience is not how quickly you restore IT, it’s how you maintain patient care in the event of a crisis.

 

  1. Get a Handle on IoMT (Internet of Medical Things)

IoMT (Internet of Medical Things) refers to the growing ecosystem of connected medical devices; infusion pumps, imaging systems, monitors, and other clinical technologies, that often operate on outdated platforms, lack basic security controls, and pose significant risk to care continuity if compromised. You will not patch every device. That is not the goal. What you can do is:

    • Identify unmanaged, high-risk, or high-privilege devices
    • Ensure included in device inventory and asset lifecycle management
    • Segment those devices wherever technically feasible
    • Apply compensating controls (monitoring, alerts, physical safeguards)
    • Contain what cannot be secured, and document the risk

Do not pretend these devices are covered by traditional IT practices. Build a risk register and show what you’ve done, and what remains.

 

  1. Audit Third-Party Access

Most covered entities have vendors with unmonitored, persistent access. That is no longer defensible. As part of managing supply chain and third-party risk you must be able to show:

    • Who has access
    • What they can access
    • How that access is monitored
    • What happens when there is a breach
    • That the supplier has implemented controls commensurate with your policy

BAAs are not a shield. Your vendor’s risk is your risk. Proving third-party access governance in your Identity and Access Management program is not optional. Healthcare organizations must be able to demonstrate, not just claim, that they are actively overseeing how vendors and partners access their systems and data. It’s a test you will be asked to pass.

 

  1. Engage Clinical Leadership

Cybersecurity is no longer just a technical domain. It is a dimension of patient safety. When downtime affects prescribing, diagnostics, records access, or patient procedures, the impact is not theoretical.Involve clinical leadership in your governance model:

    • Include them in risk assessments
    • Build tabletop exercises that involve care disruptions
    • Align on what “essential” looks like during an incident

    If clinicians are surprised by your incident plan, it will fail. If they helped shape it, they will defend it.

     

    Quick Wins

    • Audit and restrict persistent third-party access
    • Run one realistic ransomware tabletop involving clinicians
    • Identify and segment 10 high-risk unmanaged devices
    • Document and own one known gap in a policy-control mapping
    • Show one aligned metric from policy statement to technical control to risk status
    • Visibility into third-party access and oversight
    • Incident response tested, not just written

     

     

    The Cyber Risk Governance Shift

    The conversation around cybersecurity has changed. It’s no longer a question of what controls are needed, it’s whether the organization can prove they are implemented and effective. Cyber risk is no longer owned only by IT. It’s distributed across business units, clinical leaders, compliance teams, and the board. And now, everyone is accountable.

    This is the shift:
    Cybersecurity is not just a technical challenge; it is a governance function.

     

    From Controls to Exposure

    Healthcare CISOs are being asked a different set of questions than they were just a few years ago. It’s no longer “do we have a firewall?” or “are we using MFA?” It’s:

        • Can you show how this control reduces risk more than the weight impact of the risk?
        • What are the risks to the Mission, our Goals, and our Objectives?
        • What are the risks to Regulation Compliance or Patient Care?
        • Is there a policy that governs it?
        • For implemented controls can we measure their effectiveness?
        • What risks do not have an approved remediation project?
        • How are we tracking on our approved remediation projects? (plan to actual)
        • How do we get better insight to our unknown risks?

     

    Security teams must be able to link their activities to business exposure. Not just controls, but business outcomes.

     

    From Security to Cyber Risk Governance

    Board members are asking about cyber risk, not just breaches. Regulators are asking about control alignment, not just policy presence. And the gap between compliance and reality is closing fast.

    To lead through this shift, CISOs must:

        • Frame cyber risk in terms of business impact, not just technical detail
        • Own the traceability between HIPAA expectations and real controls
        • Quantify the risk of gaps, not just track them
        • Demonstrate that governance is active, not theoretical

     

    The difference between a breach and a crisis is governance. When leadership has clear visibility into what risk exists, what’s being done, and what still needs attention, a breach is manageable. Without it, even a minor incident can spiral into legal, reputational, and operational collapse.

    HINT: Let’s stop presenting technical details to non-technical executives and managers.

     

    Cyber Risk Governance, Not Compliance Theater

    Security programs that exist to check boxes will fail. They will fail under pressure, fail under audit, and fail when the breach comes. The era of compliance theater, of documenting policies no one enforces and managing risk only when regulators ask, is ending. What comes next is cyber risk governance aligned to mission, objectives, and obligations.

    Healthcare CISOs are not being asked to eliminate risk. They are being asked to understand it, explain it, and lead through it. Leadership does not expect perfection. It expects clarity, ownership, and progress.

    The Reality:

        • You cannot secure every device
        • You will not close every gap
        • You will be breached. If not this year, then soon.

     

    But you can govern. You can demonstrate that the organization’s risks are known, prioritized, and addressed with intent. You can prove that when a control is missing, it’s acknowledged and tracked, not ignored. That is the difference between failure and resilience.

     

    What Boards and Regulators Want:

        • To see that risk is being measured and managed, not guessed at
        • To understand who owns which decisions
        • To know that the organization can respond with speed and discipline, not chaos and finger-pointing
        • To trust that security is not just an IT project, but a part of how the organization functions
        • To know what risks do not have an approved remediation project?
        • To know how we are tracking on our approved remediation projects? (plan to actual)
        • To know how we get better insight to our unknown risks?

     

    The Path Forward

    Risk cannot be eliminated, but it can be managed and governed. And in healthcare, governance is what separates organizations that recover from an incident and those that collapse.

    Compliance is a floor. Executives and Security Leadership have an obligation to perform their duty of care.  This will involve real risk assessments that consider impacts to the Mission, the Objectives, Obligations, and Harm caused by the how the organization is managed. While we are not able to eliminate all risk, we do need to consider foreseeable harm and treat with reasonable controls.

    HINT: The cure should not be worse than the disease.

    CISOs who lead with that mindset won’t just pass audits. They’ll earn trust. They will be Teflon.

     

    Conclusion and Key Takeaways

    The healthcare sector faces a defining moment. Cyber threats are persistent, enforcement is escalating, and trust, from patients, regulators, and boards, is increasingly tied to cybersecurity performance. The top threats facing healthcare are not new. They are visible, repeatable, and driven by systemic weakness in governance, not gaps in awareness.

    This is no longer just about HIPAA Compliance. It’s about leadership and cyber resilience. The organizations that succeed will be those that:

        • Understand that security risk in healthcare is systemic, not speculative
        • Go beyond HIPAA Controls and embrace real risk management
        • Recognize that a missing control is not a failure, but need to be able to present the story
        • Treat cybersecurity as a patient safety issue, not just vulnerability management
        • Show boards and regulators proof, not plans, with controls mapped to risks, risks mapped to projects, and traceability of ownership with progress status
        • Executives should be able to make informed decisions about cyber risks

    CISOs are not being asked to eliminate risk. Nor should they be expected to own it. Their role is to govern it. To surface it clearly, align it with mission, purpose, objectives, and obligations, and ensure decisions are made with full context. True ownership lives with the business, where the authority, funding, and accountability for risk ultimately reside.

    Cybersecurity is now a core function of healthcare leadership. Not because of what it protects, but because of what it enables. And what it enables is care.

     

     

     

    Work Cited

    Associated Press. (2023). Ransomware attack delays patient care at hospitals in multiple states. Retrieved from AP News: https://apnews.com/article/ransomware-attack-hospitals-emergency-rooms-0841defe1b881b71eccb8826ed46130e

    Censys. (2024, March 6). Thousands of healthcare systems exposed online. Retrieved from CyberScoop: https://cyberscoop.com/medical-devices-online-health-censys/

    Cynerio. (2022). The state of healthcare IoT device security: 2022 report. Retrieved from Cynerio: https://www.cynerio.com/landing-pages/the-state-of-healthcare-iot-device-security-2022

    HIPAA Journal. (2023, October 13). CMS contractor Wisconsin Physicians Service reports data breach from MOVEit hack. Retrieved from HIPAA Journal: https://www.hipaajournal.com/cms-wisconsin-physicians-service-moveit-hack/

    HIPAA Journal. (2023, October 26). Welltok data breach impacts more than 8.5 million individuals. Retrieved from HIPAA Journal: https://www.hipaajournal.com/welltok-data-breach/

    Thompson Coburn LLP. (2019, November 11). $3 million HIPAA fine highlights dangers of unencrypted devices. Retrieved from Password Protected: https://www.passwordprotectedlaw.com/2019/11/unencrypted-hipaa/

    U.S. Department of Health and Human Services. (2024, 3). HHS OCR imposes penalty against Gulf Coast Pain Consultants. Retrieved from HHS.gov: https://www.hhs.gov/about/news/2024/12/03/hhs-ocr-imposes-penalty-against-gulf-coast-pain-consultants.html

    U.S. Department of Health and Human Services. (n.d.). EMR in healthcare: Cybersecurity challenges and insights. Retrieved from HHS.gov: https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf

    U.S. Department of Health and Human Services. (n.d.). Resolution agreements and civil money penalties. Retrieved from Office for Civil Rights: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

     

    Additional Reference

    Duty of Care Risk Analysis Standards body. DOCRA – DOCRA

    The Sedona Conference (Commentary on a Reasonable Security Test, Feb 2021: The Sedona Conference®

    Reasonable Risk SaaS (duty of care risk analysis automation): Home – Reasonable Risk

    Duty of Care Risk Analysis inventors: Cyber Security Services & Risk Management | Reasonable Security

    CIS RAM v2.1 Risk Method based on the Duty of Care Risk Analysis standard: CIS Risk Assessment Method (RAM) v2.1 for CIS Controls v8

    [1] https://www.hhs.gov/ocr/newsroom/index.html

    [2] HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information | HHS.gov

    [3] Kroll Data Breach Outlook 2025 Healthcare Most Breached Industry