Not only has the rate of cyberattacks on hospitals risen sharply, the severity of their impact has grown as well. Let’s look at the state of cyber and physical threats in 2025 as well as the opportunities for progress across the health care sector. Hospitals and health systems are learning to better prepare for cyberattacks and to maintain clinical continuity and business resiliency during prolonged outages.

1. The Demand for Health Care Records Will Continue

The Cyber Onslaught: Where Do We Stand So Far in 2025?

In late January of this year, we learned that last year’s ransomware attack against UnitedHealth Group subsidiary Change Healthcare exposed the health data of 190 million people, up from previous reports of 100 million. By the end of 2024, 259 million Americans’ health care records had been stolen in part or in full (including those taken in the Change attack). This, sadly, is a new record, far exceeding the previous record of 138 million Americans whose health records were stolen through hacks the year before. The most significant hacking threats originate primarily, but not exclusively, from Russia, China, North Korea and Iran, and those governments often provide safe harbor for the hackers to operate from their territories.

According to the breach notices filed with the U.S. Department of Health and Human Services Office for Civil Rights (OCR)[1], since 2020 over 500 million individual records have been reported stolen or compromised. That figure exceeds the U.S. population because many people have been affected more than once. You would think the market for health care data would be saturated and the bad actors would find little value in continuing their attacks. That thinking would be mistaken. As patients’ health records continue to be updated, so does the data that’s of interest to hackers.
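The OCR breach portal cited above offers a CSV export of every reported breach, and the figures in this section are the kind of aggregate a security team can reproduce from it. The script below is an added example, not code from the AHA or from HHS: it parses a constructed sample in the export’s layout (the column names are assumed from the portal’s export function and should be checked against a real download; the entities and counts are made up), totals individuals affected per year, and separates the “Hacking/IT Incident” category. Because the portal counts individuals per breach, the totals are records, not distinct people, which is exactly why the cumulative figure can exceed the population.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the assumed layout of the OCR breach portal CSV export.
# Column names are an assumption (verify against the real export); the
# entities and numbers are invented for illustration only.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present,Web Description
Example Health System,OH,Healthcare Provider,1200000,03/14/2024,Hacking/IT Incident,Network Server,No,
Example Clearinghouse,TN,Business Associate,100000000,07/19/2024,Hacking/IT Incident,Network Server,Yes,
Example Clinic,TX,Healthcare Provider,3500,11/02/2024,Unauthorized Access/Disclosure,Email,No,
Example Insurer,NY,Health Plan,45000,02/05/2023,Theft,Laptop,No,
Example Clearinghouse,TN,Business Associate,90000000,01/24/2025,Hacking/IT Incident,Network Server,Yes,
"""

HACKING = "Hacking/IT Incident"


def parse_breaches(csv_text):
    """Parse the export text into a list of normalized breach records."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        # Some exports format counts with thousands separators; strip them.
        count = (r["Individuals Affected"] or "0").replace(",", "").strip()
        rows.append({
            "entity": r["Name of Covered Entity"].strip(),
            "individuals": int(count),
            "date": datetime.strptime(r["Breach Submission Date"].strip(), "%m/%d/%Y").date(),
            "type": r["Type of Breach"].strip(),
            "business_associate": r["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def individuals_by_year(rows, breach_type=None):
    """Sum individuals affected per submission year, optionally for one breach type.

    Note: this counts individuals per breach, so a person hit twice counts twice.
    """
    totals = defaultdict(int)
    for r in rows:
        if breach_type is None or r["type"] == breach_type:
            totals[r["date"].year] += r["individuals"]
    return dict(totals)


def hacking_share(rows, year):
    """Fraction of a year's affected individuals attributable to hacking incidents."""
    year_total = individuals_by_year(rows).get(year, 0)
    hacks = individuals_by_year(rows, HACKING).get(year, 0)
    return hacks / year_total if year_total else 0.0


def total_since(rows, start_year):
    """Cumulative individuals affected from start_year onward (records, not distinct people)."""
    return sum(r["individuals"] for r in rows if r["date"].year >= start_year)


if __name__ == "__main__":
    breaches = parse_breaches(SAMPLE_CSV)
    for year, n in sorted(individuals_by_year(breaches).items()):
        print(f"{year}: {n:,} individuals affected, "
              f"{hacking_share(breaches, year):.1%} from hacking")
    print(f"Cumulative since 2020: {total_since(breaches, 2020):,}")
```

To use it on real data, download the portal’s CSV, read the file into `parse_breaches`, and compare the per-year hacking totals with the figures quoted above; if the column headers differ from the assumed ones, adjust the keys in `parse_breaches`.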

There are two markets for health care records: nation-state and criminal.

Health Care Data Has Tremendous Intelligence Value for the Nation-State Market

Often overlooked is the fact that the health care records of Americans contain data points of real value to hostile foreign intelligence services, including those of Russia, North Korea, Iran and China. Examples include personally identifiable information, contact information, occupations and medical conditions. These nations may target the health information of persons of interest in the government, the military and the private sector alike, and the information can be leveraged for intelligence collection or compromise both now and in the future. Hacked health information has lasting intelligence value, as in the case of someone who gains a prominent position with a security clearance five years from now.

Health Care Data Is Still Lucrative for the Criminal Market

Cybercriminals use hacked health care records to commit financial crimes such as health care fraud, including fraudulent billing of health insurance providers. They also use the stolen personally identifiable information contained in health care records to gain access to individual bank accounts or to apply for fake loans and credit cards. According to analysis by Kroll, a health care record can be worth as much as $1,000 on the black market, making health records far more valuable than stolen credit card numbers or other financial records. The primary reason is that health care records have enduring value. Unlike a credit card number, a health care record cannot be reissued: a patient cannot change a diagnosis or a CT scan image once it has been compromised. These factors contributed to the health care sector suffering more breaches than the financial sector last year.

Often hackers steal data not with the intent to sell it or use it for other crimes, but to hold it for ransom. They threaten to publish the data on the dark web or sell it to other criminals unless the victim organization pays. This is called data extortion, and we expect the trend to continue and perhaps increase in 2025.

Most concerning is the continuation of cross-border ransomware attacks targeting health care providers and health care mission-critical third-party services, technology and supply chain. Ransomware is a type of malware that encrypts data, files and systems, often forcing targeted organizations to shut down their internal computer networks and disconnect from the internet. The ensuing loss of access to on-premises and cloud-based information, medical and operational technologies has caused significant disruption and delay to health care delivery, resulting in a risk to patient and community safety.

Encryption-type ransomware attacks are often accompanied by data theft and data extortion. The foreign ransomware groups, primarily Russian-speaking, pressure the victim to pay one ransom for a decryption key to unlock the organization’s systems, and then a second ransom to keep the patient data from being publicly exposed.

2. The Use of AI Will Accelerate, Driven by Geopolitical Tensions

We’re in the early stages of an artificial intelligence-fueled arms race, with the bad guys using AI to launch cyberattacks and the good guys using it to defend against those cyberattacks. The level of threat from the cyberattacks will be significantly influenced by the geopolitical situation and the approaches the current administration takes in dealing with hostile nation-states and, by proxy, the criminal groups that are provided safe harbor by those nations.

The main geopolitical tensions contributing to this AI cyber war include:

  • The war in Ukraine.
  • The situation in the Mideast: the Gaza Strip and, by extension, Iran, which has a significant offensive cyber capability.
  • North Korea’s use of funding from cybercrime (such as the ransoms hospitals paid to the Maui ransomware group) to build its illegal nuclear weapons program and advance its national security objectives.
  • Malware from China, which has been found deeply embedded in our critical infrastructure, including water, internet service and telecommunications networks. According to the federal government, if China chooses to invade Taiwan, it is poised to trigger that malware, causing massive infrastructure disruption and societal chaos intended to blunt our response in Taiwan’s defense. The Chinese government remains our No. 1 strategic cyberthreat.

3. Here’s the Good News: Now That We’re Aware, We Can Prepare to Maintain Continuity of Care

Having witnessed and battled the impact of cyberattacks on clinical processes, building management systems and business operations, the health care field has learned ways to better prepare for future attacks.

  • Never before has there been such a robust exchange of cyberthreat intelligence between the government and the private sector, including the health care field. We’re taking a “whole of nation” approach — cooperating across the field, with other sectors, with other nations and the government to defend against a common threat — just as we did after 9/11.
  • The field of cybersecurity has seen some positive technological developments. Experts are using AI to understand how adversaries are penetrating our networks, and they’re developing more effective tools, more quickly, to counter adversaries’ tactics, techniques and procedures.
  • Hospitals are now focusing on emergency preparedness — meaning they’re not just focusing on technical defenses to prevent an attack, but also considering how to prepare a response, step-by-step, to maintain clinical continuity. How will they continue to deliver safe and quality care, department by department, function by function, for 30 days or longer? As they have said for years, “It’s not a matter of if, but when” we experience a cyberattack. In 2025, the question needs to be more to the point: "When we are attacked, will we be ready?" 

    Clinical continuity planning also entails ensuring a hospital’s third-party providers are prepared. We know that when business associates, medical device providers and supply chain vendors get hit through insecure technology or an insecure supply chain, hospitals and patients get hit, too. After a 2024 blood supply ransomware attack disrupted the network-connected machines that print critical labels for blood units, my colleague Scott Gee and I helped the blood community and affected hospitals understand the nature of the threat and identify downtime procedures to mitigate the impact. 

    Consider requesting the Clinical Continuity Assessment to evaluate your hospital’s readiness to maintain critical clinical and operational functions during a cyberattack and gain practical recommendations.
     
  • Beyond medical and information technology, there is operational technology, which may directly or indirectly impact patient care. Hospitals must account for the resulting physical effects of a foreign-based cyberattack on their buildings and building management systems, which are now highly automated and network-dependent. With everything internet-connected, what happens if operational technology goes down? Security and safety of patients and staff quickly become a concern.

    Below are just some of the impact points:

    • Lighting and climate control. Think of the repercussions for your operating rooms.
    • Access control. When controllers lose connectivity, doors fall back to either a locked (fail-secure) or unlocked (fail-safe) state. Locked doors can trap staff and patients or block movement between units; unlocked doors expose restricted areas such as pharmacies and nurseries. Either way, physical security becomes a concern.
    • Video surveillance, fire alarms and intrusion alarms. Losing access compromises safety.
    • Voice over Internet Protocol phones may stop functioning. Staff may not be able to effectively respond to the attack, coordinate care and communicate with patients; fire and security systems may not be able to communicate with central monitoring stations and police and fire departments.
    • Computer-controlled elevators. Their default setting may send the elevator to the first floor and open the doors, rendering it unusable.

    Physical threats also entail the domestic threat of U.S. residents directing misinformed anger at the health care sector. With the high-profile murder of the UnitedHealth Group’s CEO Brian Thompson in New York City and the ongoing legal process, there has been a tremendous increase in online vitriol directed at health care and insurance leaders. Hospitals now know that detecting these threats before they escalate into physical action requires increased physical security, staff training and thorough online and open-source monitoring. 

    To help in protecting your patients and operations from physical threats and cyberattacks, we have assembled a network of trusted providers — with vetted services — participating in the AHA Preferred Cybersecurity & Risk Provider Program.
     

Additional Support for Your Security Efforts from the AHA’s Cybersecurity and Risk Experts

Our team offers a wide variety of strategic cybersecurity and risk advisory services to assist AHA members, many of which are included with your AHA membership.

We are also available anytime, including after hours, at no cost should your AHA-member organization need urgent assistance, guidance or introduction to trusted government contacts as the result of a cyber or risk incident.


[1] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
