The Health-ISAC published its 2025 Health Sector Cyber Threat Landscape that underscores the formidable cybersecurity challenges that plagued the health sector in 2024 and anticipates an even more daunting landscape in 2025. Last year, the healthcare sector faced significant challenges as ransomware, nation-state espionage, and Internet of Medical Things (IoMT) vulnerabilities emerged as top concerns. Healthcare systems worldwide struggled with a rise in ransomware attacks, where cybercriminals used increasingly advanced methods to disrupt operations and demand ransoms.

The Health-ISAC 2025 Health Sector Cyber Threat Landscape report highlights the persistent threat posed by nation-state actors, who have intensified their efforts in cyber-espionage, targeting sensitive patient data and valuable intellectual property. Additionally, the proliferation of IoMT devices has introduced a new array of vulnerabilities, necessitating urgent attention and adaptation of security measures. As the sector braces for 2025, the report identifies these threats as top concerns, urging healthcare organizations to bolster their defenses against an evolving threat landscape that shows no signs of abating.

In 2024, the health sector faced a formidable array of cyber threats, with ransomware leading the charge. Ransomware attacks became increasingly sophisticated, targeting critical healthcare infrastructure and demanding exorbitant ransoms to restore access to vital systems and patient data. Phishing remained a persistent threat, exploiting human vulnerabilities to gain unauthorized access to sensitive information. Compromised credentials, often the result of successful phishing attempts, posed a significant risk because they allow cybercriminals to infiltrate networks undetected.

The reliance on third-party vendors also introduces additional vulnerabilities, as breaches in these external systems can cascade into healthcare organizations. Data breaches, a perennial concern, continue to threaten patient privacy and organizational integrity, with attackers seeking to exploit valuable health information.

Looking ahead to 2025, the 2025 Health Sector Cyber Threat Landscape report expects ransomware deployments to remain the most pressing cyber threat, with attackers refining their tactics to maximize disruption and financial gain. Third-party breaches are anticipated to rise, as healthcare organizations increasingly depend on external partners for services and technology, amplifying the risk of exposure through interconnected systems.

Additionally, data breaches will persist as a critical concern, driven by the lucrative nature of health data on the black market. Supply chain attacks are emerging as a significant threat, with adversaries targeting the complex web of suppliers and vendors to infiltrate healthcare networks. Zero-day exploits, which take advantage of previously unknown vulnerabilities, are expected to become more prevalent, challenging the sector’s ability to defend against novel attacks.

Regarding medical device security, the 2025 Health Sector Cyber Threat Landscape report revealed that manufacturers face the daunting task of integrating security into the design and development process. This challenge is compounded by the need to balance innovation with robust security measures, ensuring that devices are both cutting-edge and resilient against cyber threats. 

Manufacturers must also provide regular and secure updates and patches for medical devices, another critical challenge, as these devices often operate in environments where downtime can have serious consequences. Ensuring that updates are timely and do not disrupt clinical operations is essential. Finally, designing for the ongoing security of medical devices over their long operational lifespan presents a unique challenge, as devices must remain secure against evolving threats without compromising functionality or patient safety.

The 2025 Health Sector Cyber Threat Landscape report revealed that healthcare delivery organizations face significant challenges that can severely impact their operations and patient care. Firstly, disruptions in the normal operation of medical technology, such as the loss of diagnostic tools or access to electronic medical records, can lead to critical delays and disruptions. This may necessitate the diversion of patients and ambulances, result in canceled surgeries, or force a reversion to manual procedures, all of which compromise the quality and timeliness of care. Secondly, unauthorized access, theft, or exposure of patients’ personal health information (PHI) poses a grave threat, leading to privacy violations and potential legal repercussions that can damage the organization’s reputation and financial standing. 

Lastly, the report identified that disruption of overall hospital operations, including administrative processes, scheduling, and communication, can create a chaotic environment that hinders the efficient delivery of healthcare services, ultimately affecting patient outcomes and staff morale. These impacts underscore the critical need for robust systems and protocols to safeguard against such vulnerabilities.

The 2025 Health Sector Cyber Threat Landscape report also profiled the five most active ransomware groups targeting the health sector in 2024. These profiles are based on comprehensive research conducted by Health-ISAC’s Threat Operations Center, utilizing a proprietary ransomware dataset.

In 2024, Health-ISAC documented 458 ransomware incidents within the health sector. Additional threat actor profiles can be accessed through the Health-ISAC Threat Intelligence Portal (HTIP) knowledge base, offering valuable context to the intelligence shared on the platform. These profiles are regularly updated and maintained by the Threat Operations Center’s intelligence analysts, ensuring that members receive the most current and pertinent information.

During the 2024 reporting period, the health sector was increasingly targeted by some of the most active ransomware gangs, with LockBit 3.0 leading the charge by attacking 52 entities. The group has been relentless in its pursuit, causing significant disruptions and financial losses. Following closely is INC Ransomware, which compromised 39 health sector entities, showcasing its growing threat. RansomHub, another formidable player, attacked 36 entities, further highlighting the vulnerability of the healthcare industry.

Additionally, BianLian, with 31 attacks, and QiLin, with 23, round out the list of top offenders, each contributing to the escalating cybersecurity crisis faced by healthcare providers worldwide. These attacks underscore the urgent need for enhanced security measures and robust defenses to protect sensitive health data from these persistent threats.

The 2025 Health Sector Cyber Threat Landscape report also detailed nation-state activity during the reporting period. Russian nation-state threat actor APT29 has been observed conducting a large cyber espionage campaign leveraging new custom backdoor malware named WINELOADER. APT29 has a track record of targeting various industries, including healthcare and pharmaceuticals, in the U.S. and Europe.

“The group uses a variety of tradecraft, including spearphishing, password spraying, supply chain compromise, and exploitation of public-facing applications to conduct espionage and data exfiltration operations,” according to the report. “Multiple governments have confirmed APT29 is linked to the Russian government. APT29 has remained persistent in its goal of gathering intelligence regarding Russian foreign interests. Members, especially those with significant intellectual property, such as pharmaceutical and biotech organizations, are advised to remain vigilant for any indications of espionage activity in their networks.”

The Health-ISAC report also detailed that Chinese nation-state actors were observed leveraging the Ivanti vulnerabilities (CVE-2023-46805 and CVE-2024-21887) to compromise corporate systems and conduct malicious activities such as data exfiltration, file manipulation, and backdoor installations. 

“UTA0178 engages in living off the land (LoTL) techniques while also deploying a handful of malware files and tools which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting,” the report added. “Once UTA0178 gains access to the network through ICS VPN applications, its general approach is to move laterally within the network using compromised credentials. Furthermore, attackers would then escalate privileges to other systems using compromised credentials they harvested during the lateral movement phase, often through RDP exposures.”

Health-ISAC members have observed North Korean intelligence operatives masquerading as remote workers to gain entry into health sector organizations. These operatives use AI technology to help shore up the language gap during the interview process and use their technical skills to land the position. Once they gain employment, it has been reported that these intelligence operatives attempt to steal intellectual property or money from the organization that employs them. Health-ISAC also has reported that after North Korean remote workers are discovered masquerading as legitimate employees, they attempt to extort the organization by ransoming stolen data.

In 2024, the Russia/Ukraine war intensified, with Ukraine launching strikes into Russian territory using drones and long-range missiles. Russia responded by considering advanced weaponry and seeking North Korean troops, though their effectiveness was limited. As the conflict continues into 2025, Russia may escalate cyber attacks against NATO infrastructure. Meanwhile, NATO is on high alert for hybrid threats to EU energy infrastructure, with increased sabotage and cyber attacks reported. In the Middle East, the Israeli-Iranian conflict is expected to escalate slowly, with Iran potentially targeting NATO healthcare institutions in response to global tensions.

The 2025 Health Sector Cyber Threat Landscape report noted that the Health-ISAC collects and anonymizes threat information from its member organizations, sharing these insights as indicators of compromise (IOCs) to help protect networks. In 2024, Health-ISAC distributed a total of 4,904 IOCs, with 85 percent related to specific malware and 15 percent linked to threat actor tactics. Notably, while malware IOCs were more numerous, the tactics, including brute-forcing and phishing, proved to be more impactful. The most shared malware IOC was Agent Tesla, with 515 indicators, highlighting the diverse threats faced by member organizations.

“While malware remains the most common indicator shared within the Health-ISAC membership, there is a significant presence of other attack-based indicators, meaning that members are also likely significantly impacted by non-malware-specific threats,” the report added. “As more IOCs are shared within the membership, it is possible that the gap between malware indicators and tactics-based indicators will shorten to reflect a more comprehensive healthcare threat environment.”

The 2025 Health Sector Cyber Threat Landscape report emphasized the importance of safeguarding patient information due to the rapidly evolving landscape. Cyber threats are not isolated incidents but a collective challenge that demands a unified response. 

The Health-ISAC stands as a beacon of collaboration, offering a platform where healthcare organizations can come together to fortify their defenses. Engaging with Health-ISAC is not just about protecting patients; it is about joining a community dedicated to the proactive defense against cybercrime. This collaboration provides early warnings and shared strategies, empowering teams with the knowledge and skills needed to stay ahead of potential threats. 

Furthermore, the collective wisdom of industry experts within Health-ISAC enhances organizational resilience, ensuring confident navigation of the complexities of cybersecurity. Moreover, the innovative solutions born from this collaboration pave the way for a more secure and advanced healthcare environment. Embracing the power of community through Health-ISAC is a decisive step towards a safer future for patients and organizations.
