By SOCRadar Research
Like other critical infrastructures, the healthcare industry is frequently targeted by cyberattacks. The attacks in the healthcare vertical have begun to increase in recent years due to security vulnerabilities triggered by changes in procedures during the covid 19 pandemic and increased digitalization. According to the IBM Security X-Force Threat Intelligence Index 2022 report, healthcare was the sixth most attacked industry in 2021.
Cyberattacks are especially harmful in the healthcare industry due to the nature of healthcare. Attacks can directly endanger patients’ health and safety, in addition to system and information security. Beyond financial and reputational loss, cyberattacks can cause life-threatening effects.
Primary Targets in the Healthcare Industry
The primary targets in the healthcare industry can be categorized as follows;
- Hospitals
- Medical Devices
- Health Insurance
- Biotechnology Industries
- Pharma& Chemicals
- Other end users
Healthcare organizations are prime targets for cyberattacks as they hold large amounts of patient data. Recently, the focus of cybercriminals has shifted from large hospitals to smaller healthcare providers, such as small or rural hospitals or private clinics.
The most apparent reason for targeting smaller healthcare providers is the perception that they are less likely to invest in cybersecurity programs and have a weaker cyber defense. However, the media and law enforcement interests are likely to be less.
Medical devices are one of the healthcare industry’s weak points against cyber criminals. Healthcare digitalization is rising, and providers employ more connected medical devices daily. The devices can vary from wearable IoMT (Internet of Medical Things) devices such as patient tracking wristbands, pacemakers, and insulin pumps to medical devices such as ventilators, portable X-ray machines, and vital signs monitors. The devices interact through a network, providing physicians with critical patient information. Updates are required to keep them operational and secure like any other digital device. Cybercriminals can abuse unpatched and insecure medical devices as entry points.
According to Cynerio and Ponemon Institute’s ‘The Insecurity of Connected Devices in Healthcare 2022‘ survey, 56% of respondents have encountered at least one cyberattack involving connected devices in the recent 24 months.
The Rise of the Cyberattacks in the Healthcare Industry
The main reasons for the rising cyberattacks in the healthcare industry are as follows;
– The expansion of cloud-based solutions
– Increase in usage of connected devices
– Personal Health Information (PHI) is more valuable on the black market than credit cards or Personal Identifiable Information (PII)
– Choosing the ransom payment as a first option for the healthcare providers because of the continuity of the systems is vital
– Inadequate security controls in medical devices
– Security measures that are put in the background due to insufficient awareness of cyber security and the workload of healthcare professionals. Cyber security is not the priority for most employees and C-suite executives.
– Usage of outdated technologies
– Complex and extensive supply chain of the healthcare systems
Common Cyber Attack Vectors in the Healthcare Industry
The 2021 HIMSS (Healthcare Information and Management Systems Society) Healthcare Cybersecurity Survey report published in early 2022 underlined the most significant security incident was phishing attack (45%) and ransomware attack (17%) for the healthcare industry in 2021. Also, the initial points of compromise for the most significant security incident were phishing (71%). According to data from the SOCRadar XTI platform, the number of healthcare industry-related postings shared on underground forums increased by 1.04% in 2022 compared to 2021. So, the interest of threat actors in healthcare continued unabated in 2022. However, the number of ransomware attacks on the healthcare industry increased by 81.1% in 2022 compared to 2021. The distribution of ransomware attacks in the healthcare industry detected by SOCRadar dark web analysts in 2021 and 2022 is as follows.

The increase in ransomware attacks on the healthcare vertical has also led official institutions to react. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint cybersecurity advisory about the Daixin Team Ransomware Group (AA22-294A) and the Hive Ransomware (AA22-321A) Group. The advisories dated 21 October 2022 and 17 November 2022 both stated that the groups are targeting the healthcare and public health industries.
The US (United States) Department of Health and Human Services (HHS) also warned about the Royal ransomware threat to the Healthcare and Public Healthcare (HPH) industry. On 7 December 2022 (report number: 202212071400).
Ransomware is one of the most popular types of healthcare threats. Threat actors realize the importance of minimizing operational disruptions in healthcare and consider healthcare providers closer to paying the ransom. In this context, double extortion tactics, threatening to expose sensitive data in addition to encrypting, can be used. Additionally, the healthcare industry’s low tolerance for disruptions to critical systems can lead to triple extortion, in which DDoS (Distributed Denial of Service) attacks are combined with ransom demands.
Healthcare is one of the critical industries most vulnerable to data breaches. Many systems, such as Hospital Information Systems (HIS), are used by healthcare providers to store sensitive data. Personal Health Information (PHI) is valuable on the black market due to its non-changeability. Personal health history (symptoms, illnesses, surgeries, etc.) cannot be changed, unlike other personal information (credit card information, credentials, etc. As a result, threat actors have a greater motivation to target medical databases.
Notable Cyberattacks on the Healthcare Industry in 2022
Considering the SOCRadar XTI platform database, almost 400 dark web posts related to the healthcare industry have been reported in 2022 so far. The most active threat actors were ‘LeakBase‘ and ‘Kelvinsecurity.’ SOCRadar research team analysis revealed that cyberattacks in the healthcare industry are mostly focused on Asia, North America, and Europe.


In 2022, 163 ransomware attacks against the healthcare vertical have been reported, and the most active ransomware group was LockBit ransomware. More information about the active ransomware groups and notable cyberattacks on the healthcare industry in 2022 can be reached on SOCRadar’s blog post.
Lessons Learned from Cyberattacks in the Healthcare Industry
Lesson 1: Small hospitals and clinics are targeted since they are considered more accessible options for attackers. Most minor medical institutions need more human resources and resources to implement the latest cybersecurity precautions. To fill this gap, institutions will require external support from security companies.
Lesson 2: Connected medical devices are one of the healthcare industry’s most severe security weak points. Connected medical devices will be more secure when they are listed in the digital asset inventory and their network activity is monitored and encrypted. It is also crucial to use network segmentation to prevent these devices from accessing critical databases. Also, it is essential to follow the security updates of the devices regularly.

Herein, SOCRadar Attack Surface Management (ASM) solution ‘AttackMapper’ can help organizations gain additional visibility and monitoring of all digital assets in an automated manner.
Lesson 3: To pay close attention to phishing attacks, which are the first point(s) of compromise for many attacks. People are vulnerable to attacks such as phishing and social engineering. The risk factor should be reduced by training that increases the cybersecurity awareness of healthcare professionals.

SOCRadar Digital Risk Protection (DRP) solution ‘RiskPrime’ builds on industry-leading instant phishing domain identification, internet-wide scanning, and compromised credential detection technologies.
Lesson 4: Ransomware attacks are one of the most common cyberattacks in the healthcare industry. Identifying the security vulnerabilities commonly used against the healthcare industry for ransomware attacks and taking proper precautions is crucial. To save data, apply the 3-2-1 backup strategy the Cybersecurity and Infrastructure Security Agency (CISA) advised.

SOCRadar Dark Web News module continuously reports the latest ransomware attacks. For more details on the Medibank ransomware incident, a prominent ransomware attack in the healthcare industry in 2022, click here.
Lesson 5: Encryption is one of the effective ways to prevent a threat actor from accessing sensitive data in healthcare systems. Encryption must be utilized during data storage and transmission to mitigate data breaches.
In addition to any organization’s cybersecurity threats, healthcare providers must handle industry-specific challenges. They must protect networks, databases, and endpoints from internal and external cyber threats. They are also responsible for the availability of medical services, the proper operation of medical systems and equipment, and the security and integrity of patients’ and employees’ private financial and medical information.
It is essential to increase security visibility to provide a solid cyber security posture. With Attack Surface Management, you can identify and monitor all digital assets 24/7 and detect security vulnerabilities proactively.
Using Cyber Threat Intelligence (CTI) solutions is also critical to identify, mitigate, and remediate security risks effectively. In particular, CTI tools that provide intelligence from the dark web can offer an early warning of PHI data leaks for predictive measures.