The US incurs hundreds of billions of dollars in losses each year due to cybercrime. In 2025, a surge in ransomware activity and AI-driven scams is expected, as well as increasingly complex and coordinated cyberattacks on healthcare infrastructure. While conventional crimes typically involve physical spaces, tangible properties, or direct human confrontation, cybercrime operates primarily within digital environments, using technology not merely as an accessory, but often as the very means, target, and method of deception.
As a key component of critical infrastructure, the healthcare ecosystem remains vulnerable to a wide array of continuous and evolving threats. Attackers specifically target patients' personal identification information (PII) for various financial crimes, including identity theft and insurance fraud.
Outlined below are the key threats contributing to the healthcare ecosystem’s risk landscape, including internal threats, third-party vendor risks, and threats posed by external factors.
Internal threats. Oftentimes, the very real and dangerous risk lies within an organization (e.g., employees and contractors). Malicious (data theft, sabotage) or negligent (misconfiguration, phishing susceptibility) insider threats pose a threat because of the legitimate access to the proprietary systems, knowledge of the network setup and vulnerabilities, or the ability to obtain that knowledge.
Third-party vendors. In the modern healthcare landscape, a large portion of critical services, from scheduling and billing to electronic health records (EHRs), radiology systems, and other essential clinical tools, are powered by third-party vendors. To ensure continuity of care, healthcare organizations must approach cybersecurity in a more comprehensive way, particularly when dealing with third-party vendors.
External Threat Actors. As healthcare operations become digitized, the attack surface of medical clinics and their vendors grows - ransomware, AI-enhanced DDoS, supply chain attacks, business email compromise, or credential stuffing. Cybercriminals are targeting healthcare providers because they possess high-value patient information to cybercriminals and nation-state actors, in addition to a lack of preparedness in the industry.
The following outlines both technical measures and governance/procedural approaches the organization can employ to detect and respond to threats.
Technical Measures:
• Deploy Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR).
• Implement Security Information and Event Management (SIEM) systems integrated with machine learning for behavioral analytics.
• Maintain encrypted backups with isolated storage to ensure ransomware resilience.
• Use micro segmentation to limit lateral movement in networks.
• Restrict vendor access using zero-trust architectures and enforce multi-factor authentication (MFA).
• Invest in AI-enhanced security solutions for real-time monitoring and anomaly detection.
Governance and procedural Measures:
o Foster a collective approach to cybercrime and vendor risk.
o Establish an Incident Response Plan (IRP) with clearly assigned roles and escalation paths.
o Conduct tabletop exercises and red-team simulations quarterly.
o Ensure CISO-level leadership is integrated into executive decision-making.
o Review and update data classification policies, retention policies, and breach notification procedures regularly.
o Require contractual obligations for security compliance (NIST, HIPAA, etc.).
Advancements in technology can improve efficiency for healthcare providers, but they also bring new risks and security challenges. In 2025, cybercriminals are leveraging sophisticated AI technology to bypass security systems, steal sensitive patient data, and wreak havoc on healthcare providers nationwide. Below is an overview of its dual role in enabling cyber threats and enhancing organizational defense mechanisms.
The use of AI in compromising healthcare infrastructure
▪ Automated Phishing and Social Engineering. Healthcare workers are twice as likely to fall victim to AI-driven attacks due to the compelling and customized nature of the scams, which makes cyber training on phishing awareness essential, and not only good practice.
▪ Vulnerability Scanning and Exploitation. Attackers can use AI to automatically scan outdated software and unpatched systems, in addition to helping prioritize targets and select the most effective exploits.
▪ Ransomware Optimization. Holding sensitive data and not affording downtime, delayed treatment, and forced redirection of emergency patients make the healthcare sector a prime target for ransomware groups - lives put at risk raise the stakes for cybersecurity in healthcare to levels unseen in other industries. ▪ Deepfakes and Synthetic Data. AI-generated synthetic data could be used to obfuscate breaches or impersonate patients and hospital executives.
The role of AI in healthcare cyber defense
• Anomaly Detection in Networks. AI can monitor data traffic to detect unusual patterns that signal an attack (e.g., malware communication, credential theft). This is especially useful in large, complex hospital systems with hundreds of connected devices.
• Medical Device Security. AI can be embedded in IoT security platforms to protect devices like infusion pumps, MRI machines, or pacemakers from unauthorized access.
• Threat Intelligence & Prediction. AI systems can analyze global threat data to predict potential attacks and prioritize patching or mitigation efforts. Natural language processing (NLP) models extract relevant indicators of compromise from threat reports.
• Automated Incident Response. AI can be used to automatically isolate infected devices, terminate malicious processes, and notify IT teams in real-time. Chatbots can assist in triaging alerts, reducing response time.
• Data Privacy & Compliance. AI tools help ensure HIPAA and GDPR compliance by monitoring how patient data is accessed and flagging risky behavior or unauthorized access.
In light of the facts outlined above, it is evident that cybersecurity in today’s healthcare ecosystem must be regarded as a mission-critical priority - not merely as a HIPAA compliance issue. Because malicious cyber activity threatens the public’s safety and our national and economic security, the FBI is committed to working with the private sector when the attack involves stolen patient data (HIPAA breach), there are indicators of criminal or nation-state involvement, or the organization needs forensic support or legal
immunity for certain disclosures. Organizations may choose to collaborate by pre-establishing contact, developing communication protocols for breach disclosure that preserve evidence, and sharing indicators of compromise (IOCs) or industry threat-sharing platforms.
While exploring opportunities for collaboration between the private sector and law enforcement is important, it is equally crucial to acknowledge the risks that may deter healthcare organizations from seeking such assistance. Premature disclosure can harm patient trust or invite litigation, law enforcement actions may involve seizure of infrastructure or data during investigations, cooperation might impede internal response efforts, or restrict control over communications.
The very nature of cybercrimes makes them very difficult to track or detect. On one hand, healthcare organizations may hesitate to report cybercrimes to safeguard their reputation. On the other hand, inconsistencies in how federal enforcement agencies define cybercrime, coupled with the absence of a centralized repository for cybercrime data, complicate information sharing and coordination efforts.
Given that this fragmentation impedes a comprehensive understanding of the scope and nature of these crimes, how can we effectively secure what we don’t fully comprehend?