Veriti: The State of Healthcare Cybersecurity 2025

Veriti’s 2025 report reviews 2024 healthcare cybersecurity, documenting nearly 400 U.S. organizations impacted, widespread ransomware activity (notably LockBit 3.0, ALPHV/BlackCat, BianLian), pervasive misconfigurations, vulnerable medical devices and cloud/IoT exposures that disrupted operations and patient data confidentiality. It calls out dominant CVEs and TTPs (Log4Shell, Fortinet VPN, Zerologon, RDP abuse, Cobalt Strike, double extortion) and urges urgent 2025 priorities: IoT hardening, secure cloud adoption, stronger patching and EDR/visibility.

Key points

  • Typical report structure: Executive Summary (high-level findings and strategic implications); The Attack Landscape (scope, incident counts, threat actor behavior); Diagnosing the Threats (CVE/TTP mapping, attack techniques, group profiles); Breaking Down Exposures (vulnerable assets, misconfigurations, endpoint and OS issues); Severely Vulnerable Medical Devices and Applications (device/app CVEs, exposed DICOM/PACS interfaces); Notable Events (case studies of major breaches and exploitation chains); Veriti’s Predictions and Challenges (forward-looking risks and prioritized mitigations).
  • Scope and scale: Nearly 400 U.S. healthcare organizations reported cyber incidents in 2024; Veriti documented 149 ransomware attacks globally from Jan–Oct 2024, with 52% affecting U.S. entities.
  • Financial impact metrics: Average healthcare breach cost ~$3.5M; average cost per exposed record ~$398; typical ransom averages reported around $7M with observed demands up to $100M.
  • Organizational readiness gaps: 50% lack confidence in detecting/resolving breaches, 42% lack policies to prevent unauthorized access, 51% lack breach-prevention technologies, and 47% lack expertise to resolve breaches effectively.
  • Dominant ransomware actors and behaviors: LockBit 3.0, ALPHV/BlackCat, and BianLian drove much of the activity, using double extortion (encryption + data theft), phishing, RDP/credential abuse, living-off-the-land techniques, and Cobalt Strike for post-access operations.
  • High-risk CVEs and exploitation trends: Frequent exploitation of Log4Shell (CVE-2021-44228), Fortinet SSL VPN (CVE-2018-13379), Zerologon (CVE-2020-1472), Citrix ADC issues, and multiple web/server vulnerabilities used as initial access points; open-source tool vulnerabilities (e.g., DoctorAppointmentSystem SQLi CVEs) were used against smaller providers.
  • Active vulnerability exposure in hospitals: Multiple CVEs affecting large hospital populations (e.g., CVE-2021-1675: 45% of hospitals; CVE-2021-34527: 42%; others in the 20–40% range), indicating wide, persistent unpatched risk.
  • OS and configuration weaknesses: Large counts of hosts with insecure settings—NTLMv2 auth enabled on 1,053 hosts, Windows Defender SmartScreen disabled on 1,032 hosts, MSDT enabled on 947 hosts, and numerous hosts with insecure guest auth or virtualization disabled—creating easily exploitable attack surfaces.
  • Endpoint shortcomings: Widespread absence or misconfiguration of EDR despite installed tools, quarantine-on-write disabled on ~35% of hosts, shadow copy/recovery misconfigurations on ~22%, and other protections (ASLR, SEH) frequently not enforced.
  • Vulnerable medical devices and applications: High-severity flaws in MedDream (CVSS up to 9.8) and high exposure of DICOM/web viewers—OHIF (902 hosts), Orthanc (500), NeoLogica (215), XERO (178), Philips IntelliSite (82), Butterfly Network (14)—amplifying risk to imaging and diagnostic workflows.
  • Notable incidents illustrating systemic gaps: ALPHV/BlackCat’s Change Health breach and exploitation of Mirth Connect (CVE-2023-37679, CVE-2023-43208) show how misconfigurations and unpatched middleware enable large-scale data exfiltration and prolonged operational disruption.
  • Third-party and supply-chain risk: Increasing targeting of third-party providers and suppliers with weaker defenses, producing downstream impacts across healthcare networks and magnifying the effects of single compromises.
  • Nation-state collaboration and geopolitical drivers: Evidence of cooperation or overlap between ransomware groups and nation-state actors, and of cyber operations being used to advance geopolitical objectives that threaten patient safety and national health infrastructure.
  • Emerging vectors: Rapid growth of IoT/connected medical devices, AI-driven workflows, and cloud-based PACS/DICOM systems introduces new attack surfaces—misconfigurations, insecure APIs, and data exfiltration outside hospital-controlled environments.
  • Recurring themes and attack techniques: Phishing for initial access, exploitation of known CVEs, RDP/credential misuse, living-off-the-land, double extortion, and use of tools like Cobalt Strike remain dominant and effective against health networks with weak hygiene.
  • Regulatory and compliance movement: New regulations aimed at enforcing stronger healthcare cybersecurity practices are emerging, increasing pressure on organizations to standardize controls, reporting, and incident response capabilities.
  • Key recommendations and takeaways: Prioritize IoT/device hardening and standardized patch management; enforce endpoint protections (EDR, quarantine, ASLR/SEH); remediate high-impact CVEs across IT/OT; secure cloud/PACS deployments and APIs; improve third-party risk management; and invest in detection, response capability and staff expertise.
  • Strategic posture for 2025: Focus on proactive exposure monitoring (agentless or integrated solutions), continuous vulnerability management, segmentation of medical and imaging systems, robust backup and recovery practices to mitigate double extortion, and governance around AI-data handling to limit privacy and exfiltration risks.
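The host-level exposures in the "OS and configuration weaknesses" and "Endpoint shortcomings" points above (LM/NTLM authentication level, SmartScreen, MSDT scripted diagnostics, Defender real-time and on-access protection, shadow copies, system-wide ASLR/SEHOP) can be checked locally with built-in tooling. The following read-only PowerShell audit is an added example for this summary, not code from the Veriti report; the registry paths, the cmdlets used (Get-MpPreference, Get-ProcessMitigation, Win32_ShadowCopy) and the OK/REVIEW thresholds are assumptions based on documented Windows policy locations and should be aligned to your own baseline. Run it elevated on a Windows 10/11 or Server host.

```powershell
# Added example (not Veriti's code): read-only audit of host settings that the
# summary lists as common healthcare exposures. Registry paths and thresholds
# are assumptions from documented Windows policy locations; adjust to your baseline.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key/value is itself a finding, so return null rather than fail
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, $Observed, [string]$Status, [string]$Note) {
    $findings.Add([pscustomobject]@{ Check = $Check; Observed = $Observed; Status = $Status; Note = $Note })
}

# 1. LAN Manager authentication level (0-5). 5 = send NTLMv2 only, refuse LM and NTLMv1.
$lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
Add-Finding 'LmCompatibilityLevel' $lm $(if ($lm -ge 5) { 'OK' } else { 'REVIEW' }) `
    'Below 5 (or unset) still permits weaker LM/NTLMv1 responses; document any legacy NTLM dependency'

# 2. SmartScreen for Explorer and app reputation. The policy value wins over the user-facing value.
$ssPolicy   = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
$ssExplorer = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
$ssOff = ($ssPolicy -eq 0) -or ($ssExplorer -eq 'Off')
Add-Finding 'SmartScreen' "policy=$ssPolicy explorer=$ssExplorer" $(if ($ssOff) { 'REVIEW' } else { 'OK' }) `
    'Disabled SmartScreen removes reputation checks on downloaded executables'

# 3. Scripted diagnostics (MSDT troubleshooting wizards). Policy value 0 disables them.
$msdt = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics' 'EnableDiagnostics'
Add-Finding 'MSDT scripted diagnostics' $msdt $(if ($msdt -eq 0) { 'OK' } else { 'REVIEW' }) `
    'Unset or 1 leaves the troubleshooting handler available; disable where not needed'

# 4. Defender real-time and on-access protection (quarantine-on-write depends on both being active).
try {
    $mp = Get-MpPreference -ErrorAction Stop
    Add-Finding 'Defender real-time monitoring' (-not $mp.DisableRealtimeMonitoring) `
        $(if ($mp.DisableRealtimeMonitoring) { 'REVIEW' } else { 'OK' }) 'Tampered or disabled RTP is a common EDR blind spot'
    Add-Finding 'Defender on-access protection' (-not $mp.DisableOnAccessProtection) `
        $(if ($mp.DisableOnAccessProtection) { 'REVIEW' } else { 'OK' }) 'On-access scanning is what quarantines files as they are written'
} catch {
    Add-Finding 'Defender preferences' 'unavailable' 'REVIEW' 'Get-MpPreference failed; confirm which AV/EDR is actually active'
}

# 5. Volume shadow copies: ransomware playbooks routinely delete these before encryption.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Add-Finding 'Volume shadow copies' $shadows.Count $(if ($shadows.Count -gt 0) { 'OK' } else { 'REVIEW' }) `
    'Zero copies can be normal on some builds; correlate with the backup/recovery policy'

# 6. System-wide exploit mitigations (ASLR bottom-up randomisation and SEHOP).
try {
    $mit = Get-ProcessMitigation -System -ErrorAction Stop
    foreach ($pair in @(@('ASLR BottomUp', "$($mit.ASLR.BottomUp)"), @('SEHOP', "$($mit.SEHOP.Enable)"))) {
        Add-Finding $pair[0] $pair[1] $(if ($pair[1] -eq 'OFF') { 'REVIEW' } else { 'OK' }) `
            'NOTSET means the OS default applies; OFF means the mitigation has been explicitly disabled'
    }
} catch {
    Add-Finding 'Process mitigations' 'unavailable' 'REVIEW' 'Get-ProcessMitigation not available on this build'
}

$findings | Format-Table -AutoSize
# Keep a per-host record so results can be compared across the fleet over time.
$findings | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-exposure-audit.csv"
```

The script changes nothing; every line is a read, so it is safe to run through an existing RMM or scheduled-task channel and aggregate the CSVs centrally. Treat REVIEW as a prompt to confirm intent against policy rather than as a verdict: a deliberately configured NTLM fallback for a legacy imaging workstation, for example, is a documented exception, while the same setting with no owner is exactly the kind of unmanaged exposure the report counts.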
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
