
What is threat intelligence?


Most healthcare organizations learn about a threat only after it has already reached them: a staff member clicks a link, a vendor reports unusual activity, or a breach appears on the HHS OCR breach portal. Threat intelligence is the practice of learning about threats before they reach you: collecting and analyzing information about who is attacking, how they operate, and what they are targeting, so that defenses can be adjusted ahead of the attack rather than in response to it.

For healthcare specifically, where a single breach costs an average of $9.8 million according to IBM's 2025 Cost of a Data Breach Report, the gap between knowing what is coming and finding out after the fact carries direct financial, clinical, and regulatory consequences.

 

Understanding threat intelligence

A 2026 MDPI study on AI and cyber threat intelligence defines the field as the collection, analysis, and dissemination of information about current and potential cyber threats, including threat actors, their tactics, techniques, and procedures (TTPs), and indicators of compromise (IoCs) associated with specific attacks. What separates threat intelligence from raw security data is the analysis step - converting observations about attack activity into conclusions that a security team can act on.

A 2025 systematic review published in MDPI Sensors, which analyzed 43 peer-reviewed studies on CTI effectiveness, found that organizations applying threat intelligence were measurably better positioned to predict and prevent attacks than those relying on reactive monitoring alone. The review also identified the persistent challenges: data standardization between sources, the speed at which threat intelligence becomes outdated, and the difficulty of translating intelligence into action when security teams are thin.

That last challenge is particularly acute in healthcare, where most small and mid-sized practices have no dedicated security analyst and where even larger organizations rely on generalist IT staff who are managing email, devices, and compliance requirements simultaneously. Threat intelligence is most valuable when it is delivered in a form that those teams can actually use.

Read more: What is phishing? | What is ransomware?

 

The three types of threat intelligence

Threat intelligence in practice operates at three levels, each useful to a different audience within an organization.

Strategic intelligence covers the broad spectrum of threats facing a sector: which criminal groups are active, what their motivations are, which industries they are targeting, and how the threat environment is changing over longer time horizons. A healthcare board or executive team reading that ransomware in healthcare surged 264% since 2018, as documented in Paubox's 2025 Healthcare Email Security Report, or that healthcare finished 2025 as the most attacked critical infrastructure sector according to the FBI's 2025 IC3 Report, is consuming strategic threat intelligence. It informs budget decisions and risk prioritization rather than immediate technical action.

Tactical intelligence covers the specific methods attackers use such as phishing lure types, malware delivery chains, exploitation of particular vulnerabilities, and social engineering techniques. When CISA and the FBI issued a joint advisory on Interlock ransomware in July 2025, describing the group's use of fake browser update pages and ClickFix social engineering to gain initial access, that was tactical intelligence. It told security teams precisely which user behaviors and system configurations the group exploits, enabling targeted defenses before a specific organization is hit.

Operational intelligence is the most immediate level: specific indicators of compromise, IP addresses and domains currently in use by attackers, malware hashes and signatures, and real-time signals about attacks in progress. CISA's Automated Indicator Sharing (AIS) platform distributes exactly this type of intelligence as a machine-readable feed (STIX objects delivered over TAXII), so organizations can ingest current IoCs into their security tools automatically. Operational intelligence has the shortest useful life: attacker infrastructure is rotated constantly, so indicators need to be consumed by automated systems fast enough to still be current, and aged out once they no longer are.
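To make the "shortest useful life" point concrete, here is an added example (not Paubox code, and not the AIS or STIX format) of the minimum an organization should do when ingesting an operational feed: undo the defanging that advisories use in print, reject anything that is not a recognizable indicator, and drop entries older than a staleness window. The feed text, the domains, the IP and the hash are constructed for illustration, and the 30-day window and the fixed "as of" date are assumptions made for the example.

```python
"""Ingest an operational-intelligence feed of indicators of compromise (IoCs).

Added example, not Paubox code and not the AIS feed format. The feed text below
is constructed for illustration: the domains, IP and hash are not real
indicators, and the 30-day staleness window is an assumed policy, not a standard.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Constructed feed, one indicator per line: "<indicator>,<first_seen>,<comment>".
# Indicators are "defanged" (hxxp, [.]) the way advisories print them so that
# they cannot be clicked by accident.
SAMPLE_FEED = """\
# indicator,first_seen,comment
evil-docs-login[.]example,2025-07-20,fake DocuSign lure domain
hxxps://update-browser[.]example/chrome.js,2025-07-22,fake browser update page
203.0.113.45,2025-04-01,C2 address seen in spring, probably rotated by now
deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,2025-07-25,loader sample
not an indicator,2025-07-25,malformed line that must be skipped
"""

# Assumed policy: operational indicators older than this are treated as stale.
MAX_AGE_DAYS = 30
# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
FEED_AS_OF = datetime(2025, 8, 1, tzinfo=timezone.utc)


def refang(value: str) -> str:
    """Undo common defanging so the indicator can be matched literally."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def classify(value: str) -> Optional[str]:
    """Return 'sha256', 'ip', 'url' or 'domain', or None if the value is none of these."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "sha256"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"https?://\S+", value):
        return "url"
    if re.fullmatch(r"(?=.{1,253}$)([A-Za-z0-9-]+\.)+[A-Za-z]{2,}", value):
        return "domain"
    return None


def parse_feed(text: str, now: datetime, max_age_days: int = MAX_AGE_DAYS) -> Dict[str, Set[str]]:
    """Turn feed text into per-type indicator sets, dropping stale and malformed entries."""
    result: Dict[str, Set[str]] = {"domain": set(), "ip": set(), "url": set(), "sha256": set()}
    cutoff = now - timedelta(days=max_age_days)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",", 2)          # the comment may itself contain commas
        if len(fields) < 2:
            continue
        raw, first_seen = fields[0].strip(), fields[1].strip()
        try:
            seen = datetime.strptime(first_seen, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        except ValueError:
            continue                          # unparseable date: cannot judge freshness
        if seen < cutoff:
            continue                          # too old: the infrastructure has likely moved
        value = refang(raw)
        kind = classify(value)
        if kind is None:
            continue                          # not a recognisable indicator
        if kind in ("domain", "sha256"):
            value = value.lower()             # case-insensitive types, normalise once
        result[kind].add(value)
    return result


if __name__ == "__main__":
    for kind, values in parse_feed(SAMPLE_FEED, FEED_AS_OF).items():
        print(f"{kind}: {sorted(values)}")
```

Run as of 2025-08-01, the spring C2 address is dropped as stale and the malformed line is skipped, leaving one domain, one URL and one hash to push into blocking tools. Widening `max_age_days` brings the old IP back; the window is a judgement call that should be tuned per indicator type, since file hashes stay valid far longer than rented IP addresses.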

 

Why healthcare threat intelligence is different

The threat intelligence landscape for healthcare has both advantages and gaps that organizations in other sectors do not face in the same way.

On the advantage side, healthcare has a sector-specific intelligence infrastructure that most industries lack. Health-ISAC, the Health Information Sharing and Analysis Center, celebrated its 15th anniversary in October 2025 and reported a 55% year-over-year increase in cyber incidents affecting the sector in its 2025 Fourth Quarter Health Sector Heartbeat, alongside a surge in threat intelligence sharing and tabletop exercises among members. Health-ISAC's threat intelligence portal provides members with actionable, healthcare-specific intelligence that goes beyond what general cybersecurity advisories cover, including analysis of how specific groups are targeting medical devices, clinical systems, and healthcare supply chains. HHS's Health Sector Cybersecurity Coordination Center (HC3) distributes monthly threat briefings and sector-specific advisories directly to healthcare organizations that subscribe to its listserv.

On the gap side, much of the best healthcare threat intelligence is shared through networks that smaller organizations never join. A rural critical access hospital, a solo psychiatric practice, or a regional home health agency rarely has the staff time to monitor Health-ISAC feeds, review HC3 bulletins, or parse CISA advisories for healthcare-relevant indicators. According to Paubox's Rural Healthcare report, these smaller organizations face the same attack exposure as larger systems while operating with a fraction of the security resources.

 

How threat intelligence connects to email security

Email is where most healthcare attacks begin, and threat intelligence about phishing campaigns, impersonation techniques, and malicious infrastructure has direct practical application for email security controls.

When a threat intelligence feed identifies that a specific ransomware group is using DocuSign impersonation emails to target healthcare providers, that information can be used to tighten inbound filtering rules before the campaign reaches a specific organization's staff. When a joint advisory documents the domains and IP addresses associated with a phishing campaign infrastructure, those indicators can be fed into email security systems to block delivery automatically. When Paubox's Top 3 Healthcare Email Attacks in 2025 report identifies phishing-driven mailbox takeover as the most damaging email attack type by impact, exposing 630,000 individuals in 2025, that is threat intelligence informing which attack type deserves priority in email security investment.

The limitation of traditional email security tools is that they respond to known threats. Signature-based filters catch malware and domains that have already been identified as malicious. According to Paubox's 2026 Healthcare Email Security Report, attacks avoiding native email defenses rose 47% in 2025, showing the gap between what signature-based systems know and what attackers are currently doing. AI-driven inbound filtering closes part of that gap by analyzing behavioral signals, sender patterns, message tone, and contextual anomalies that reveal threat intent without requiring a known signature to match against.

Paubox Inbound Email Security combines AI-based behavioral analysis with continuous threat intelligence to detect phishing, impersonation, and business email compromise attempts before they reach clinical and administrative staff. According to Paubox's Healthcare IT is dangerously overconfident about email security report, 89% of healthcare IT leaders identified AI and machine learning as critical for detecting email threats, and the organizations already using AI-powered detection are much better positioned against the novel techniques that threat intelligence identifies as current attack methods.

 

Where healthcare organizations can access threat intelligence

Several no-cost or low-cost threat intelligence resources are available specifically to healthcare organizations, and organizations that are not currently using them are leaving meaningful defensive capability on the table.

CISA's Healthcare and Public Health cybersecurity toolkit consolidates the most actionable federal threat intelligence resources for the sector, including HC3's monthly briefings, the Automated Indicator Sharing platform, and the HHS Office of Critical Infrastructure Protection's weekly bulletins. Organizations can subscribe to HC3 alerts by emailing HC3@hhs.gov, a step that costs nothing and delivers sector-specific threat briefings directly to whichever inbox the organization nominates.

The MS-ISAC, operated by the Center for Internet Security, provides threat intelligence and 24/7 monitoring services to state, local, tribal, and territorial organizations, including healthcare entities. For smaller healthcare organizations without dedicated security operations, MS-ISAC membership provides access to the same category of real-time threat intelligence that large systems pay significant security staff to maintain.

Health-ISAC provides the most detailed healthcare-specific threat intelligence available, covering medical devices, supply chain risk, ransomware group activity, and sector-targeted campaigns. Membership is tiered to accommodate organizations of different sizes, and the intelligence portal includes sensitive, restricted-distribution threat information not available through public channels.

 

In the news

In March 2026, Health-ISAC's chief security officer, Errol Weiss, warned publicly that any reduction in CISA's operational capacity introduced direct risk to healthcare threat intelligence sharing at a moment when the sector was already under elevated pressure from Iran-linked cyber activity following geopolitical tensions. "The stakes for the health sector are uniquely high when cyber and geopolitics intersect," Weiss said, adding that the ISAC community was continuing to share intelligence aggressively but that CISA's coordination function was irreplaceable for the speed and scope of collective defense. The statement reflected a broader recognition within healthcare cybersecurity that threat intelligence is not a passive benefit but an active, time-sensitive resource whose value depends on the infrastructure distributing it operating at full capacity.

 

FAQs

What is the difference between threat intelligence and antivirus or email filtering?

Antivirus and email filtering are detection tools - they identify known threats based on signatures and reputation data. Threat intelligence is the information that feeds into how those tools are configured and updated, and it also informs human decisions about where to focus security investment. Good threat intelligence tells an organization which attack types are currently being used against healthcare, which groups are active, and which specific techniques their email and endpoint tools need to be tuned to catch.

 

How does threat intelligence help a healthcare organization with limited IT resources?

For resource-constrained organizations, the most accessible form of threat intelligence is the joint advisories published by CISA, the FBI, and HHS when a specific group is actively targeting healthcare. These advisories describe the exact techniques being used and the specific indicators of compromise to look for, reducing the analysis burden on internal staff. Subscribing to HC3 alerts and CISA advisories requires no budget and puts sector-specific threat intelligence directly into the hands of whoever manages security, even if that person is also managing the organization's printers.

 

What are indicators of compromise, and how are they used?

Indicators of compromise are specific technical artifacts associated with an attack: malicious domain names, IP addresses, file hashes, email sender patterns, or behavioral sequences observed in confirmed incidents. When a threat intelligence source publishes IoCs from an active campaign, organizations can use them to check whether those indicators have appeared in their own environment and to configure defenses to block or alert on them in the future.
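Both this answer and the earlier email-security section describe the same mechanical step: taking published indicators and checking them against the organization's own mail traffic. The following added example (not Paubox code, and not any gateway's real log format) does that retro-hunt over a handful of constructed mail-gateway log lines, matching sender domain, source IP, URL hosts and attachment hash. The indicator set, the log lines and their key=value layout are all constructed for illustration; note that domain matching has to cover subdomains, since a lure hosted at www.<bad-domain> is the same infrastructure as <bad-domain>.

```python
"""Retro-hunt: check whether published indicators appear in an organisation's own mail logs.

Added example, not Paubox code and not any product's log format. The indicator
set and the gateway log lines below are constructed for illustration; the
space-separated key=value log layout is an assumption made for the example.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed indicators, already normalised (no defanging), grouped by type.
IOCS: Dict[str, Set[str]] = {
    "domain": {"evil-docs-login.example", "update-browser.example"},
    "ip": {"198.51.100.7"},
    "sha256": {"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"},
}

# Constructed mail-gateway log: one message per line, space-separated key=value
# fields; "-" means the field is empty, and multiple URLs are comma-separated.
SAMPLE_LOG = """\
ts=2025-07-23T09:14:02Z from=billing@clinic-partner.example src_ip=192.0.2.10 urls=https://portal.clinic-partner.example/invoice attach_sha256=-
ts=2025-07-23T09:15:40Z from=noreply@evil-docs-login.example src_ip=198.51.100.7 urls=https://www.evil-docs-login.example/sign?id=77 attach_sha256=-
ts=2025-07-23T10:02:11Z from=hr@clinic.example src_ip=192.0.2.11 urls=- attach_sha256=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
ts=2025-07-23T10:30:55Z from=it@clinic.example src_ip=192.0.2.12 urls=https://cdn.update-browser.example/chrome.js,https://intranet.clinic.example/ attach_sha256=-
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; values never contain spaces."""
    return dict(FIELD_RE.findall(line))


def domain_matches(host: str, domains: Set[str]) -> bool:
    """True if host is an indicator domain or a subdomain of one (www.x.example hits x.example)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt(log_text: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, sender, reasons) for every message that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons: List[str] = []

        # Sender domain: the part after the last "@" in the envelope/from address.
        sender_domain = rec.get("from", "").rpartition("@")[2]
        if sender_domain and domain_matches(sender_domain, iocs["domain"]):
            reasons.append(f"sender domain {sender_domain}")

        # Connecting IP is an exact match; IoC feeds list addresses, not ranges, here.
        if rec.get("src_ip") in iocs["ip"]:
            reasons.append(f"source IP {rec['src_ip']}")

        # Every URL in the body is reduced to its host and matched like a domain.
        for url in rec.get("urls", "-").split(","):
            if url == "-":
                continue
            host = urlparse(url).hostname or ""
            if domain_matches(host, iocs["domain"]):
                reasons.append(f"URL host {host}")

        # Hashes are hex and compare case-insensitively, so normalise before lookup.
        sha = rec.get("attach_sha256", "-").lower()
        if sha in iocs["sha256"]:
            reasons.append(f"attachment sha256 {sha[:12]}...")

        if reasons:
            hits.append((rec.get("ts", "?"), rec.get("from", "?"), reasons))
    return hits


if __name__ == "__main__":
    for ts, sender, reasons in hunt(SAMPLE_LOG, IOCS):
        print(f"{ts} {sender}: {'; '.join(reasons)}")
```

Against the constructed log, three of the four messages hit: the lure email matches on sender domain, source IP and URL host at once, the HR message only on its attachment hash, and the IT message only on a URL hosted on a subdomain of an indicator domain. The same matching functions serve both purposes the article describes: run over historical logs they answer "has this already reached us?", and wired into the gateway's inbound rules they block the next delivery.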

 

Does threat intelligence sharing between healthcare organizations actually work?

The evidence suggests it does when the intelligence is timely and specific. Health-ISAC's 2025 annual report documented a surge in threat intelligence sharing and tabletop exercises, and the joint federal advisories on groups like Interlock and Qilin reached thousands of healthcare organizations before those groups expanded their campaigns. The limitation is not the intelligence itself but whether smaller organizations have the capacity to act on it after receiving it.

 

How does Paubox use threat intelligence in its email security products?

Paubox Inbound Email Security combines AI behavioral analysis with continuous threat intelligence to detect phishing, impersonation, and BEC attempts before they reach inboxes. Rather than relying solely on static signature databases, the system assesses sender behavior, message intent, and contextual signals against current threat patterns, catching novel attack techniques that signature-based systems miss. For healthcare organizations without a dedicated security team to monitor threat intelligence feeds manually, this approach embeds current intelligence directly into the email filtering layer, where it has the most immediate defensive effect.

Learn more: Paubox Inbound Email Security
