    In 2025, patients are in the healthcare cybersecurity crosshairs

    Three reports released this week show that supply chain cyberattacks were the most likely to disrupt care delivery, with cloud account compromises emerging as the most prevalent threat to healthcare organizations.

    Findings from new cybersecurity reports this week highlight the type and impacts of escalating cyberthreats against U.S. healthcare organizations and their business partners.

    The reports – one from the Health Information Sharing and Analysis Center and two from security research firms the Ponemon Institute and Comparitech – show that cyberattacks continue to directly disrupt patient care and lead to serious clinical consequences. The attacks are becoming more frequent and more costly.

    But there is some good news, researchers show. Providers and health technology companies can help mitigate the risks by addressing employee negligence and filling leadership gaps. And embedding artificial intelligence into cybersecurity is helping to improve cyber defenses and sometimes alleviates strained security budgets.

    The new reports also include data about the highest rates of breaches and the most prolific threat actors, including SafePay, INC and Qilin, and spotlight some common vulnerabilities being actively exploited in clinical infrastructure networks.

    “This year’s findings are a wake-up call for the healthcare industry; the root cause of many incidents lies in human factors – negligence, insider risk and gaps in cyber awareness,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “Cyberattacks are now routinely affecting patient safety, and while security spending is up, many organizations still lack clear leadership and internal expertise to meet the challenge.”

    Rising costs, care disruptions

    While Q3 of this year showed a decrease in overall ransomware incidents when compared to the previous quarter, ransomware events have seen a consistent upward trend over previous years.

    Health-ISAC said Wednesday in its third-quarter threat insight report for members that it expects 2025 to surpass 2024 in both healthcare and total breaches across sectors, with 4,040 incidents recorded in the first half of the year and another 1,930 recorded in Q3. The health sector saw a total of 394 cyber breaches through the end of September.

    The organization said it issued 359 targeted alerts specific to its members with vulnerable infrastructure to help those teams mitigate exploits and actively exploited vulnerabilities.

    The fourth annual joint healthcare survey report from cybersecurity and compliance company Proofpoint and the Ponemon Institute said ransomware, cloud compromise, supply chain and business email compromise (BEC) attacks increased the number of patient care disruptions this year.

    Most organizations surveyed – 93% – experienced an average of 43 cyberattacks in the past 12 months, according to the Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2025 report, also released on Wednesday.

    Cyberattacks that caused patient care disruptions increased by 3% this year, affecting 72% of healthcare organizations experiencing cyberattacks, up from 69% last year, based on a final sample of 677 surveys completed by IT security practitioners in U.S. healthcare organizations.

    “This disruption had severe clinical consequences: 54% reported increased medical procedure complications, 53% reported longer patient stays, and 29% reported a rise in mortality rates as a direct result,” Proofpoint and Ponemon said in the report.

    Supply chain, BEC and cloud attacks all posed major threats to patient safety, each causing specific care issues, but supply chain attacks were the most likely to affect patient care, with 87% of affected organizations reporting disruption, according to the survey data.

    BEC was most likely to cause delays in procedures and tests, resulting in poor outcomes (65%), while ransomware was most likely to result in longer lengths of stay (67%) and patient diversions (50%).

    Cloud account compromises were the most prevalent threat, with 72% of organizations affected, according to the report, and 61% reporting increased complications in procedures.

    While cyberattack frequency is high, Ponemon’s survey also found ransomware payments increasing this year.

    The average cost of the most significant healthcare cyberattack so far in 2025 decreased to $3.9 million compared to last year, Proofpoint and Ponemon said.

    However, ransomware remains a major financial threat, with 33% of victims surveyed indicating that their organizations paid a ransom, and the average payment increased to $1.2 million, up from $1.1 million in 2024.

    October is Cybersecurity Awareness Month, and that offers “an ideal opportunity to highlight the healthcare industry’s unique security risks, in particular the dual threat we collectively face from the highly valuable patient data held in our health IT systems, as well as the critical dependencies that directly impact patient care,” according to a statement this past week from the HIMSS EHR Association’s Privacy & Security Workgroup.

    “Health data is a top target for nefarious actors, and a single cyber incident can cause lasting harm by disrupting operations, delaying treatments and jeopardizing lives,” said EHRA leaders, noting that, to reduce the industry’s risk profile, the trade group “advocates for stronger protections and realistic, risk-based implementations of security safeguards that enhance resilience without overwhelming resource-constrained hospitals, health systems and other provider organizations.”

    Third-party attacks still increasing

    When asked to name the top six cybersecurity threats their organizations were most concerned about, 29% of respondents in the latest annual Ponemon survey cited third-party data misuse.

    Interestingly, Comparitech said in its latest global healthcare sector ransomware report, also released on Wednesday, that attacks on healthcare businesses rose by 30% in 2025.

    The research firm said it evaluates confirmed ransomware attacks, based on public disclosures and acknowledgments that match ransomware group claims, and also unconfirmed attacks.

    There were 293 ransomware attacks on hospitals, clinics and other direct care providers in the first three quarters of the year, according to the firm’s count, with U.S. providers experiencing the overwhelming majority of these, followed by Australia (attacks on the country’s providers increased by 83%), Germany and the United Kingdom.

    The U.S. also tops the list for another 130 attacks on health sector business partners, including pharmaceutical/medical manufacturers, medical billing providers and health tech companies, followed distantly by Italy and India.

    More than 7.4 million records were known to have been breached in confirmed provider attacks globally, with an average ransom demand of $514,000, Comparitech found. More than 6 million records in confirmed third-party business attacks globally on the healthcare sector had an average ransom demand of $532,000, according to the report.

    Last year, the healthcare sector experienced the most third-party attacks.

    On the report’s list of top five ransom demands, a Rhysida ransomware-as-a-service (RaaS) threat actor demanded $1.15 million for the July attack on Cookeville Regional Medical Center, which caused a technical outage that lasted for several days, while the Medusa ransomware group put a $1 million price tag on 213GB of allegedly stolen data in an attack on SimonMed Imaging U.S. operations in January.

    Interlock has breached the most patient records from healthcare providers, at 2,735,407, though Qilin is claiming it stole the most data, more than 11TB, with 8TB from the thwarted Oct. 3 attack on Israel’s Shamir Medical Center, Comparitech said. That ransomware group, responsible for an attack on blood suppliers last year, has reportedly demanded $700,000 for the data to be deleted from its leak site, the firm said.

    Targeting clinical apps, endpoint security

    The most common themes facing Health-ISAC members include open and exposed databases, exposed remote access tools, vulnerable Citrix NetScaler infrastructure and active exploitation of Cisco Adaptive Security Appliances (ASAs).

    “NetScaler [Application Delivery Controller] and NetScaler Gateway (secure remote access) are widely used in the health sector to manage and secure access to critical clinical applications, especially those hosted via Citrix Virtual Apps and Desktops, such as electronic health records,” said Health-ISAC. “Reliance on NetScaler for critical data access means that vulnerabilities in the platform pose a significant risk to healthcare operations and patient data.”

    Of note, just before the U.S. government shutdown on Sept. 29, Health-ISAC learned that vulnerabilities affecting Cisco ASA 5500-X Series devices are now being actively exploited: CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363.

    These vulnerabilities exist in most member environments, according to the report, and an unauthenticated threat actor who exploits them successfully can gain access to endpoints beyond the firewall and execute arbitrary code.

    The report ends with a profile of SafePay, a closed collective rather than a ransomware-as-a-service group with affiliates, which has become a highly aggressive and prolific threat actor since it emerged last year.

    “Since the beginning of their operations, the group has systematically targeted a diverse range of organizations within the health sector, from digital health solution providers to hospitals.”

    Comparitech’s report included the group in its list of the most prolific ransomware strains with the highest number of claims against healthcare companies, just behind INC (which reportedly sold its ransomware source code in hacking forums last year and may be linked to SafePay) and Qilin and followed by RansomHub and Medusa.

    Use of AI up, challenges persist

    Proofpoint and Ponemon noted that insider risk and human negligence are also driving patient data loss and care disruption.

    Of those surveyed, 96% of organizations experienced at least two incidents of data loss/exfiltration involving sensitive data over the past two years, with an average of 18 incidents per organization. Respondents cited employee failure to follow policies (35%) and employees unintentionally sending protected data to the wrong recipient by email (25%) as causes.

    More than half of respondents (55%) said data loss incidents disrupted patient care, and of those, 54% saw increased mortality rates.

    On the plus side, budget concerns are a declining barrier as more than half of Ponemon’s responding organizations (57%) said they are embedding AI in security, with the majority of those (55%) reporting that they find the assistive technology very effective in improving cybersecurity postures.

    Of note, 60% also said they struggle to protect sensitive data used by AI systems.

    Health IT security professionals continue to indicate a persistent lack of expertise (43%) and leadership (40%) as primary barriers to an effective cybersecurity posture.

    Andrea Fox is senior editor of Healthcare IT News.
    Healthcare IT News is a HIMSS Media publication.