In his latest American Hospital Association (AHA) Cyber Intel blog, John Riggi, AHA national advisor for cybersecurity and risk, examines the state of cyber and physical threats in 2025 as well as the opportunities for progress across the health care sector. He explains the ways in which hospitals and health systems are learning to better prepare for cyberattacks and maintain clinical continuity and business resiliency during prolonged outages.
1. The Demand for Health Care Records Will Continue
The Cyber Onslaught: Where Do We Stand So Far in 2025?
In late January of this year, we learned that last year’s ransomware attack against UnitedHealth Group subsidiary Change Healthcare exposed the health data of 190 million people — up from previous reports of 100 million. By the end of 2024, 259 million Americans’ health care records had been stolen in part or in full (including those taken in the Change attack). This, sadly, is a new record, one far exceeding the previous record set just last year of 138 million Americans having their health records stolen through hacks. The most significant hacking threats originate primarily, but not exclusively, from Russia, China, North Korea and Iran — and those nations often provide safe harbor for the hackers operating from their territories.
According to the breach notices filed with the U.S. Department of Health and Human Services Office for Civil Rights, since 2020 over 500 million individuals — more than the U.S. population — have had their health care records stolen or compromised at least once. You would think the market for health care data would be saturated and the bad actors would find little value in continuing their attacks. That thinking would be mistaken. As patients’ health records continue to be updated, so does the data that’s of interest to hackers.
There are two markets for health care records: nation-state and criminal.
Health Care Data Has Tremendous Intelligence Value for the Nation-State Market
Often overlooked is the fact that the health care records of Americans contain valuable data points that are of interest and value to hostile foreign intelligence services — including Russia, North Korea, Iran and China. Health care records offer a treasure trove of data on Americans, data that could be exploited by foreign intelligence services. Examples of this data include their personally identifiable information, contact information, occupations and medical conditions. These nations may target the health information of persons of interest in the government, the military and the private sector alike. The information could be leveraged for potential intelligence collection activities or compromise, currently and in the future. Hacked health information will have lasting intelligence value, as in the case of someone who gains a prominent position with a security clearance five years from now.
Health Care Data Is Still Lucrative for the Criminal Market
Cybercriminals use hacked health care records to commit financial crimes such as health care fraud, including fraudulent billing of health insurance providers. They also use the stolen personally identifiable information contained in health care records to gain access to individual bank accounts, or apply for fake loans and credit cards. According to analysis by Kroll, a health care record can be worth as much as $1,000 on the black market, making health records far more valuable than stolen credit card numbers or other financial records. The primary reason for this is that health care records have enduring value. Unlike a credit card number, a patient cannot change their health care records. For example, a patient cannot change their diagnosis or an image from a CT scan if they have been compromised. These factors contributed to the health care sector suffering more breaches than the financial sector last year.
Often hackers steal data not with the intent to sell it or use it for other crimes, but to hold it for ransom. They threaten to publish the data on the dark web or sell it to other criminals unless a ransom is paid by the hacked victim organization. This is called data extortion and we are seeing this trend continue and perhaps increase in 2025.
Most concerning is the continuation of cross-border ransomware attacks targeting health care providers and health care mission-critical third-party services, technology and supply chain. Ransomware is a type of malware that encrypts data, files and systems, often forcing targeted organizations to shut down their internal computer networks and disconnect from the internet. The ensuing loss of access to on-premises and cloud-based information, medical and operational technologies has caused significant disruption and delay to health care delivery, resulting in a risk to patient and community safety.
Encryption-type ransomware attacks are often accompanied by data theft and data extortion attacks as well. The foreign ransomware groups, primarily Russian-speaking, pressure the victims to pay a ransom for a decryption key to unlock the victim organization’s systems, and then again to pay a second ransom to keep the patient data from being publicly exposed.
2. The Use of AI Will Accelerate, Driven by Geopolitical Tensions
We’re in the early stages of an artificial intelligence-fueled arms race, with the bad guys using AI to launch cyberattacks and the good guys using it to defend against those cyberattacks. The level of threat from the cyberattacks will be significantly influenced by the geopolitical situation and the approaches the current administration takes in dealing with hostile nation-states and, by proxy, the criminal groups that are provided safe harbor by those nations.
The main geopolitical tensions contributing to this AI cyber war include:
- The war in Ukraine.
- The situation in the Mideast — the Gaza Strip and, by extension, Iran, which has a significant offensive cyber capability.
- North Korea’s use of funding from cybercrime (such as the ransoms hospitals paid to the Maui ransomware group) to build its illegal nuclear weapons program and advance its national security objectives.
- Malware from China, which has been found deeply embedded in our critical infrastructure, including water, internet service and telecommunications networks. According to the federal government, if China chooses to invade Taiwan, China is poised to detonate that malware — causing massive infrastructure disruption and societal chaos intended to blunt our response to defend Taiwan. The Chinese government remains our No. 1 strategic cyberthreat.
3. Here’s the Good News: Now That We’re Aware, We Can Prepare to Maintain Continuity of Care
Having witnessed and battled the impact of cyberattacks on clinical processes, building management systems and business operations, the health care field has learned ways to better prepare for future attacks.
- Never before has there been such a robust exchange of cyberthreat intelligence between the government and the private sector, including the health care field. We’re taking a “whole of nation” approach — cooperating across the field, with other sectors, with other nations and the government to defend against a common threat — just as we did after 9/11.
- The field of cybersecurity has seen some positive technological developments. Experts are using AI to understand how adversaries are penetrating our networks, and they’re developing more effective tools, more quickly, to counter adversaries’ tactics, techniques and procedures.
- Hospitals are now focusing on emergency preparedness — meaning they’re not just focusing on technical defenses to prevent an attack, but also considering how to prepare a response, step by step, to maintain clinical continuity. How will they continue to deliver safe and quality care, department by department, function by function, for 30 days or longer? As has been said for years, “It’s not a matter of if, but when” we experience a cyberattack. In 2025, the question needs to be more to the point: “When we are attacked, will we be ready?” Clinical continuity planning also entails ensuring that third-party providers are prepared. We know that when business associates, medical device providers and supply chain vendors get hit through insecure technology or an insecure supply chain, hospitals and patients get hit, too. After a 2024 blood supply ransomware attack that disrupted network-connected machines that print critical labels for blood units, my colleague Scott Gee and I helped the blood community and affected hospitals understand the nature of the threat and identify downtime procedures to help mitigate the impact.