How healthcare organizations can stop cyberattacks before they damage patients and drain budgets.
By Dirk Schrader, VP of Security Research and Field CISO in EMEA, Netwrix
Healthcare has always been a mission-driven industry, but it also sits at the intersection of some of the most aggressive cyber threats. Patient records are among the most valuable assets on the black market, and clinical operations are among the least tolerant of downtime. This creates an environment where even a short disruption can have disproportionate consequences at every level of severity, from patients' health to business continuity, which go hand in hand in this industry. To care for patients properly, healthcare organizations should better understand the reality of today's security threats in the industry and how they can fight them.
Escalating Costs of Cyber Incidents
New data confirms that the financial toll of cyberattacks on healthcare organizations is growing rapidly. Nearly half of healthcare providers surveyed reported at least one security incident in the past year. Among those, the severity of losses has escalated:
- The percentage of organizations reporting costs above $200,000 jumped from 5% in 2024 to 19% in 2025, nearly a fourfold increase.
- Losses above $500,000 grew from 2% last year to 12% this year, signaling that more organizations are suffering high-impact breaches.
- By contrast, across all industries in 2025, only 13% reported losses above $200,000 and 6% above $500,000.
Healthcare is clearly bearing a disproportionate share of the impact. This disparity is not accidental. Attackers understand that clinical services cannot be delayed for long, and that pressure makes providers more likely to pay ransoms or absorb costly recovery measures.
Threats Driven by Compromised Identity
The same survey highlights that phishing, ransomware, and account compromise remain the most common threats. Nearly one-third of healthcare respondents (31%) reported incidents involving compromised user or admin accounts. This pattern underscores the central role of identity in modern cyberattacks.
What has changed in the past year is the role of artificial intelligence in accelerating these threats, alongside the ever-increasing dependency on IT itself. More than a third of healthcare IT and security professionals (37%) said AI-driven attacks had already forced them to strengthen defenses. AI tools are enabling attackers to craft more convincing phishing campaigns, automate credential stuffing, and identify weaknesses at a pace that outstrips manual defenses.
Hidden Risks in Application Workflows
While ransomware and stolen credentials dominate headlines, healthcare organizations cannot ignore more subtle but equally dangerous risks. Business logic vulnerabilities—errors in the way applications and SaaS platforms handle data flows—are increasingly being exploited.
A common example involves poorly validated patient record systems. If records are accessed by predictable URL parameters, altering a single digit may allow unauthorized users to view sensitive information. In another sector, similar flaws were exploited to manipulate booking systems or payment discounts. In healthcare, such flaws could expose records across entire patient populations.
These vulnerabilities are difficult to detect with automated scanning tools because the application still “works” as designed. Identifying them requires thorough documentation of workflows, human-led testing, and collaboration between development and security teams.
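As an added illustration (example code written for this article's point, not code from the author or from Netwrix), the following Python shows a patient-record lookup keyed by a predictable numeric id in its vulnerable form beside a hardened form that checks the requester's relationship to the patient and filters fields by role, together with the kind of parameter-tampering check a human-led workflow test would run against it. All records, users, roles and the ROLE_FIELDS policy are constructed for the example.

```python
"""Added example (not from the article): a record lookup that trusts a
predictable id, a hardened version with object-level authorization, and a
workflow test that reports which ids leak. All data here is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    patient: str
    diagnosis: str
    authorized_staff: frozenset  # usernames with a treatment or billing relationship


@dataclass(frozen=True)
class User:
    username: str
    role: str  # "nurse", "physician" or "billing"


# Constructed sample data. Sequential ids are exactly the "predictable URL
# parameter" pattern described in the text.
RECORDS = {
    1001: Record(1001, "patient-a", "dx-a", frozenset({"nurse1", "dr.lee", "billing1"})),
    1002: Record(1002, "patient-b", "dx-b", frozenset({"dr.lee"})),
    1003: Record(1003, "patient-c", "dx-c", frozenset({"nurse2", "billing1"})),
}

# Minimal role policy (assumed): which record fields each role may read.
ROLE_FIELDS = {
    "physician": ("patient", "diagnosis"),
    "nurse": ("patient", "diagnosis"),
    "billing": ("patient",),  # billing never sees the diagnosis
}


class AccessDenied(Exception):
    pass


def get_record_vulnerable(requester: User, record_id: int) -> dict:
    """Vulnerable: the id from the request is the only thing consulted.
    Any authenticated user who changes 1001 to 1002 reads another patient."""
    rec = RECORDS[record_id]
    return {"patient": rec.patient, "diagnosis": rec.diagnosis}


def get_record_hardened(requester: User, record_id: int) -> dict:
    """Hardened: the id still comes from the request, but the server checks
    that the role may read records at all, that the requester has a
    relationship to this patient, and then returns only the role's fields.
    One error covers "no such record" and "not yours", so the response does
    not confirm that an id exists to someone who is not authorized for it."""
    rec = RECORDS.get(record_id)
    fields = ROLE_FIELDS.get(requester.role)
    if rec is None or fields is None or requester.username not in rec.authorized_staff:
        raise AccessDenied(f"{requester.username} may not read record {record_id}")
    return {f: getattr(rec, f) for f in fields}


def tamper_test(handler, requester: User) -> list:
    """Workflow validation for this handler: request every known id as the
    given user and list the ids that are returned although the user has no
    relationship to the patient. An empty list is the expected result."""
    leaks = []
    for rid, rec in RECORDS.items():
        if requester.username in rec.authorized_staff:
            continue  # legitimate access, not a leak
        try:
            handler(requester, rid)
        except (AccessDenied, KeyError):
            continue  # correctly refused
        leaks.append(rid)
    return leaks


if __name__ == "__main__":
    nurse = User("nurse1", "nurse")
    print("vulnerable handler leaks:", tamper_test(get_record_vulnerable, nurse))
    print("hardened handler leaks:  ", tamper_test(get_record_hardened, nurse))
```

The point of `tamper_test` is that it passes against the vulnerable handler only if the application already refuses cross-patient reads; a scanner that checks whether the page renders cannot tell the two handlers apart, which is why the text calls for workflow-level checks rather than code review alone.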
Strengthening Defenses with Practical Measures
To protect patients, healthcare organizations need a layered approach that focuses on identity and data, while also addressing less obvious risks. The following measures can help close the gap between attackers and defenders, especially when they are aligned to critical processes and assets:
- Zero Trust Security. Adopting a Zero Trust model means eliminating assumptions about trust within the network. Every user, device, and application must be verified continuously. In a clinical setting, this could involve revalidating clinician access during a shift when accessing different systems, ensuring that credentials are not misused. Zero Trust helps contain attackers by preventing them from moving laterally across the network if they gain initial access.
- Identity Protection. Since so many attacks begin with compromised credentials, healthcare organizations must prioritize identity security. Multifactor authentication (MFA) should be mandatory for all accounts, especially administrative and clinical applications that store protected health information (PHI). Privileged access management (PAM) can ensure that accounts with elevated rights are tightly monitored and only active when needed. Regular credential hygiene, such as disabling dormant accounts and enforcing password resets, reduces the attack surface.
- Role-Based Access Control. Implementing role-based access control (RBAC) ensures that each employee has only the permissions necessary for their role. A nurse should not have the same access rights as a billing administrator, and a contractor should never have permanent access to sensitive systems. Mapping access rights to job functions makes it easier to audit permissions and prevents the accumulation of excessive privileges that attackers can exploit.
- Business Logic Testing. Healthcare IT systems are complex, often integrating electronic health records (EHRs), scheduling platforms, billing systems, and third-party SaaS applications. Each of these has its own business logic, which can be manipulated if not secured. Regular security testing should go beyond code reviews and include workflow validation. For example, testers should check whether modifying input parameters or skipping steps in a workflow exposes sensitive data or allows unauthorized actions.
- Data Security Posture Management (DSPM). Sensitive data now lives across on-premises databases, cloud storage, SaaS platforms, and collaboration tools. Shadow data (sensitive information created or stored outside of sanctioned systems) is a growing problem. DSPM tools provide continuous discovery and classification of data, identifying where sensitive information resides, who has access, and whether it is overexposed. For healthcare organizations, this visibility is essential for compliance with HIPAA and for reducing the risk of exposure through unmanaged repositories.
- Continuous Monitoring. Traditional security tools often detect threats only after damage has occurred. Continuous monitoring provides real-time visibility into unusual activity, such as large data downloads, repeated failed login attempts, or unexpected access outside of normal working hours. By correlating this behavior with user roles and historical activity, healthcare organizations can more effectively distinguish between normal usage and active threats.
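To make the continuous-monitoring bullet concrete, here is an added example (written for this article, not code from the author or from Netwrix) that runs simple detection logic over a handful of constructed audit-log lines. It flags the three patterns named above, large exports, repeated failed logins, and activity outside normal hours, and it judges each event against a per-role baseline so that an export that is routine for billing is still abnormal for a nurse. The log format, the ROLE_BASELINE values and the thresholds are assumptions for the example.

```python
"""Added example (not from the article): role-aware detection over
constructed audit-log lines. Format, users, roles and thresholds are assumed."""

from collections import defaultdict
from datetime import datetime

# Constructed log lines: <timestamp> <user> <role> <action> [key=value ...]
SAMPLE_LOG = """\
2025-03-03T08:05:12 nurse1 nurse view_record id=1001
2025-03-03T08:07:40 nurse1 nurse view_record id=1002
2025-03-03T09:15:02 billing1 billing export rows=40
2025-03-03T22:41:10 billing1 billing export rows=9000
2025-03-03T22:42:55 billing1 billing view_record id=1003
2025-03-04T03:10:00 contractor7 contractor login_failed
2025-03-04T03:10:09 contractor7 contractor login_failed
2025-03-04T03:10:18 contractor7 contractor login_failed
2025-03-04T03:10:27 contractor7 contractor login_failed
2025-03-04T03:10:36 contractor7 contractor login_failed
2025-03-04T03:10:45 contractor7 contractor login_failed
2025-03-04T10:00:00 dr.lee physician view_record id=1002
"""

# Per-role baseline (assumed values). In practice these are derived from
# each role's historical activity: working hours and the largest export
# size that is normal for the job function.
ROLE_BASELINE = {
    "nurse": {"hours": (6, 22), "max_export_rows": 0},
    "physician": {"hours": (6, 22), "max_export_rows": 0},
    "billing": {"hours": (8, 18), "max_export_rows": 500},
    "contractor": {"hours": (8, 18), "max_export_rows": 0},
}
FAILED_LOGIN_LIMIT = 5        # failures per user inside the window
FAILED_LOGIN_WINDOW_S = 600   # sliding window, seconds


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, user, role, action, *rest = line.split()
    details = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "details": details}


def detect(log_text: str) -> list:
    """Return sorted (user, finding) pairs for events outside the role baseline."""
    findings = set()
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        base = ROLE_BASELINE.get(ev["role"])
        if base is None:
            findings.add((ev["user"], "unknown role"))
            continue
        start, end = base["hours"]
        if not start <= ev["ts"].hour < end:
            findings.add((ev["user"], "off-hours activity"))
        if ev["action"] == "export":
            rows = int(ev["details"].get("rows", 0))
            if rows > base["max_export_rows"]:
                findings.add((ev["user"], f"large export ({rows} rows)"))
        if ev["action"] == "login_failed":
            recent = failures[ev["user"]]
            recent.append(ev["ts"])
            # drop failures that fell out of the sliding window
            recent[:] = [t for t in recent
                         if (ev["ts"] - t).total_seconds() <= FAILED_LOGIN_WINDOW_S]
            if len(recent) >= FAILED_LOGIN_LIMIT:
                findings.add((ev["user"], "repeated failed logins"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in detect(SAMPLE_LOG):
        print(f"{user}: {finding}")
```

On the constructed input the 40-row export by billing during working hours produces nothing, while the 9,000-row export at 22:41 is reported twice over (size and time of day), which is the kind of corroborating signal that separates a misconfigured report from a likely data theft. Real deployments would replace the static baseline with per-user history and feed findings into the alerting pipeline rather than printing them.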
Preparing for AI-Driven Attacks
AI is not only a tool for defenders but also a force multiplier for attackers. Healthcare organizations should anticipate AI-generated phishing campaigns that are nearly indistinguishable from legitimate communications, or brute-force credential attacks executed at unprecedented speed. Defensive tools that leverage AI for anomaly detection, behavior analytics, and automated response can help close the widening speed gap between attackers and defenders.
Cybersecurity as a Patient Safety Priority
Cybersecurity in healthcare is more than a regulatory or financial concern. It is integral to patient safety. A ransomware attack that disables access to EHRs or imaging systems can delay critical diagnoses and treatment. A breach that exposes personal and medical histories undermines trust between patients and providers.
The sector’s growing exposure to identity-based threats, compounded by AI-driven attack methods, demands a shift in strategy. Healthcare leaders must treat cybersecurity not as an IT project but as a core component of clinical resilience.
By strengthening identity protections, validating application workflows, managing data exposure, and preparing for AI-enabled adversaries, healthcare organizations can protect not only their bottom line but also the well-being of the patients who rely on uninterrupted care.