Healthcare organizations are facing serious threats from ransomware groups, with nearly nine-in-ten (89%) found to have medical devices that are vulnerable to exploits.
That's according to research from Claroty, which examined the state of security among healthcare organizations — and the diagnosis isn't good.
The report found that effectively all (99%) of healthcare organizations have at least one known, actively exploited vulnerability in their networks, with 78% of operational devices such as power supplies, temperature controls, and building management systems found to have a known exploited vulnerability.
Even imaging systems such as X-rays, CT scanners, MRIs, and ultrasound machines are at risk, with 8% of those examined found to have known flaws. A further 20% of hospital information systems also featured known vulnerabilities.
Beyond those known flaws, Claroty warned that healthcare organizations put themselves at risk of a security incident with insecure connections, using default passwords or hard coded credentials, and leaving data in cleartext.
Researchers advised companies to scope out what critical processes and devices could be impacted, follow a cybersecurity framework that considers the business impact and exploitability of exposures, and rollout mitigations and patches.
"We urge organizations to focus on the exposures that matter most: KEVs, KEVs linked to ransomware, and insecure connectivity," the report said.
Rise in ransomware attacks
The warning to address these known flaws comes amid a string of attacks against healthcare organizations, with analysis showing there had been 884 security incidents in the sector between January 2023 and February 2025.
The attacks have continued, with Sunflower Medical Group recently warning patient data had been accessed in a breach earlier this month.
Two of the biggest attacks in the healthcare space have been pinned on Russian ransomware gangs. Ascension, a private healthcare provider in the US, admitted a breach in May 2024 that caused $1.8 billion in losses following an attack attributed to Russian group Black Basta.
Earlier that year, Change Healthcare is believed to have paid out a $22 million ransom, the report noted, in an attack attributed to Russian group BlackCat.
Hospitals and other healthcare organizations are major targets because they are among the critical infrastructure targets most likely to meet ransom demands, the Claroty report noted.
Indeed, a previous report by Claroty, which surveyed 1,100 cybersecurity leaders globally, found that 78% of organizations in the healthcare sector reported making a ransomware payment above half a million dollars.
Meanwhile, more than a third shelled out more than $1 million.
"Ransomware and other attacks against hospitals are in reality attacks against patients, their safety, and the integrity and availability of care," the report added.
"The threat is real as the hundreds of incidents in the last half-decade bear out — and it’s getting complex. Attackers are targeting not only hospitals, but the supply chain, payment processors, and other third-party organizations in the sector."
MORE FROM ITPRO
- February was the worst month on record for ransomware attacks
- Building ransomware resilience to avoid paying out
- CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
-
NinjaOne expands availability on CrowdStrike MarketplaceNews CrowdStrike Falcon customers now have simplified access to NinjaOne’s automated endpoint management capabilities
-
Implementation and atychiphobia: helping SMEs overcome fearIndustry Insights Fear of failure stalls SME system upgrades, but resellers can calm concerns and build confidence
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
