Dive Brief:
- Rapid digitization and increasing interconnectedness in the healthcare industry are “exposing clinical technology to threats it was never engineered to withstand,” Trellix said in a report published on Tuesday.
- The threat intelligence report, based on 54.7 million detections from Trellix products in healthcare environments in 2025, highlighted email as the top threat vector (85% of all detections) and the U.S. as the biggest target (75% of all detections).
- Trellix’s report also described the evolution of the ransomware ecosystem.
Dive Insight:
The “cascading effect,” in which a disruption of one system causes a chain reaction that paralyzes other systems, represented “the defining trend of 2025” in healthcare cybersecurity, according to Trellix.
“These disruptions were not merely financial; they were lethal,” Trellix said in its report, citing research on mortality rates and other patient harms resulting from cyberattacks that crippled hospital computer systems.
In a blog post about the report, Trellix vice president of threat intelligence strategy John Fokker wrote that “digital transformation, cloud adoption, remote access, and AI-driven workflows … have dramatically expanded the healthcare attack surface.”
As a result, he added, “cyber incidents are no longer an IT disruption. They are a patient safety crisis.”
Multiple ransomware gangs seized on the healthcare sector’s vulnerability in 2025. Qilin “matured into a high-tempo operation” throughout the year, using Linux- and ESXi-based malware to target databases storing electronic health records. Another group, INC Ransom, surged to prominence in 2025, launching 34 attacks on healthcare organizations, nearly 10% of the annual total. Trellix said its data showed that INC Ransom targeted “a regional hospital in North America, a national public health system, and a major hospital in the Southern Hemisphere.”
Other groups also established dangerous reputations, including Sinobi, a new group focusing on biotechnology firms and other specialized healthcare companies, and Devman2, which Trellix described as “notorious for massive data exfiltration.” RansomHub’s affiliate model, meanwhile, helped it conduct some of the most damaging attacks on the sector in 2025.
More and more ransomware gangs are using extortion-only tactics against healthcare firms, Trellix said, a shift that reflects the sector’s unique concerns about the exposure of private data. In 2025, 12% of all attacks on healthcare organizations involved solely extortion, a 300% increase from 2023. “By demanding just $50 to $500 per patient,” Trelix said, “actors bypass corporate insurance and legal teams,” speeding up the process of getting paid.
Trellix’s report also described threat actors’ most effective breach tactics. Phishing remains the primary vector (accounting for initial access in 89% of incidents), but hackers are now making their lures more appealing to IT administrators with themes like “AI Transformation” and “Regulatory Compliance.” For command-and-control infrastructure, hackers use malicious domains with healthcare terms like “HIPAA,” as well as malicious subdomains built into legitimate healthcare websites.
