OT vulnerabilities increasingly leave health care open to attacks that can cause ‘lethal’ disruptions, report warns
Cyberattacks on health care not only pose increasing danger to hospitals and related facilities with “the massive, unpredictable cost of systemic operational failure” but have caused “lethal” disruptions that are connected to increases in heart attack incidents at spillover facilities and other causes of death, a new review of incidents and threats says.
The health care sector remains the costliest sector for data breaches for the 15th year in a row at an average of $10.22 million per incident, Trellix said in its Healthcare Cybersecurity Threat Intelligence Report that analyzed 2025 incidents. This comes down to an average of $1.9 million per day in lost revenue and recovery expenses — and for 76% of health care organizations, recovery from a major attack has taken more than 100 days.
Health care providers experienced more breaches, with 360 reported compared to 101 reported by business associates, but the latter type of attack tended to affect more people.
Cascading effects from attacks targeting various interconnected systems were the prevailing trend during the year, Trellix said — “a shift where breaches in administrative networks or non-clinical Operational Technology (OT) systems, such as a building’s HVAC, could paralyze an entire health system’s clinical workflow.”
“Research confirmed that hospitals affected by cyberattacks, including cloud/account compromises, supply chain attacks, ransomware attacks, and business email compromise (BEC) incidents, saw a 29% increase in mortality rates for inpatients, and neighboring hospitals experienced an 81% surge in cardiac arrest cases due to emergency diversions,” the report said.
Electronic health records now fetch about 20 times the price of a stolen credit card on the dark web, selling for about $60 each. The company noted that its researchers also “observed a threat actor offering medical records for a U.S. healthcare provider for $250 per compromised account in late 2023, demonstrating that specialized or high-integrity clinical datasets can command prices far exceeding general blackmarket averages.”
Attackers also evolved last year from “simple encryption to ‘triple extortion’ data theft, service disruption, and individual patient harassment,” Trellix said. “The Ransomware-as-a-Service (RaaS) ecosystem underwent a violent reorganization following the high-profile fallout of the Change Healthcare breach, leading to more aggressive, affiliate-centric models.”
The company said it identified 109 unique campaigns “specifically engineered to compromise healthcare infrastructure” last year, including notorious threat actors Qilin, INC Ransom, Devman2, Medusa, Interlock, RansomHub, Cl0p and Rhysida. Newcomer Sinobi, believed to have emerged in July, “rapidly established itself as a significant threat with 21 observed attacks,” or 4.9% of all health care attacks. “Their rapid emergence and immediate focus on specialized firms like biotech suggest either experienced operators launching a new brand or sophisticated initial access capabilities,” the report notes.
Phishing remains the primary entry point for breaches, with attacker now using “‘AI Transformation’ and ‘Regulatory Compliance’ themes to trick administrative staff.”
Nearly all hospitals manage at least one device with a known exploited vulnerability, the report warned, with medical devices including infusion pumps, medical imaging equipment that often operates on outdated systems and patient monitors that keep watch on vital signs harboring an average of 6.2 software bugs each. “A significant security hole at many hospitals is the reliance on legacy devices that were designed without security in mind,” Trellix noted.
A Ponemon Institute/Proofpoint survey last fall found that the negative impacts caused by cyberattacks included delayed intake of patients, increased hospital stays and more complications from medical procedures, with 29% of healthcare IT and cybersecurity professionals surveyed reporting an increase in mortality rate, The HIPAA Journal reported.
A UC San Diego study documented the effect on neighboring medical facilities that don’t directly come under attack but experience a surge of patients from the attacked hospital — leading to the increase in cardiac arrest cases and lower survival rates.