SPEAK WITH AN EXPERT

Why today’s threat actors target healthcare infrastructures

The healthcare sector is seeing an increasing number of cyberattacks – a trend that is not just continuing but is intensifying in 2024. 

This post focuses on the mounting cybersecurity threats facing healthcare organizations and analyzes the perpetrators of these attacks, motives that fuel threat actors, and sector-wide vulnerabilities that have all contributed to the significant increase in attacks. For a wider look into 2024’s top trends, read our threat intelligence mapping report that presents the largest attacks of the past year alongside recommendations to prevent future attacks. 

The healthcare industry is no longer immune

Historically considered to be one of the most safeguarded industries, healthcare institutions are no longer immune to cyberattacks. Advances in technology and the widespread digitization of health records have exposed new attack vectors, and cybercriminals have been quick to exploit these opportunities. The surge in healthcare breaches—a 104% increase in the first half of 2023 alone—underscores the growing trend.

What motivates threat actor groups?

The groups carrying out these cyberattacks are diverse—Advanced Persistent Threat (APT) groups, hacktivists, and ransomware gangs — all with different agendas. APT groups, for example, often use cyberattacks to exert geopolitical pressure or create chaos for political leverage. These sophisticated groups exploit vulnerabilities in the healthcare sector to pressure adversaries or incite societal disruption. Such operations transcend mere data theft and aim to instill fear, chaos, and demoralization—thus making attacks on healthcare an attractive tool in conflicts.  

One example of this APT-backed behavior was the significant breach at the Ziv Medical Center in Israel in November 2023 by Agrius, a group with Iranian ties, which crippled the hospital’s digital infrastructure, and managed to steal sensitive medical information in response to wider geopolitical conflicts. 


Hacktivists, on the other hand, are driven by ideological goals or political and social causes they support. Their primary goals are causing disruption in order to draw attention to matters they are passionate about. Because cyberattacks on healthcare infrastructures often make headlines, hacktivists target the industry to provide them with the high-profile exposure they seek. In 2023, Killnet, a pro-Russian hacktivist group, launched a series of cyberattacks against healthcare providers in multiple countries as a form of protest against these countries’ support of Ukraine. The group employed Distributed Denial of Service (DDoS) attacks to overload and incapacitate hospital networks, thereby impeding their ability to operate effectively.

Ransomware gangs are exploiting healthcare networks

Ransomware gangs, on the other hand, aim for financial gain, exploiting the urgency healthcare providers have in restoring services to cash in on hefty ransoms. Attacks in this field are not only increasingly common but also costly, with the average data breach setting organizations back $10.93 million.

For ransomware criminals, this industry is proving to be a goldmine laden with valuable patient data that is integral to industry and societal function. This makes attacks even more lucrative for threat actors, as victims are more likely to pay swiftly to continue lifesaving services. The extensive range of patient data offers a wealth of exploitation opportunities for threat actors looking to continuously exploit organizations.

The double-extortion tactic of encrypting data and extracting it only magnifies the threat, as it increases the leverage criminals have over their victims, as they now face not just the disruption of their services but also the risk of sensitive data exposure. Such a strategy significantly raises the stakes, as data breaches can lead to regulatory fines, loss of reputation, and legal action, making victims more inclined to meet the attackers’ demands. Even after paying the ransom, victims cannot be certain their stolen data will be deleted, perpetuating a cycle of vulnerability and extortion.

Recent data breaches demonstrate an increase in attacks

In 2023, the sector experienced an onslaught of ransomware attacks, affecting both small community hospitals and colossal healthcare systems alike. HCA Healthcare’s data breach, which affected 11 million people, underscores the vulnerabilities of large entities. However, perhaps the most significant attack unfolded as 2024 began with the ransomware strike on CHANGE Healthcare. ALPHV/BlackCat, a ransomware gang, carried out the attack in February 2024, affecting millions and freezing medical treatment, hospitals, pharmacies services—ushering in what the American Hospital Association declared “the most significant and consequential incident against the U.S. healthcare system in history.” And the year has only just begun. 

How are attacks typically carried out? 

The healthcare sector’s susceptibility to attack is multi-faceted: sensitive data pools, essential services, interconnected systems, and often outdated security in legacy technologies all contribute to a highly vulnerable environment. With threat actors now favoring the exploitation of external vulnerabilities as a principal means to gaining initial access, as opposed to traditional phishing tactics, the reliance on legacy technology exacerbates major security gaps, as these systems often lack contemporary defenses. Additionally, the healthcare ecosystem’s complexity, with its interconnected stakeholders, presents multiple entry points for attackers. This complexity is heightened by the large number of vendors, third-party providers, and affiliate organizations that healthcare institutions work with. Each entity within this network could potentially become a vector for cyberattack, an additional link in the healthcare chain amplifying the potential for exploitation and access to sensitive hospital records.

The healthcare sector’s susceptibility to attack is multi-faceted: sensitive data pools, essential services, interconnected systems, and often outdated security in legacy technologies all contribute to a highly vulnerable environment.

The recent breach involving MOVEIt, which affected various sectors, including healthcare entities, and was orchestrated by the Russian Cl0p group, demonstrates how weaknesses in one system can have cascading effects throughout the sector. 
The group managed to extort approximately 2,700 organizations through the compromise of a singular environment – which in turn jeopardized the data of millions of end-users.

Today’s cyberattacks have extensive consequences

The ripple effects of cyberattacks on critical hospital infrastructures are profound. From operational disruptions to permanent hospital closures, the stakes are high. One example of this can be seen in the recent closure of a US-based hospital due to the extreme fallout brought upon by a ransomware attack. Alongside major disruptions in patient care, hospitals attacked can easily become financially devastated due to insurance payouts, freezes in government funding, potential non-profit status, and other factors that contribute to a very volatile situation.


The cyberattacks that have already taken place in 2024 serve as a stark reminder that the healthcare sector has become a critical battlefield. The sophistication and diversity of attackers, combined with the inherent vulnerabilities of healthcare systems, underscore the critical necessity for robust cybersecurity measures. Protecting patient data and ensuring the continuous operation of healthcare services is not merely an IT concern; it’s a matter of public health and safety. 

The sophistication and diversity of attackers, combined with the inherent vulnerabilities of healthcare systems, underscore the critical necessity for robust cybersecurity measures.

As cyber threats evolve, so must the defenses of healthcare organizations. The stakes are too high to ignore, and the cost of inaction is, quite literally, life-threatening. 

Interested in learning more? Read our full 2024 threat intelligence report.