Healthcare breaches reach new cost highs as adversaries exploit expanding clinical attack surfaces, Trellix reports
Publish Date: 2026-01-30 04:32:00
Source Domain: industrialcyber.co
New analysis from Trellix underscores how cybersecurity has become a boardroom issue for healthcare organizations as digital transformation reshapes clinical environments and expands cyber risk. In its 2025 Healthcare Cybersecurity Threat Intelligence Report, Trellix warns that cloud adoption, remote access, and AI-driven workflows have dramatically widened the healthcare attack surface, turning cyber incidents from isolated IT disruptions into direct patient safety threats. The report argues that systems once designed for reliability in closed environments now face exposure to adversaries capable of exploiting vulnerabilities at scale, making cybersecurity oversight a C-suite imperative rather than a technical afterthought.
“In 2025 alone, Trellix recorded 54.7 million detections across our global healthcare customer base. These are not theoretical risks; they are daily attempts to breach clinical environments,” John Fokker, vice president for threat intelligence strategy at Trellix, wrote in a company blog post this week. “Alarmingly, 75 percent of all detections originated in the United States, underscoring the extent to which U.S. healthcare infrastructure is being targeted. Email was the dominant vector, accounting for 85 percent of detections.”
He noted that healthcare also marked its fifteenth consecutive year as the most expensive industry for data breaches. “In the United States, the average cost of a healthcare breach climbed to 10.22 million dollars per incident, up 9.2 percent year over year.”
The report flagged that the defining trend of 2025 was the ‘Cascading Effect,’ where a breach of administrative networks or non-clinical OT (operational technology) systems, such as a building’s HVAC, could paralyze an entire health system’s clinical workflow. “These disruptions were not merely financial; they were lethal. Research confirmed that hospitals affected by cyberattacks, including cloud/account compromises, supply chain attacks, ransomware attacks, and business email compromise (BEC) incidents, saw a 29% increase in mortality rates for inpatients, and neighboring hospitals experienced an 81% surge in cardiac arrest cases due to emergency diversions.”
Fokker mentioned that 2025 saw a chilling, but increasingly common, evolution in cybercrime: patient extortion. “Ransomware groups no longer stop at encrypting servers. They steal medical records and then text patients directly demanding privacy fees to prevent exposure of diagnoses, HIV test results, or treatment histories. Qilin alone exfiltrated 852 gigabytes of patient data from Covenant Health in one incident. The underground economy now values a single electronic health record at $60, nearly 20 times the value of a stolen credit card. This explains why attackers are shifting from traditional ransomware to exfiltration-only campaigns, which tripled in frequency in 2025.”
He identified that the healthcare attack surface is a web of internet-connected infusion pumps, imaging systems running legacy operating systems, patient monitors transmitting data in plain text, and building management systems with known exploited vulnerabilities. “Research found that 99% of hospitals manage at least one device with a known exploited vulnerability, and 60% of medical devices are end-of-life and unpatchable. This creates ideal conditions for attackers to move from HVAC to imaging systems to EHR databases silently, efficiently, and at scale.”
The report detailed that the healthcare attack surface in 2025 extends far beyond traditional endpoints, such as laptops and servers, and now encompasses a complex web of IoMT (Internet of Medical Things) and OT systems. As a result, 99% of hospitals are managing at least one device with a known exploited vulnerability.
Medical devices continue to carry a higher density of security flaws than standard enterprise hardware, averaging 6.2 software bugs per device. Medical imaging systems remain a particularly attractive target because they often rely on outdated operating systems. Research shows that 32% of DICOM and PACS workstations contained at least one critical unpatched vulnerability, while 20% of imaging systems carried known exploited vulnerabilities actively used by major ransomware groups.
Patient monitors and vital sign controllers further illustrate the exposure across IoMT and OT environments. These devices frequently lack basic security protections and can serve as entry points into broader clinical networks. A notable 2025 disclosure involving the Contec Health CMS8000 found that the device transmitted patient data in plaintext to a hard-coded public IP address by default, effectively creating a backdoor for data leakage.
Large-scale analysis of 200,000 infusion pumps in 2025 found that 75% had one or more known security gaps. More than half were vulnerable to critical CVEs from 2019 embedded in device firmware, and many continued to operate on legacy firmware with hard-coded or default passwords, making them attractive targets for lateral movement within healthcare networks.
Trellix reported that adversaries in 2025 moved beyond simple encryption to ‘triple extortion’: data theft, service disruption, and individual patient harassment. The Ransomware-as-a-Service (RaaS) ecosystem underwent a violent reorganization following the high-profile fallout of the Change Healthcare breach, leading to more aggressive, affiliate-centric models.
The report disclosed that the financial toll of 2025 was not merely the result of record-breaking ransoms but the massive, unpredictable cost of systemic operational failure. For healthcare systems, the phrase ‘time is money’ has taken on a literal and devastating meaning. Industry benchmarks from Comparitech and Censinet show that the cost of downtime ranges between $7,500 and $9,000 per minute, adding up to an average of $1.9 million per day in lost revenue and recovery expenses.
The duration of disruption has become a crisis in its own right. In 2025, the average healthcare organization experienced more than 17 days of downtime per cyberattack, with some major systems suffering partial outages for months. Over 75% of organizations reported that full recovery from a major attack took longer than 100 days.
The scale of adversarial activity in 2025 remained elevated, according to Trellix telemetry and targeted campaign tracking, underscoring a persistent, high-volume threat environment tailored to the healthcare sector’s unique vulnerabilities.
Data from the 2025 Trellix Healthcare Cybersecurity Threat Intelligence Report shows that the average cost of a healthcare data breach in the United States reached $10.22 million, an increase of 9.2% from 2024. Downtime continues to drive a significant share of this impact, with modern hospital operations losing approximately $9,000 per minute during a full system outage. Detection and escalation costs alone averaged $1.47 million per incident, reflecting the growing challenge of identifying low-profile attackers operating within complex clinical networks.
Globally, Trellix recorded 54.7 million detections across healthcare customer organizations in 2025, with email remaining the dominant attack vector. Trellix Email Security accounted for 85% of all detections. Activity was heavily concentrated in the U.S., which represented 75.14% of all healthcare-related detections during the year.
Trellix reported that end-of-life devices continue to dominate hospital environments, with 60% of medical devices operating without security patches. A major security weakness across many healthcare organizations is their reliance on legacy equipment that was designed without modern security considerations.
This challenge is compounded by the fact that one in five connected medical devices runs on an unsupported or end-of-life operating system. Even when patches are eventually applied, healthcare devices often remain exposed for extended periods, with an average vulnerability dwell time of 3.2 years.
The report mentioned that converged risk across OT environments remains a serious concern. In 2025, Claroty assessed that 65% of OT systems, including building management systems, uninterruptible power supplies, and elevators, contained known exploited vulnerabilities and were connected to the internet.
OT systems that control HVAC, elevators, backup power, and pneumatic tube networks create thousands of potential entry points for attackers. Adversaries commonly exploit unpatched HVAC or electrical controllers to gain an initial foothold and then move laterally into DICOM imaging networks, effectively crippling radiology departments and forcing ambulance diversions. This OT-based pivot often bypasses traditional IT security controls because these systems rarely support endpoint detection and response agents.
Even in environments described as air-gapped, OT systems remain at risk. Patching and updates are frequently performed via USB media, and a 2024 study found that 51% of malware discovered on USB drives was designed to compromise industrial and operational equipment.
In conclusion, the Trellix report noted that healthcare security leaders face a highly professionalized threat landscape in 2026 that demands a shift from episodic controls to a unified, risk-based security strategy. Central to this transition is the use of healthcare-specific threat intelligence to move from reactive defense to proactive risk prediction, allowing organizations to identify and prioritize threats most likely to target their environments. Given that email remains the dominant attack vector and phishing drives the majority of initial access, layered email security, phishing-resistant MFA, and rapid inspection of links and attachments are critical.
Organizations must also address cascading risk by segmenting corporate IT, clinical IT, IoMT, and OT environments and pairing segmentation with network detection to prevent lateral movement into clinical systems. Identity has emerged as a primary security perimeter, requiring stronger governance, least-privilege access, and monitoring for quiet, identity-driven compromise. Endpoint detection and response remains essential to disrupt credential theft and living-off-the-land techniques, particularly on systems that bridge administrative and clinical environments.
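The two network patterns the report keeps returning to, a medical device phoning home to a hard-coded public address (the CMS8000 disclosure above) and a building-system controller pivoting into the imaging network, both show up in ordinary flow records once the network is mapped into zones. The script below is an added illustration written for this article; it is not Trellix, Contec or any vendor's code, and the zone subnets, allow-list and flow records are constructed stand-ins rather than data from the report.

```python
"""Zone-aware review of hospital network flows.

Added illustration for this article; not Trellix, Contec or any vendor's code.
The zone map, subnets, allow-list and flow records are constructed examples.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone map; a real one would come from IPAM / NAC inventory.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "clinical_it":  ipaddress.ip_network("10.20.0.0/16"),  # EHR, DICOM/PACS
    "iomt":         ipaddress.ip_network("10.30.0.0/16"),  # monitors, pumps
    "ot":           ipaddress.ip_network("10.40.0.0/16"),  # HVAC, UPS, elevators
}

# Zone-to-zone paths the segmentation policy permits. Anything else crossing a
# boundary is reported. IoMT and OT devices initiate nothing outside their zone.
ALLOWED_CROSS_ZONE = {
    "corporate_it": {"clinical_it"},
    "clinical_it":  {"iomt"},      # PACS/EHR pull from modalities and monitors
    "iomt":         set(),
    "ot":           set(),
}

# Internal address space, checked explicitly rather than via is_global because
# the ipaddress module classifies TEST-NET (203.0.113.0/24), used below as a
# stand-in for a public address, as non-global.
RFC1918_AND_LOCAL = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Ports whose protocols run in the clear unless wrapped in TLS.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 104: "dicom", 2575: "hl7-mllp"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    kind: str      # "iomt_public_egress" or "segmentation_violation"
    flow: Flow
    detail: str


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in RFC1918_AND_LOCAL):
        return "unmapped_internal"
    return "external"


def review_flow(flow: Flow) -> Finding | None:
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    proto = CLEARTEXT_PORTS.get(flow.dport)

    # A device in the IoMT or OT zone initiating a connection to a public
    # address is the CMS8000 pattern; in the clear it is a data-leakage path.
    if src_zone in ("iomt", "ot") and dst_zone == "external":
        how = f"cleartext {proto}" if proto else f"port {flow.dport}"
        return Finding("iomt_public_egress", flow,
                       f"{src_zone} device {flow.src} -> public {flow.dst} ({how})")

    # Internal cross-zone traffic not on the allow-list, e.g. an OT controller
    # reaching the DICOM/PACS subnet, is the HVAC-to-imaging pivot.
    if (src_zone in ZONES and dst_zone in ZONES and dst_zone != src_zone
            and dst_zone not in ALLOWED_CROSS_ZONE[src_zone]):
        return Finding("segmentation_violation", flow,
                       f"{src_zone} {flow.src} -> {dst_zone} {flow.dst} port {flow.dport}")
    return None


def review_flows(flows: list[Flow]) -> list[Finding]:
    return [f for f in (review_flow(fl) for fl in flows) if f is not None]


# Constructed sample flows, not from any real capture.
SAMPLE_FLOWS = [
    Flow("10.20.5.10", "10.30.1.7", 104),     # PACS pulling from a modality: allowed
    Flow("10.30.1.22", "203.0.113.5", 80),    # patient monitor to a public IP, in the clear
    Flow("10.40.3.1", "10.20.5.10", 445),     # HVAC controller reaching a PACS server over SMB
    Flow("10.30.1.22", "10.30.1.23", 2575),   # HL7 between two IoMT devices: same zone
    Flow("10.10.7.40", "10.30.1.7", 22),      # corporate workstation SSH into an IoMT device
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(f"[{finding.kind}] {finding.detail}")
```

Run stand-alone it reports three findings: the monitor's cleartext HTTP egress to the public address, the OT-to-clinical SMB connection, and the corporate-to-IoMT SSH session; the PACS pull and the intra-zone HL7 exchange pass. The allow-list is the segmentation policy expressed as data, so the same logic can be pointed at NetFlow or firewall logs to verify that the segmentation the report recommends actually holds on the wire.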
With most hospitals managing devices affected by known exploited vulnerabilities, remediation efforts should be driven by exploitation likelihood and active healthcare campaigns rather than patch age alone, supported by compensating controls where patching is not possible. Finally, as adversaries increasingly target protected health information through exfiltration and patient extortion, healthcare organizations must strengthen data protection, loss prevention, and SOC-led incident response to reduce downtime, contain operational impact, and preserve patient safety.
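Ordering remediation by exploitation likelihood rather than patch age, with compensating controls counted where a device cannot be patched, can be made concrete as a small scoring queue. The script below is an added example written for this article; it is not Trellix's scoring method or any vendor's tool. The weights, the inventory and the placeholder identifiers of the form CVE-XXXX-A are constructed for illustration (they are not real CVE IDs), standing in for a CISA KEV feed and sector-specific campaign intelligence.

```python
"""Exploitation-driven remediation queue for connected medical devices.

Added example for this article; not Trellix's method or any vendor's tool.
Weights, inventory and the CVE-XXXX-* identifiers are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    cves: frozenset[str]
    end_of_life: bool               # vendor ships no further patches
    internet_reachable: bool
    zone: str                       # "iomt", "ot", "clinical_it", "corporate_it"
    controls: frozenset[str] = frozenset()   # compensating controls already in place
    patch_age_days: int = 0         # days since a fix existed; recorded, not the driver


# Placeholder identifiers standing in for a KEV feed and for CVEs observed in
# campaigns against healthcare. They are not real CVE IDs.
KEV = frozenset({"CVE-XXXX-A", "CVE-XXXX-B"})
HEALTHCARE_CAMPAIGN_CVES = frozenset({"CVE-XXXX-A"})

# Zones whose compromise touches patient care directly.
CLINICAL_ZONES = {"iomt", "clinical_it"}


def score(dev: Device) -> int:
    """Exploitation-likelihood score; higher means remediate sooner."""
    s = 0
    if dev.cves & KEV:
        s += 40                       # known exploited in the wild
    if dev.cves & HEALTHCARE_CAMPAIGN_CVES:
        s += 30                       # seen in campaigns against this sector
    if dev.internet_reachable:
        s += 20                       # reachable without an internal foothold
    if dev.zone in CLINICAL_ZONES:
        s += 10                       # direct patient-safety consequence
    if dev.end_of_life:
        s += 10                       # the vendor will never fix it
    # Compensating controls reduce reachability, not the existence of the flaw,
    # so they only lower the score and never remove the device from the queue.
    if "isolated_vlan" in dev.controls and not dev.internet_reachable:
        s -= 20
    if "nids" in dev.controls:
        s -= 5
    return max(s, 0)


def action(dev: Device) -> str:
    s = score(dev)
    if s >= 60:
        # An unpatchable device with a high score is isolated or replaced,
        # because waiting for a vendor fix is not an option.
        return "compensate_or_replace" if dev.end_of_life else "patch_now"
    if s >= 30:
        return "schedule_patch_window"
    return "monitor"


def remediation_queue(inventory: list[Device]) -> list[tuple[str, int, str]]:
    """Return (device, score, action) rows ordered by score, not by patch age."""
    return sorted(
        ((d.name, score(d), action(d)) for d in inventory),
        key=lambda row: row[1], reverse=True,
    )


# Constructed inventory for the example, not data from the report.
INVENTORY = [
    Device("infusion-pump-07", frozenset({"CVE-XXXX-A"}), True, False, "iomt",
           patch_age_days=2100),
    Device("pacs-ws-03", frozenset({"CVE-XXXX-B"}), False, True, "clinical_it",
           patch_age_days=45),
    Device("monitor-12", frozenset({"CVE-XXXX-A"}), True, False, "iomt",
           controls=frozenset({"isolated_vlan", "nids"}), patch_age_days=2100),
    Device("hvac-ctl-01", frozenset({"CVE-XXXX-B"}), False, True, "ot",
           patch_age_days=900),
    Device("hr-fileserver", frozenset({"CVE-XXXX-D"}), False, False, "corporate_it",
           patch_age_days=1500),
]

if __name__ == "__main__":
    for name, s, act in remediation_queue(INVENTORY):
        print(f"{name:18} score={s:3} -> {act}")
```

The ordering is the point: the PACS workstation whose fix is 45 days old outranks the file server whose missing patch is four years old, because one flaw is on the KEV list and internet-reachable while the other is neither. The two end-of-life infusion devices carry the same vulnerability, but the one already on an isolated VLAN with network detection drops below the unmitigated one, which is how compensating controls earn their place in the queue without pretending the flaw is gone.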
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.