While the rate of cyberattacks on hospitals has risen dramatically, the severity of the impacts has also grown exponentially. Let’s look at the state of cyber and physical threats in 2025 as well as the opportunities for progress across the health care sector. Hospitals and health systems are learning to better prepare for cyberattacks and maintain clinical continuity and business resiliency during prolonged outages.
1. The Demand for Health Care Records Will Continue
The Cyber Onslaught: Where Do We Stand So Far in 2025?
In late January of this year, we learned that last year’s ransomware attack against UnitedHealth Group subsidiary Change Healthcare exposed the health data of 190 million people — up from previous reports of 100 million. By the end of 2024, 259 million Americans’ health care records had been stolen in part or full (including those through the Change attack).
According to the breach notices filed with the U.S. Department of Health and Human Services Office of Civil Rights1, since 2020 over 500 million individuals — more than the U.S population — have had their health care records stolen or compromised at least once. You would think the market for health care data would be saturated and the bad actors would find little value in continuing their attacks. That thinking would be mistaken. As patients’ health records continue to be updated, so does the data that’s of interest to hackers.
There are two markets for health care records: nation-state and criminal.
Health Care Data Has Tremendous Intelligence Value for the Nation-State Market
Health care records offer the intelligence services of hostile nations — including Russia, North Korea, Iran and China — a treasure trove of data on Americans. These nations go after information on top government officials, top military leaders, law enforcement leaders, federal agents, people involved in sensitive research and intellectual property, and corporate CEOs. They build databases on these Americans’ health conditions, their family members and other contacts, their travels, where they serve, their rank, making these targets susceptible to compromise today and in the future, as in the case of someone who gains a prominent position five years from now.
Health Care Data Is Still Lucrative for the Criminal Market
Cybercriminals use records to commit financial crimes such as using stolen identities to gain access to bank accounts or creating false credit histories. According to analysis by Kroll, a stolen health care record can be worth as much as $1,000 on the black market, making health records far more valuable than financial records. Health care also suffered more breaches than the financial sector last year.
Criminals also hold data for ransom, with the threat of publishing it on the dark web or internet. This is called data extortion. The health care ransomware victim is pressured to pay to obtain the decryption key to unlock the victim organization’s systems, and then again to pay the ransom to keep the patient data from being publicly exposed.
2. The Use of AI Will Accelerate, Driven by Geopolitical Tensions
We’re in the early stages of an AI-fueled arms race, with the bad guys using AI to launch cyberattacks and the good guys using it to defend against those cyberattacks. The level of threat from the cyberattacks will be determined by the geopolitical situation and the approaches the current administration takes in dealing with hostile nation-states and, by proxy, the criminal groups that are provided safe harbor by those nations.
The main geopolitical tensions contributing to this AI cyber war include:
- The war in Ukraine.
- The situation in the Mideast — the Gaza Strip and, by extension Iran, which has a significant cyber offensive capability.
- North Korea’s use of funding from cybercrime (such as the ransoms hospitals paid to the Maui ransomware group) to build its illegal nuclear weapons program and advance its national security objectives.
- Malware from China, which has been found deeply embedded in our critical infrastructure, including water, internet service and telecommunications networks. If China chooses to invade Taiwan, China is poised to detonate that malware — causing massive infrastructure destruction intended to blunt our response. China is our No. 1 cyberthreat.
3. Here’s the Good News: Now That We’re Aware, We Can Prepare to Maintain Continuity of Care
Having witnessed the impact of cyberattacks on clinical processes, building management systems and business operations, the health care field has learned ways to better prepare for future attacks.
- Never before has there been such a robust exchange of cyberthreat intelligence between the government and the private sector, including the health care field. We’re taking a “whole of nation” approach — cooperating to defend against a common threat — just as we did after 9/11.
- The field of cybersecurity has seen some positive technological developments. Experts are using AI to understand how adversaries are penetrating our networks, and they’re developing more effective tools, more quickly, to counter adversaries’ tactics, techniques and procedures.
- Hospitals are now focusing on emergency preparedness — meaning they’re not just focusing on technical defenses to prevent an attack, but also considering how to prepare a response, step-by-step, to maintain clinical continuity. How will they continue to deliver safe and quality care, department by department, function by function, for 30 days or longer?
This planning also entails ensuring their third-party providers are prepared. We know that when business associates, medical device providers and supply chain vendors get hit through insecure technology or an insecure supply chain, hospitals and patients get hit, too. After a recent blood-supply attack, my colleague Scott Gee and I helped the blood community explore downtime procedures, such as how to get around the internet connection that runs the machine that prints the critical labels that go on blood units.
Consider requesting the AHA’s Clinical Continuity of Care Assessment to evaluate your hospital’s readiness to maintain critical clinical and operational functions during a cyberattack and gain practical recommendations.
- Beyond medical technology, there is operational technology. Hospitals must account for the physical impact of a foreign-based cyberattack on their buildings and building management systems, and therefore on security and safety. With everything internet-connected, what happens if operational technology goes down? Below are just some of the impact points:
- Lighting and climate control. Think of the repercussions to your operating rooms.
- Access control. Doors go to the default setting of locked or unlocked.
- Video surveillance, fire alarms and intrusion alarms. Losing access compromises safety.
- Voice over Internet Protocol phones. Staff can’t call critical assistance like police or fire department.
- Computer-controlled elevators. Their default setting is that the elevator goes to the first floor and the doors open, rendering them unusable.
Physical threats also entail the domestic threat of U.S. residents directing misinformed anger at the health care sector. With the murder of the UnitedHealth Group’s CEO Brian Thompson in New York City, there has been a tremendous increase in online vitriol directed at health care and insurance leaders. Hospitals now know that detecting these threats before they escalate into physical action requires thorough online, open-source monitoring.
For help in protecting your patients and operations from physical threats and cyberattacks, check out the trusted providers with vetted services participating in the AHA Preferred Cybersecurity & Risk Provider Program.
Additional Support for Your Security Efforts from the AHA’s Cybersecurity and Risk Experts
Our team offers a wide variety of strategic cybersecurity and risk advisory services to assist AHA members, many of which are included with your AHA membership.
We are also available anytime, including after hours, at no cost should your AHA-member organization need urgent assistance, guidance or introduction to trusted government contacts as the result of a cyber or risk incident.
