HealthISAC Annual Threat Report 2025

The Health-ISAC 2025 report documents escalating, high-impact cyber threats to the health sector in 2024–2025, highlighting widespread ransomware incidents, supply-chain and third-party risks, nation-state espionage, and growing vulnerabilities in medical devices and IoMT. It calls for stronger information sharing, resilience and risk planning, and faster mitigation of zero-days, credential compromise, and AI-enabled attack techniques. #ChangeHealthcare #BlackBasta

Keypoints

  • Report structure — Introduction: scope, 2024 context, and high-level summary of threats and impacts on the health sector.
  • Report structure — Annual Member Survey Insights: methodology, participant mix (~200 executives and security professionals), and ranked top concerns for 2024 and 2025.
  • Report structure — Key Insights: synthesis of survey results, cross-cutting themes, and high-level takeaways for member organizations.
  • Report structure — Part I (Recent Attacks Against Healthcare): detailed case studies (patient extortion campaigns, major ransomware incidents like Change Healthcare and Ascension), operational impacts, and examples of data misuse and extortion tactics.
  • Report structure — Part II (The Current Threat Landscape): enumeration of active threat actors, supply-chain incidents, notable vulnerabilities and takedown operations, and sector-wide statistics.
  • Report structure — Part III (Tactics, Techniques and Procedures): profiling social engineering, C2 frameworks, common malware families, and observed attacker behaviors such as use of IABs and double extortion.
  • Report structure — Part IV (Future Cybersecurity Outlook) and Call to Action: resilience planning, emerging threats (AI, PQC), and recommended community responses and information sharing actions.
  • Survey headline statistics — participation and priorities: ~200 respondents; 2024 top five threats: Ransomware, Phishing, Compromised Credentials, Third-Party Credentials, Data Breaches; 2025 top five concerns: Ransomware Deployments, Third-Party Breaches, Data Breaches, Supply Chain Attacks, Zero-Day Exploits.
  • Ransomware scale and perpetrators: Health-ISAC tracked 458 ransomware events in 2024; most active groups included LockBit 3.0 (52 events), INC Ransomware (39), RansomHub (36), BianLian (31), and QiLin (23).
  • High-impact incidents and operational effects: Change Healthcare payment-portal outage disrupted millions of patient transactions; Ascension ransomware forced system shutdowns, diverted ambulances, and postponed care across hundreds of facilities.
  • Patient extortion trend: attackers increasingly extort patients directly using stolen PHI and medical images (examples include mammogram and pre-op photo extortion), indicating a rising business model of individualized blackmail.
  • Supply-chain and third-party risk: multiple exploited vendors and tools (notably the Ivanti Connect Secure zero-days CVE-2023-46805 and CVE-2024-21887, and earlier MOVEit exploitation) underscore the cascading risk from vendor compromises and zero-day use.
  • Notable software supply-chain compromises: XZ Utils backdoor (CVE-2024-3049) demonstrated that upstream library compromises can create persistent backdoors affecting Linux systems.
  • Malware and observables: most-shared malware families by IOCs were Agent Tesla (515), Remcos RAT (471), AsyncRAT (222), DarkGate (160), and XWorm (139), showing continued prevalence of commodity RATs and info-stealers.
  • Vulnerability targeting and exposures: highest targeted alerts included RDP (105), Ivanti Connect Secure (57), FortiOS (56), MOVEit Transfer (46), and Check Point (27); CISA issued 11 medical device advisories and research found ~5,100 publicly exposed DICOM servers.
  • Abuse of offensive tooling and C2 frameworks: Brute Ratel and Cobalt Strike remain widely abused for post-exploitation C2; law-enforcement takedowns (Operations Cronos, Endgame, Morpheus, Magnus) disrupted many illicit infrastructures but threat actors persist.
  • Nation-state and espionage threats: campaigns included APT29 using WINELOADER, Chinese groups exploiting Ivanti (UTA0178), and North Korean operators using fake remote IT workers to steal IP and funds.
  • Evolving attack techniques: rise in AI/LLM-assisted reconnaissance and social engineering, increased use of Initial Access Brokers and purchased credentials, telephone-oriented attack delivery (TOAD) and help-desk impersonation, and continued reliance on zero-day and supply-chain exploitation.
  • Geopolitical and physical risk interdependencies: kinetic and hybrid conflicts (Russia/Ukraine, Middle East tensions) raise risk of nation-state activity targeting critical infrastructure and healthcare supply chains; workplace violence and public-health crises add physical and operational risk layers.
  • Medical device lifecycle and remediation challenges: manufacturers cite difficulty integrating security by design, delivering secure updates/patching, and maintaining long-term device security across lifespans; this amplifies risk from exposed DICOM servers and ICS/medical device CVEs.
  • Recurring themes and systemic weaknesses: credential compromise, third-party/supply-chain failures, delayed patching, and fragile trust in shared digital infrastructure repeatedly enable large-scale impact events.
  • Impactful takeaways and recommended priorities: expand information sharing and IoC dissemination, incorporate mission-critical suppliers into risk planning, accelerate patch and asset management, harden remote-access controls and help-desk procedures, and run scenario-based resilience exercises for high-impact outages.
  • Future-facing concerns and mitigation: prioritize supply-chain visibility, plan for AI-enabled threats and PQC transition, adopt proactive threat hunting and segmentation for IoMT and medical devices, and sustain cross-organizational collaboration through Health-ISAC-style communities.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)