
Hospital Networks are Becoming Targets in Cyberwarfare, and They’re Unequipped to Deal With It

The question facing hospital cybersecurity leaders today is no longer whether they will be collateral damage in a broader war; it’s how to reckon with adversaries who will target healthcare for ideological or political reasons — hackers may not have any particular interest in quick resolutions. 

In March, a major cyberattack hit Stryker, one of the world’s largest medical technology companies. The group that claimed responsibility, Handala, is linked to Iran, and the hackers were explicit about their reasoning: the attack was retaliation for U.S. military strikes on Iranian targets. A healthcare company was chosen deliberately as a target in an active military conflict.

That simple motivation is what makes this incident worth pondering. State-linked cyberattacks are nothing new, and healthcare has been in their crosshairs before. What has changed, however, is the sheer brazenness of it. 



The cold logic behind targeting healthcare

The commercial incentives for targeting healthcare with cyberattacks are well known: hospitals hold large stores of valuable records, they operate under a level of pressure that incentivizes fast ransom payments, and their security teams are under-resourced and stretched thin.

But this sector makes an attractive target for state-aligned actors simply because it’s an effective military strategy. Hospitals are civilian infrastructure with a direct bearing on national resilience. Disable them and you unnerve public morale, overwhelm emergency capacity, and generate the kind of civilian pressure that makes sustained conflict politically costly. 

The complication for security teams is that states and hacking groups frequently operate arm in arm, though not openly. Hostile governments covertly back organized criminal infrastructure to conduct cyber operations precisely because it provides plausible deniability. 


A ransomware group can appear financially motivated while operating with state resources or protection. North Korea’s Maui ransomware campaign is a good example. Active since at least 2021, the campaign targeted U.S. hospitals and healthcare systems, encrypting records, diagnostics, and imaging services. A North Korean government hacker was later indicted for the attacks.

For hospital security leaders, this changing reality means the incident response processes that were built to address financially motivated adversaries need revisiting. Ransomware gangs want a resolution, because prolonged downtime costs them leverage; hackers looking to steal data likely don’t care either way. A geopolitically motivated actor may want exactly the opposite: the longer the disruption lasts, the better it serves their goal.

The target is not just hospital security, it’s the entire supply chain

Part of what makes this threat model effective is that indirect attacks can be just as damaging, if not more so. Modern hospital networks are complex and have multiple external dependencies — pathology providers, device manufacturers, cloud platforms, and payment processors all have a direct effect on operations. Breaching any part of the supply chain can produce consequences inside hospitals that the hospital’s own security controls have no ability to prevent or address.

Such supply chain vulnerabilities have already been exploited. In June 2024, a ransomware group called Qilin attacked Synnovis, a pathology services provider for several major London hospitals. The hospitals themselves weren’t breached, but because Synnovis processed roughly 100,000 blood tests a day, the downstream consequences were immediate across the greater London area. Blood transfusions were disrupted, test results stopped flowing, and operations were canceled. In at least one case, a patient was pulled from the table moments before open-heart surgery because the blood bank system was down.

The Qilin ransomware cybercrime gang is said to operate freely from within Russia. The former head of the U.K.’s National Cyber Security Centre stated that the group was unlikely to have known they would cause such severe healthcare disruption, and that they were mainly looking for a ransom. 

But within weeks of the attack, Qilin justified the operation to the BBC as a form of political protest, revenge for the U.K.’s involvement in an undisclosed war. 

A year later, it emerged that a patient had died during the attack, partly due to delays in blood test results.

That’s the stark reality facing hospitals today. Even if we assume, generously, that Qilin didn’t fully anticipate the full impact of their attack, the result was a gridlocked hospital system and a patient casualty. 

A state-sponsored group that does understand the importance of its target, and attacks those dependencies on purpose, wants such outcomes from the start.

What hospitals need to do differently

The examples above point to the same operational gap: most hospital cybersecurity systems were built to respond to a different kind of threat actor. Perimeter defense, patching cycles, and compliance reporting are often designed with financially motivated adversaries in mind, or are meant to safeguard patient or hospital data from thieves. That model needs updating.

To properly protect against politically motivated actors, hospitals must reevaluate their security stance as it relates to third-party dependencies. Security teams need a clear picture of which external relationships, if disrupted, would hamper care delivery, and what IT operations could look like without them.

Continuity planning needs a similar rethink. Most downtime planning assumes systems will be unavailable for hours, but a committed threat actor with more sinister motivations, especially during wartime, could take systems down for days. Clinical and operational leadership need to get ahead of such scenarios. When systems go down in a real incident, the people responsible for patient safety must have a plan for maintaining patient care.
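The two gaps above, knowing which third-party dependencies would hamper care delivery and planning for outages measured in days rather than hours, can be reasoned about together with a simple dependency inventory. The following is an added example, not from the article or from Health-ISAC: every service, vendor and workaround below is a constructed placeholder modeled loosely on the pathology-provider scenario described earlier, and the hour figures are illustrative assumptions, not measured values.

```python
"""Toy third-party dependency and downtime-tolerance model for a hospital.

Added example, not from the article. All vendor and service names are
constructed placeholders; `sustain_hours` values are assumptions meant to
show the method, not real continuity data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fallback:
    method: str          # manual or alternative workaround if the vendor is lost
    sustain_hours: int   # how long staff can realistically run on that workaround


@dataclass
class ClinicalService:
    name: str
    # vendor -> Fallback, or None when no workaround exists at all
    depends_on: dict


# Constructed inventory: which clinical functions rely on which outside vendors.
SERVICES = [
    ClinicalService("blood transfusion", {
        "pathology-lab": None,                              # no fallback at all
        "ehr-cloud": Fallback("paper requisitions", 24)}),
    ClinicalService("emergency triage", {
        "ehr-cloud": Fallback("downtime forms", 72),
        "imaging-vendor": Fallback("portable ultrasound", 48)}),
    ClinicalService("elective surgery", {
        "pathology-lab": None,
        "sterilisation-contractor": Fallback("in-house autoclave", 12),
        "ehr-cloud": Fallback("paper records", 24)}),
    ClinicalService("outpatient billing", {
        "payment-processor": Fallback("defer invoicing", 240)}),
]


def services_halted(vendor: str, outage_hours: int, services=SERVICES) -> list[str]:
    """Services that cannot continue if `vendor` is unavailable for `outage_hours`.

    A service halts when it has no fallback for that vendor, or when its
    fallback cannot be sustained for the whole outage.
    """
    halted = []
    for svc in services:
        if vendor not in svc.depends_on:
            continue
        fallback = svc.depends_on[vendor]
        if fallback is None or fallback.sustain_hours < outage_hours:
            halted.append(svc.name)
    return sorted(halted)


def single_points_of_failure(outage_hours: int, services=SERVICES) -> dict[str, list[str]]:
    """Vendors whose loss for `outage_hours` halts at least one service, largest blast radius first."""
    vendors = sorted({v for svc in services for v in svc.depends_on})
    impact = {v: services_halted(v, outage_hours, services) for v in vendors}
    ranked = sorted(impact.items(), key=lambda kv: -len(kv[1]))
    return {v: halted for v, halted in ranked if halted}


if __name__ == "__main__":
    # Compare a "hours" assumption with a "days" assumption for the same inventory.
    for hours in (4, 96):
        print(f"\nOutage lasting {hours}h:")
        for vendor, halted in single_points_of_failure(hours).items():
            print(f"  {vendor}: halts {', '.join(halted)}")
```

Running the same inventory at 4 hours and at 96 hours makes the article’s point concrete: a vendor that looks survivable under a short-outage assumption (here the EHR platform, covered by paper processes for a day) becomes the largest single point of failure once the planning horizon is stretched to several days.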

The third gap is intelligence. Generic cybersecurity feeds cover the landscape broadly, but aren’t built to surface the specific threat actor behaviors, attack patterns, and vendor vulnerabilities that matter to healthcare. Sector-specific information sharing networks exist to close that gap, providing early warning and peer experience from organizations that have already navigated these incidents. A hospital without access to that information sharing community is likely to make decisions with significantly less information than it could have.

Lastly, it’s important to revisit the basics of security. When done well, a robust security system that covers the technicals properly will be well-positioned to defend against all kinds of attacks and motivations, regardless of who the threat actor is or what they are targeting. 

Beyond strengthening their own security posture, security teams can’t close all of these gaps on their own. Dependency mapping, continuity planning, and intelligence access are operational and governance matters. They require decisions that only executive and board-level leadership can make.

The stakes are already clear

The recent Stryker attack and the Synnovis case in 2024 are real examples of healthcare infrastructure being used to create real harm during conflict, and patients ended up paying the price.

Healthcare has spent years building the digital ecosystem that makes modern care possible. Every nation-state with a strategic reason to apply pressure, whether the conflict is active today or not, has that infrastructure on its list of targets.

The healthcare industry needs to reckon with that threat directly, at the leadership level, and reject the comfort of assuming it won’t happen to them.


Errol Weiss joined Health-ISAC in 2019 as its first Chief Security Officer and created a threat operations center headquartered in Orlando, Florida to provide meaningful and actionable threat intelligence for IT and infosec professionals in the healthcare sector.

Errol has over 25 years of experience in Information Security beginning his career with the National Security Agency (NSA) conducting penetration tests of classified networks. He created and ran Citigroup’s Global Cyber Intelligence Center and was a Senior Vice President Executive with Bank of America’s Global Information Security team.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.