Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

5 ways healthcare organizations can protect themselves from OSINT threats

Written by Gugu Ntsele | November 04, 2025

Heinl, Patapovas, and Pilgermann, in "Towards AI-enabled Cyber Threat Assessment in the Health Sector," found that from 2016 to 2022, 6,835 healthcare companies in the US were hit by ransomware. As Dr. Joshua Tepper, CEO of North York General Hospital, emphasized in "How hospitals can protect themselves from cyber attack," healthcare facilities face unique pressures: "We provide life and death services. For that reason, we're perceived as a high-value target."

MD Sazibur Rahman notes in "The Art of Open Source Intelligence (OSINT)" that OSINT can be defined as "the systematic collection, processing, and analysis of publicly available data to generate actionable intelligence," and that it currently accounts for 80–90% of intelligence activities in Western law enforcement and national agencies. Meanwhile, cybersecurity expert Mark Gaudet points out in "How hospitals can protect themselves from cyber attack" that "the main vector for attacks is people, through phishing or the more targeted spearphishing attacks," and that "ninety percent of breaches start with a person."

Here are the five strategies to reduce Open-Source Intelligence (OSINT) exposure:


1. Conduct regular OSINT audits

As noted in "Intelligence and global health: assessing the role of open source and social media intelligence analysis in infectious disease outbreaks," research shows that "GPHIN combined with human moderation improves detection rates by 53%, reinforcing the importance of human factors despite technological advances." This same principle applies to defending against OSINT threats—automated tools alone aren't enough.

Perform quarterly audits by:

  • Searching for your organization, executives, and facilities across all platforms using advanced search operators
  • Using automated tools to identify exposed systems and infrastructure details
  • Checking breach databases for compromised employee accounts
  • Reviewing job postings, website source code, DNS records, and public documents for information leakage
  • Documenting findings by risk level and creating a remediation roadmap

Rahman emphasizes that any information discovered "must be verified against other information" to understand its true risk level and potential impact. Heinl, Patapovas, and Pilgermann reinforce this by noting that "the outside perspective corresponds to the first impression an attacker might have in her information gathering about a potential target," making these audits essential to understanding your actual vulnerability.

According to the Paubox report Shadow AI Is Outpacing Healthcare Email Security, “Compliance officers are finding themselves in reactive mode, trying to understand tools that may already be in use by staff. It’s impossible for compliance to secure what they don’t even know about.”

This observation applies directly to OSINT. Organizations can’t defend what they can’t see. Hidden exposure, whether through public data or unsanctioned AI use, represents the same visibility gap.

As Gaudet explains in "How hospitals can protect themselves from cyber attack," hospitals are particularly vulnerable because they have a "broad attack surface"—it's difficult to control physical access to equipment, and many medical devices use older operating systems that are difficult to update and easier for hackers to exploit.


2. Secure job postings and recruitment materials

Job postings can hand adversaries a detailed inventory of your technology stack. To limit what they reveal:

  • Use general technology categories instead of specific software versions
  • Reference security capabilities rather than naming specific security tools
  • Avoid mentioning current vulnerabilities, legacy systems, or planned migrations
  • Provide technical specifics only to qualified candidates after initial screening
  • Review all postings through a security lens before publication
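An added example, not from the article: a small Python linter that flags the phrases in a draft posting that hand over an inventory (product plus version, named security tools, words such as "legacy" or "migration") and suggests the generic wording the bullets above call for. The sample posting and the tool-to-capability map are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    category: str    # "version", "risk-wording" or "named-tool"
    text: str        # the exact phrase that should be reworded
    suggestion: str

# "Windows Server 2012 R2", "vSphere 6.7", "Splunk Enterprise 8.2": a named product
# followed by a version string is a free inventory entry for an attacker.
VERSIONED_PRODUCT_RE = re.compile(
    r"\b([A-Z][\w.+-]*(?: [A-Za-z][\w.+-]*)?) (\d{4}(?: R\d)?|\d+(?:\.\d+)*)\b"
)
# Words that advertise weakness or change in progress.
RISK_WORDS_RE = re.compile(
    r"\b(legacy|end[- ]of[- ]life|EOL|unpatched|outdated|migrat(?:e|ion|ing)|vulnerab\w*)\b",
    re.IGNORECASE,
)
# Constructed map of named security tools to the capability wording to use instead.
SECURITY_TOOLS = {
    "FortiGate": "next-generation firewall administration",
    "Splunk": "SIEM and log analytics",
    "CrowdStrike": "endpoint detection and response",
}

def review_posting(text: str) -> list[Finding]:
    """Flag every phrase in a draft posting that leaks inventory or weakness."""
    findings = []
    for m in VERSIONED_PRODUCT_RE.finditer(text):
        findings.append(Finding("version", m.group(0),
                                f"say '{m.group(1)} environments' and drop the version"))
    for m in RISK_WORDS_RE.finditer(text):
        findings.append(Finding("risk-wording", m.group(0),
                                "remove; do not advertise legacy systems or migrations"))
    for tool, capability in SECURITY_TOOLS.items():
        if re.search(rf"\b{re.escape(tool)}\b", text):
            findings.append(Finding("named-tool", tool, f"describe the capability: '{capability}'"))
    return findings

# Constructed sample posting (hypothetical employer and products, not from the article).
SAMPLE_POSTING = """Systems Administrator - Regional Health Network
You will maintain our Windows Server 2012 R2 fleet and VMware vSphere 6.7 hosts,
support the legacy PACS running on Windows 7 workstations, and help plan our
migration off Citrix XenApp 7.15 next quarter. Familiarity with Fortinet FortiGate
firewalls and Splunk Enterprise 8.2 is a plus."""

if __name__ == "__main__":
    for f in review_posting(SAMPLE_POSTING):
        print(f"[{f.category}] {f.text!r}: {f.suggestion}")
```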


3. Implement social media policies

Employees are often the largest source of unintentional OSINT leakage. The challenge, as highlighted in "Intelligence and global health," is that "although information shared on social networking sites such as Facebook may be public, we still expect a contextual degree of privacy and it is as yet unclear under which circumstances such expectations may be set aside."

Heinl, Patapovas, and Pilgermann observe that, "especially in the healthcare sector, where security awareness across employees is estimated to be rather low, characterizing security incidents and identifying indicators of compromise delivers an enormous benefit for organizations." According to "How hospitals can protect themselves from cyber attack," healthcare workers clicked on one out of every seven simulated phishing emails, a high rate that demonstrates the urgent need for better training and awareness.

The Paubox report explains, “People tend to do it without thinking, just wanting to speed up their work... you just uploaded a bunch of company data... and your security team does not know about this.” Just as employees casually share details online, many use AI tools without realizing the data security implications. This widens the OSINT attack surface.

However, Gaudet notes that proper training can make a difference; cybersecurity training programs "can decrease clicks on malicious links by two-thirds." But training alone isn't enough; organizations also need clear policies.

Develop clear, enforceable policies that:

  • Prohibit sharing photos of security badges, access controls, network diagrams, or system architecture
  • Forbid posting about unpatched vulnerabilities, security incidents, or specific software versions
  • Restrict location-tagging in sensitive areas
  • Provide clear examples of acceptable versus problematic posts with explanations
  • Create a culture of peer accountability through department security ambassadors

OSINT also spans several intelligence categories. One of them, "Social Media Intelligence (SOCMINT)," Rahman defines as "the acquisition of information from social media (e.g. blogs, news, posts, deep web, or dark web forums) to be used as indicators for a certain research object."

As Gaudet emphasizes, "Hospitals need to create a cybersecurity culture. They already do a good job on privacy and data management, but on cybersecurity they have a long way to go."


4. Control document metadata and digital footprints

Digital documents reveal information through metadata, user accounts, software versions, internal file paths, and editing history. This information is valuable to attackers: according to "How hospitals can protect themselves from cyber attack," hackers can get "around $1 per record if they sell them in bulk, or up to $1000 for the records of specific people."

To protect against this exposure:

  • Implement automated metadata scrubbing for all externally published documents
  • Remove author names, creation dates, software versions, and file paths
  • Train staff to use metadata cleaning tools and verify removal before posting
  • Pay special attention to conference presentations, research publications, and policy documents
  • Establish document review procedures before publication
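As an added illustration (not the article's own tooling), a Python scrubber that removes the identifying properties from a .docx package and then lists what is left, so the removal can be verified before posting. The sample document is constructed in code; because .xlsx and .pptx packages carry the same docProps parts, the same functions work on them unchanged.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by docProps/core.xml and docProps/app.xml inside a .docx
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Properties that leak author names, machine/account names, timestamps and software versions
STRIP = {"docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dcterms:created",
                               "dcterms:modified", "cp:revision"],
         "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template"]}

def scrub_docx(data: bytes) -> bytes:
    """Return a copy of the package with the identifying properties removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in STRIP:
                root = ET.fromstring(payload)
                for tag in STRIP[item.filename]:
                    for el in root.findall(tag, NS):
                        root.remove(el)
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()

def remaining_properties(data: bytes) -> dict[str, str]:
    """Verification before publishing: every non-empty property still present."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = [ET.fromstring(z.read(part)) for part in STRIP]
    return {el.tag.split("}")[1]: el.text.strip()
            for root in parts for el in root if el.text and el.text.strip()}

def build_sample_docx() -> bytes:
    """Constructed stand-in for a real document, with the usual leaky properties."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
            '<dc:title>Sepsis Protocol v3</dc:title><dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>ICU-WS-0042\\admin</cp:lastModifiedBy><cp:revision>14</cp:revision>'
            '<dcterms:created>2025-01-15T09:30:00Z</dcterms:created></cp:coreProperties>').format(**NS)
    app = ('<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion><Company>Example Hospital</Company>'
           '<Template>Normal.dotm</Template><Pages>3</Pages></Properties>').format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
```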


5. Monitor your digital footprint continuously

Rahman's research warns, "One of the greatest issues with OSINT is that there can be so much data that deriving analytics becomes difficult." To put this in perspective, Rahman notes that "every day, approximately 500 million tweets are posted, over 4.75 billion items are shared on Facebook, more than 500 hours of video are uploaded to YouTube per minute, and Google handles over 99,000 search queries per second." Additionally, "Pertinent pieces of information can often be lost amongst the background noise of the internet because of the sheer quantity of data available."

As Dr. Tepper wisely cautions in "How hospitals can protect themselves from cyber attack," organizations must adopt the right mindset: "We have to have the mindset that it's a matter of when, not if. We need to prepare for it as we would for any other adverse event."

To cut through the noise effectively:

  • Set up automated alerts for your organization's name, executives, domain names, and sensitive terms
  • Monitor paste sites like Pastebin for stolen credentials
  • Track dark web forums where threat actors discuss potential targets
  • Watch for unexpected DNS changes, subdomain registrations, or SSL certificate issuances
  • Consider commercial OSINT monitoring services tailored to healthcare organizations
  • Establish processes for triaging and investigating alerts to avoid information overload
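An added example for the certificate-issuance bullet and the triage bullet, not from the article: Python that checks Certificate Transparency rows for your domain against an asset inventory and a list of the CAs you actually use, and collapses repeated rows into one alert per host so the queue stays readable. The domain, inventory and rows are constructed placeholders; the row shape follows the JSON fields crt.sh returns, but no network call is made.

```python
# Placeholder organization and asset inventory (constructed, not a real hospital).
ORG_DOMAIN = "example-hospital.org"
KNOWN_HOSTS = {"@", "www", "portal", "mail", "vpn"}   # "@" is the apex name
EXPECTED_ISSUERS = {"Let's Encrypt", "DigiCert"}       # CAs the organization actually uses

# Constructed sample shaped like crt.sh JSON rows (name_value may hold several SANs).
CT_ENTRIES = [
    {"name_value": "www.example-hospital.org", "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "not_before": "2025-10-01T00:00:00"},
    {"name_value": "portal.example-hospital.org\nwww.example-hospital.org", "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1", "not_before": "2025-10-02T00:00:00"},
    {"name_value": "dev-epic.example-hospital.org", "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "not_before": "2025-10-03T00:00:00"},
    {"name_value": "dev-epic.example-hospital.org", "issuer_name": "C=US, O=Let's Encrypt, CN=R10", "not_before": "2025-10-03T06:00:00"},
    {"name_value": "vpn.example-hospital.org", "issuer_name": "O=Discount Certs Ltd, CN=Discount TLS CA", "not_before": "2025-10-04T00:00:00"},
]

def host_label(name: str, domain: str):
    """Label left of the org domain ('@' for the apex, '*' for a wildcard); None if not ours."""
    name = name.strip().lower()
    if name == domain:
        return "@"
    if name.endswith("." + domain):
        return name[: -len(domain) - 1]
    return None   # some other registered domain; out of scope for this feed

def triage(entries, domain=ORG_DOMAIN, known=KNOWN_HOSTS, issuers=EXPECTED_ISSUERS):
    """Collapse raw CT rows into one alert per host, with severity and distinct reasons."""
    alerts = {}
    for row in entries:
        for name in row["name_value"].split("\n"):
            host = host_label(name, domain)
            if host is None:
                continue
            reasons = []
            if host not in known:
                reasons.append("name not in asset inventory (shadow IT or registered outside change control)")
            if not any(ca in row["issuer_name"] for ca in issuers):
                reasons.append(f"issued by an unexpected CA: {row['issuer_name']}")
            if not reasons:
                continue
            alert = alerts.setdefault(host, {"first_seen": row["not_before"], "count": 0,
                                             "reasons": [], "severity": "medium"})
            alert["count"] += 1
            alert["reasons"] += [r for r in reasons if r not in alert["reasons"]]
            # A certificate for one of our names from a CA we do not use outranks a new subdomain.
            if any(r.startswith("issued by") for r in alert["reasons"]):
                alert["severity"] = "high"
    return alerts

if __name__ == "__main__":
    for host, a in sorted(triage(CT_ENTRIES).items(), key=lambda kv: kv[1]["severity"]):
        print(f"{a['severity']:6} {host}.{ORG_DOMAIN} x{a['count']}: {'; '.join(a['reasons'])}")
```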

Attacks on healthcare systems can have severe consequences. As documented in "How hospitals can protect themselves from cyber attack," when Michael Garron Hospital in Toronto was hit by ransomware, it took 10 days to restore access to most systems, including electronic medical records, and even longer to restore some less critical systems. This kind of disruption in a healthcare setting can be a matter of life and death, making proactive OSINT protection not just a security best practice, but a patient safety imperative.


FAQs

Can OSINT attacks target patient-facing apps and mobile health devices?

Yes, mobile health apps and IoT medical devices can expose sensitive information if not properly secured.


How does insider threat differ from external OSINT exposure?

Insider threats involve employees or contractors misusing access, while OSINT exploits publicly available data to plan attacks.


Are third-party vendors an OSINT risk?

Yes, vendors with access to systems or data can leak information that attackers could use.


Can AI tools themselves be exploited in OSINT attacks?

Yes, unsanctioned AI use can create “shadow AI” risks where sensitive data is exposed without IT oversight.


How frequently should organizations update OSINT monitoring policies?

Policies should be reviewed and updated at least quarterly to address new platforms, threats, and regulations.