2025’s Biggest Healthcare Cybersecurity Threats

Cyberattacks targeting healthcare organizations are rising, and the financial and operational toll they take is growing. A recent report from Proofpoint found that 92% of healthcare organizations reported experiencing a cyberattack in 2024, up from 88% in 2023, while the average cost of the most expensive attack was $4.7 million. While safeguarding sensitive patient data remains a top concern, malicious actors leverage artificial intelligence (AI) and machine learning technologies to make threats more complex. Leadership needs to understand why healthcare organizations are targeted, how they are targeted, and how they can mitigate cyber threats in 2025.

Why Are Healthcare Systems Targeted? Greg Young, vice president of cybersecurity at Trend Micro, says an organization’s most significant vulnerability is simply being in the healthcare industry. “The amount of key data within these organizations is a treasure trove to cybercriminals,” he says. “It’s also an industry known for paying ransoms. This all leads to increased attacks.” He adds that adversaries will target any weaknesses or gaps in the security controls of healthcare organizations. Lack of funding or security expertise could continue contributing to successful breaches in 2025. “Healthcare organizations must revisit their entire cybersecurity strategy for threats ranging from ransomware to phishing and cloud vulnerabilities, often caused by weak controls,” he says.

Sandeep Kumbhat, field CTO at Okta, says cyber threats endanger patient privacy and can disrupt operations by shutting down systems and impacting clinical outcomes. “Cyberattacks also significantly strain healthcare finances due to rising HIPAA violation fines and costly breach remediation efforts,” he adds. “Regulatory fines increase for organizations repeatedly breached, and startups face funding challenges if they fail to prioritize robust cybersecurity measures.”

The Top Cybersecurity Threats for 2025 - The top threats facing healthcare organizations include ransomware, breaches caused by cloud vulnerabilities and misconfigurations, bad bot traffic, and phishing. Phishing is getting a boost from AI and large language models. “Ransomware and phishing are ongoing concerns for the industry,” says Derek Manky, chief security strategist and global vice president of threat intelligence at Fortinet’s FortiGuard Labs. He says that as AI-driven tools become increasingly ubiquitous, cybercriminals are using the technology to inform the reconnaissance and weaponization phases of the cyber kill chain. “As a result, threat actors are executing targeted attacks quickly and more precisely,” Manky says.

Ransomware Threats - Healthcare organizations face two pressing ransomware threats, according to Kumbhat. One involves mass data attacks targeting cloud backups, logs, and archives. “Rather than targeting individual patient data, attackers aim to capture large-scale historical data to extort entire organizations,” he says.
The second threat is session-based attacks involving authentication or identity management. “Compromised patient sessions, often due to insufficient security measures, allow attackers to pinpoint individuals or specific groups, leading to targeted ransomware campaigns,” Kumbhat explains.

He says both threats underscore the need for strong data lifecycle security and identity management solutions in healthcare. “Healthcare is a top target for ransomware because they have the crown jewel of data from a patient care perspective,” Kumbhat adds.

Cloud Vulnerabilities and Misconfigurations - Young explains that cloud vulnerabilities and misconfigurations can expose healthcare organizations to data breaches and unauthorized access, jeopardizing sensitive patient information and compliance with regulations. These misconfigurations can be addressed with a cloud security posture management tool, ideally integrated into a modern cybersecurity platform.

He also suggests that healthcare organizations map their digital supply chains, noting that third parties must be assessed at contract issuance and renewal for their security posture as part of the selection process. “Ideally, the supply chain map can include software bills of materials, the ingredients list for software to help identify risks in their own software and third-party software,” he says.

Bad Bot Traffic - Bad bot traffic consists of automated programs that mimic human behavior online, often used in attacks such as credential stuffing, data scraping, and denial-of-service attacks. In healthcare, these bots can target patient portals or steal sensitive data, posing significant security risks to systems and patient privacy. Manky says that there are several steps teams should take to avoid falling victim to automated threats. These include harnessing AI to gain greater visibility across the attack surface, detect computerized attacks, and remediate incidents faster. “Healthcare organizations are also increasingly embracing a unified cybersecurity platform that converges networking and security solutions,” he says.

Phishing - Kumbhat says cybercriminals use deceptive emails or messages to trick employees into revealing credentials or clicking malicious links. This leads to unauthorized access to electronic health records, financial data, or confidential information. “Phishing is everywhere.”

Young adds that in attacks against healthcare, AI is primarily used to enhance phishing effectiveness. “Healthcare has so much personal information, and with phishing already an effective attack strategy, improving on it is worthwhile for malicious actors,” he says. In this case, AI creates more convincing phishing messages by farming information from public sources, social media, and data collected from other victims. It can help attackers avoid making the mistakes that quickly reveal a message as phishing. “We’re not seeing attackers using AI for anything extraordinarily complex and expensive,” Young says. “Why bother when phishing and conventional vulnerability-focused malware work so well?”

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
