According to a Narrative Review titled ‘Cyber-Attacks on Hospital Systems’, “technological advancements are increasingly shaping the field of medicine,” improving efficiency, accessibility, and innovation.
At the same time, our healthcare system has become more vulnerable to cyberattacks with malicious actors targeting patients’ protected health information (PHI).
What is a cyberattack?
The narrative review defines a healthcare cyberattack as “any purposeful, malicious attempt to breach healthcare data, compromise patient confidentiality, or disrupt operational systems.” It also states that “the number of incidents has doubled since the COVID-19 pandemic.” Moreover, “each year, the number of online security breaches rises and is growing at an alarming rate,” where “the number of incidents has tripled in the last decade.”
Between 2018 and 2020, “the number of reported healthcare security breaches almost doubled from 369 to 663.” In 2023, that number had reached 742 breaches, and “in April 2024 alone, there were 15,349,203 records compromised.”
More recent data support these findings, with the United States Department of Health and Human Services (HHS) reporting 170 email-related healthcare breaches in 2025, ultimately affecting more than 2.5 million individuals.
Why hospitals are major targets
Healthcare organizations host a vast amount of patient data, making them an attractive target for cybercriminals. As the study explains, “on the black market, each patient record can be worth up to $1,000.” This makes healthcare data more lucrative than typical financial information.
Additionally, hospitals often lag other industries in cybersecurity maturity. A 2024 report cited in the study found that “over 26% of healthcare organizations have low cybersecurity maturity,” while “only 3% of healthcare industries actually have mature cybersecurity features.”
Furthermore, healthcare systems are highly interconnected. More specifically, “many medical devices and online portals are interconnected in healthcare systems, so a security breach can cause widespread implications across multiple departments.” Therefore, an outdated device with a vulnerable security system can compromise an entire hospital network.
Common methods of cyberattacks
Phishing
Phishing is described as “a fraudulent attempt to obtain sensitive information by disguising [itself] as a trustworthy entity.” These attacks often occur via email and rely on human error, making them particularly effective.
For example, a nurse might receive a message warning that their access to the electronic medical record system will be suspended unless they click a link and log in immediately. If the email looks legitimate, with official logos, the nurse would be inclined to click the link. They are then directed to a fake login page, and when they enter their credentials, the attacker captures those details. This allows unauthorized access to hospital systems, where PHI can be viewed, stolen, or used to launch further attacks.
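A mail filter or help desk tool can catch the fake login link in this scenario by parsing each link and comparing its hostname exactly against the real EMR host. The sketch below is an added example, not code from the narrative review; the host emr.hospital.example, the function names, and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder for the hospital's real EMR login host.
TRUSTED_HOSTS = {"emr.hospital.example"}

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def naive_is_trusted(url):
    # Weak check: the trusted name appearing anywhere in the URL is enough.
    return any(h in url for h in TRUSTED_HOSTS)

def is_trusted(url):
    # Strict check: https only, and the parsed hostname must match exactly.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme == "https" and host in TRUSTED_HOSTS

def untrusted_links(html_body):
    """Return every link in the message that fails the strict check."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [u for u in parser.hrefs if not is_trusted(u)]

# Constructed sample message modelled on the scenario in the text.
SAMPLE_EMAIL = """
<p>Your EMR access will be suspended. Log in immediately:</p>
<a href="https://emr.hospital.example.account-check.invalid/login">Log in</a>
<a href="https://emr.hospital.example@portal.invalid/login">Alternate link</a>
<a href="https://emr.hospital.example/help">Help desk</a>
"""

if __name__ == "__main__":
    for url in untrusted_links(SAMPLE_EMAIL):
        print("untrusted:", url, "| naive check passes:", naive_is_trusted(url))
```

Both flagged links contain the trusted name, so the substring check accepts them; only the exact hostname comparison separates them from the genuine help desk link.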
Malware and ransomware
The narrative review defines malware as “malicious software designed to disrupt, damage, or gain unauthorized access,” while ransomware takes things further as cybercriminals encrypt data and demand payment.
In the 2017 WannaCry incident, the ransomware spread across outdated hospital systems, locking staff out of their patient files and medical records. As a result, appointments were canceled, emergency services were disrupted, and healthcare providers were forced to revert to manual processes.
Denial-of-Service (DoS)
A DoS attack “overwhelms a system… rendering it unavailable to users.” It happens when attackers flood the hospital’s network with excessive traffic, causing it to crash or become extremely slow. During this time, staff, especially in high-pressure environments like the emergency department, wouldn’t be able to access electronic medical records, lab results, or imaging systems.
The disruption can delay diagnoses and treatment and force staff to rely on manual information, putting patient safety at risk.
Man-in-the-Middle (MitM) attack
A man-in-the-middle attack happens when a cybercriminal secretly intercepts and interferes with the communication between two parties without their knowledge, typically to steal sensitive information.
During the 2018 SingHealth data breach, attackers gained unauthorized access to internal systems and sensitive patient data, compromising 1.5 million patient records in Singapore.
SQL injection
SQL injection is a technique where attackers insert malicious code into input fields (such as login forms) to manipulate a database and access stored data.
For example, in the Vastaamo psychotherapy center breach, attackers exploited weaknesses in database security to access patients’ therapy records. Although multiple weaknesses were involved, reports indicated poor database security practices consistent with risks seen in SQL injection-style attacks, where backend databases are exposed due to insecure inputs.
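The login-form case described above comes down to whether user input is pasted into the SQL text or passed as a parameter. The following is an added example, not code from the narrative review or from any breached system; the table, the account, and the sample input are constructed, and the password check is simplified to a stored-hash comparison.

```python
import sqlite3

def make_db():
    """In-memory stand-in for a portal's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('nurse01', 'hash-a')")
    return db

def login_vulnerable(db, username, pw_hash):
    # Input is pasted into the SQL text, so quotes in it become SQL syntax.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, pw_hash):
    # Placeholders keep the input as data; it cannot change the query.
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, pw_hash)).fetchone() is not None

# Constructed input: a quote followed by a SQL comment marker, which in the
# concatenated query cuts off the password condition.
CRAFTED_USERNAME = "nurse01' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable accepts crafted input:",
          login_vulnerable(db, CRAFTED_USERNAME, "wrong"))
    print("parameterized accepts crafted input:",
          login_parameterized(db, CRAFTED_USERNAME, "wrong"))
```

With the parameterized query, the crafted value is simply a username that does not exist, so the login fails as it should.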
Cross-site scripting (XSS)
Cross-site scripting is a vulnerability in web applications that allows attackers to inject malicious scripts into webpages viewed by other users in order to steal login credentials or session data.
For example, in October 2019, Mission Health (a large health system in North Carolina) disclosed that an XSS vulnerability in its e-commerce web application had been present for about three years and was exploited to inject malicious scripts. While that breach didn’t expose PHI, it did result in the unauthorized disclosure of names, addresses, and payment card data.
Zero-day exploit
A zero-day exploit targets a previously unknown vulnerability in software or hardware, giving developers no time to fix the issue before it is exploited.
The WannaCry cyberattack mentioned above used a zero-day vulnerability, impacting the National Health Service and disrupting hospital operations as it locked access to PHI.
A look at the consequences
Cyberattacks can “prevent access to medical records, cause medical equipment… to malfunction, and hinder delivery of lab results.”
In extreme cases, hospital systems are forced offline. One notable example involved Universal Health Services, where systems were down for over a month. The narrative review reports that “trauma patients and procedures were rerouted to competitor facilities,” resulting in “$67 million in pretax losses.”
In addition, emergency rooms were forced to see fewer patients as ambulances were diverted, elective procedures were postponed, and lab results became inaccessible. The review summarizes these impacts as “decreased productivity, delay in delivery of patient care, and loss of access to past medical records.”
Other consequences include imaging systems being affected, like in the Springhill Medical Center Ryuk attack, where the ransomware took the hospital’s IT network offline and disrupted access to connected clinical technologies. As a result, fetal heartbeat monitors in the labor and delivery ward were compromised, possibly resulting in the death of a baby.
Cybersecurity as a public health issue
“Cybersecurity incidents pose a public health concern,” as evidenced in the narrative review. When hospital systems fail, patient outcomes are directly affected. Delays in treatment, diagnostic errors, and reduced access to care can all result from cyber incidents.
These impacts also influence how individuals perceive safety and trust in the healthcare system. According to Cyberattacks, Psychological Distress, and Military Escalation: An Internal Meta-Analysis, “members of the public registered a steep decline in public confidence in their governments’ ability to defend them against harm. Meanwhile, millions of people exhibited intense anxiety at their newly perceived vulnerability to attack, prompting calls for stricter cybersecurity policies and encouraging a willingness to sacrifice digital civil liberties for the sake of security.”
The financial burden of cyberattacks
Cyberattacks impose a massive financial burden on healthcare organizations. According to the narrative review, “the healthcare industry spends $10.93 million annually… to pay for ransomware,” compared to $4.45 million in other industries.
Costs continue to rise, and after COVID-19, “the average cost of healthcare data breaches has increased by 53.3%.” These expenses include ransom payments, system recovery, legal fees, and reputational damage.
Hospitals must also contend with regulatory consequences, as they are legally required to protect patient data and may face lawsuits and penalties when breaches occur. As of March 2025, HIPAA violations incur fines from $141 to $2,134,831 per violation, depending on culpability.
These consequences reaffirm why hospitals and other healthcare organizations must prevent cyber threats to “avoid costly ransomware attacks… and prevent the fallout from class action lawsuits and damage to their reputation.”
Prevention strategies
Education and awareness
Cybersecurity is a shared responsibility, as “individual lapses can provide entry points for attackers.” The narrative review thus encourages hospitals to “implement ongoing education for employees to maintain awareness and promote safe practices.”
Incident response planning
Hospitals must develop structured response plans that include “planning and preparation, detection, analysis… containment… recovery, and postincident activities.”
Mock drills and simulations
The narrative review recommends “mock drills for downtime scenarios,” which help staff adapt to offline operations and identify weaknesses in existing systems. These could help staff be better prepared, experience less stress, and respond more effectively during attacks.
Strengthening technical defenses
Hospital IT departments must check their systems for:
- Regular software updates
- Multi-factor authentication
- Strong password policies
Instead of using overly complex systems that can lead to “frustration and non-compliance,” staff must use a simple HIPAA-compliant system, like Paubox. Paubox email offers advanced encryption, multifactor authentication, and access controls to protect individuals’ PHI during transmission and at rest.
Upgrading legacy systems
A major vulnerability lies in outdated technology. According to a 2021 HIMSS survey, 73% of healthcare providers use legacy operating systems. These systems don’t have sufficient security features, making them easy targets for attackers.
Additionally, they slow down processes, increase wait times, and make it harder for providers to access and share patient records, leading to delays in treatment and potential medical errors.
The way forward
Blockchain technology may help strengthen healthcare cybersecurity. The narrative study explains that blockchain allows data to be “split, encrypted, and stored across multiple computers,” reducing the risk of centralized attacks.
In addition to technological solutions, hospitals are advised to develop “a downtime procedure manual” and maintain “approved paper charts and surgical and emergency service protocol.”
Together, these measures preserve continuity of care when an attack occurs, so hospitals can “efficiently handle the attacks with minimal interruptions.”
FAQs
Why are malicious actors targeting PHI?
Protected health information (PHI) is valuable as it contains sensitive personal and medical information that can be exploited for identity theft, financial fraud, or illicit sale on the black market.
Why has the healthcare sector become more vulnerable to cyberattacks?
The sector heavily relies on digitization, usage of electronic health records, interconnected systems, and networked medical devices, expanding the number of potential entry points for attackers.
Can cyberattacks affect medical devices and equipment?
Yes, cyberattacks can impact network-connected medical devices, like imaging systems and patient monitors, if the underlying IT infrastructure is compromised, potentially disrupting their functionality and access to patient data.
