7 biggest healthcare security threats

Cloud vulnerabilities and misconfigurations: Many healthcare organizations have adopted cloud services as part of broader digital transformation initiatives. As a result, patient health information (PHI) and other sensitive data is increasingly being hosted in vendor cloud environments.

The trend has broadened the attack surface at healthcare organizations, says Anthony James, vice president of products at Infoblox, especially as healthcare organizations often use multiple cloud vendors and services with differing security standards and practices, making it hard to apply consistent data protection policies.

Sixty-one percent of healthcare companies said they experienced a cloud cyberattack in the past 12 months in a February 2024 report by healthcare software developer KMS Healthcare.

In March 2026, US healthcare software vendor CareCloud’s EHR environment suffered a breach, disrupting access for 45,000 providers.

Attacks aren’t the only cyber risks healthcare organizations face with rising cloud use. Misconfigurations play a role as well.

In April 2025, US health insurer Blue Shield of California found that it had exposed member data, including protected health information, to Google’s advertising platform for three years up until January 2024 because of a flawed Google Analytics setup on some of its web pages.

Web application attacks: Web application attacks targeting healthcare entities have also spiked sharply in recent years, with cross-site scripting attacks among the most common, along with SQL injection, protocol manipulation attacks, and remote code execution/remote file inclusion attacks.

“Technically speaking, web application attacks can be incredibly challenging for under-resourced healthcare organizations to manage,” Varonis’ Ray says. To address the issue, healthcare organizations must implement controls that enable better visibility into third-party applications and API connections. Only then will the security team be able to understand who is trying to access critical data and whether that activity should be permitted.

Bad-bot traffic: Traffic from bad bots, such as those attempting to scrape data, send spam, or download unwanted software, presents another major challenge for healthcare organizations. The problem became especially pressing during the pandemic when governments around the world set up new websites and other digital infrastructure to support COVID vaccine registrations and appointments.

“Increased levels of traffic result in downtime and disruption for legitimate human users who are trying to access critical services on their healthcare providers’ site,” Ray says. “It might also result in increased infrastructure costs for the organization as it tries to sustain uptime from the persistent, burdensome level of elevated traffic.”

The latest 2025 edition of Imperva’s Bad Bot report estimates malign bots account for nearly a third (37%) of internet traffic, up from 32% in the year prior. Imperva warned that AI is “supercharging the bot threat” alongside a shift in advanced bot traffic toward targeting APIs rather than applications, reflecting how API endpoints often handle sensitive or high-value data.

“Financial services, business, telecom, and healthcare are among the most targeted industries for bot attacks on APIs, accounting for over 75% of all API attacks,” Imperva reports.

Bad bots can lead to healthcare data breaches, for example through credential stuffing attacks against patient accounts, and scraping of sensitive health information.

Cybercriminals target confidential health information, such as patient records, medical history, and insurance details, because this stolen data can be sold on the dark web for profit or used for fraudulent activities, Imperva warns.

Increased phishing volumes: Phishing attacks pose a major threat to the healthcare industry, as they do in almost every sector. Again, the pandemic provided a unique backdrop for a rise in phishing volumes against healthcare organizations. A survey of 168 healthcare cybersecurity professionals conducted by the Healthcare Information and Management Systems Society (HIMSS) at the time found that phishing was the typical initial point of compromise for most security incidents.

“Phishing attacks are the top type of significant security incident reported by respondents,” HIMSS noted in its report. “Phishers were the top type of threat actor responsible for significant security incidents at healthcare organizations.”

But phishing has long been an issue for healthcare. Stats compiled by the US Department of Health and Human Services (HHS) record that 18% of 4,419 reported breaches of PHI between 2009 and 2021 involved either phishing attacks or the hacking of email accounts, according to the HIPAA Journal.

Phishing was the initial vector in high-profile attacks against healthcare organizations Anthem (2015) and Magellan Health (2020), among others.

A study by UK medical journal BMJ found that around 3% of emails sent to hospital staff over a one-month period were suspected threats.

While many staff appear to be aware of phishing and respond appropriately, ongoing education is required, particularly about the risk of leaking information of potential use to attackers through social media, the BMJ advised.

Smart devices: Wearable and implantable smart medical devices are a proven cybersecurity risk. These technologies certainly offer better analysis, assisting diagnosis of medical conditions while aiding independent living, but mistakes made in securing such medtech have exposed vulnerable users to potential attack.

A seminal moment was the late Barnaby Jack’s hacking of an insulin pump in 2011. This attack over Bluetooth had a maximum range of approximately 300 meters.

Since then, security researchers at Pen Test Partners have found “closed loop” insulin trial data on the public internet.

“In one case, we could have modified the readings taken by the body-worn continuous glucose monitor and automatically, remotely administered a fatal dose of insulin to around 3,000 users in the trial,” Ken Munro, managing director of Pen Test Partners, tells CSO. “Fortunately, the vendor involved responded very quickly to our report and had the system secured the same day.”

Munro adds: “Other connected medtech devices Pen Test Partners have found security issues with include cranial stimulators, dosing pumps, and medical robots, among many others. Fortunately, the smart devices threat has been recognized and regulators are starting to take action.”

For example, the US Food & Drug Administration (FDA) introduced FD&C 524b in 2023 to drive cybersecurity in connected medical devices.

Generative AI: As healthcare staff adopt generative AI, the risk of leaking sensitive information through prompts and documents has grown.

Regulated data, such as patient records and medical information, is especially at risk, accounting for 89% of all data policy violations occurring in the context of gen AI usage, significantly higher than the cross-industry average of 31%, according to a 2026 study by Netskope.

Moreover, the Netskope report shows that healthcare organizations’ deployment and usage of internal AI tools, which require bespoke security guardrails, is accelerating. The proportion of healthcare workers using gen AI applications managed by their organization jumped from 18% to 67% in 2025, significantly ahead of cross-industry averages (26% to 62%), according to the study.

The need for bespoke security controls for AI systems is illustrated by research from Mindgard showing that the clinical AI tool Doctronic could be compromised to spread conspiracy theories or even manipulate prescription guidance.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/564832/biggest-healthcare-security-threats.html
