Healthcare systems are rife with exploits — and ransomware gangs have noticed
Claroty report says nearly all healthcare organizations have devices that have known flaws
Healthcare organizations are facing serious threats from ransomware groups, with nearly nine-in-ten (89%) found to have medical devices that are vulnerable to exploits.
That's according to research from Claroty, which examined the state of security among healthcare organizations — and the diagnosis isn't good.
The report found that effectively all (99%) of healthcare organizations have at least one known, actively exploited vulnerability in their networks, with 78% of operational devices such as power supplies, temperature controls, and building management systems found to have a known exploited vulnerability.
Even imaging systems such as X-rays, CT scanners, MRIs, and ultrasound machines are at risk, with 8% of those examined found to have known flaws. A further 20% of hospital information systems also featured known vulnerabilities.
Beyond those known flaws, Claroty warned that healthcare organizations put themselves at risk of a security incident with insecure connections, using default passwords or hard coded credentials, and leaving data in cleartext.
Researchers advised companies to scope out what critical processes and devices could be impacted, follow a cybersecurity framework that considers the business impact and exploitability of exposures, and rollout mitigations and patches.
"We urge organizations to focus on the exposures that matter most: KEVs, KEVs linked to ransomware, and insecure connectivity," the report said.
Rise in ransomware attacks
The warning to address these known flaws comes amid a string of attacks against healthcare organizations, with analysis showing there had been 884 security incidents in the sector between January 2023 and February 2025.
The attacks have continued, with Sunflower Medical Group recently warning patient data had been accessed in a breach earlier this month.
Two of the biggest attacks in the healthcare space have been pinned on Russian ransomware gangs. Ascension, a private healthcare provider in the US, admitted a breach in May 2024 that caused $1.8 billion in losses following an attack attributed to Russian group Black Basta.
Earlier that year, Change Healthcare is believed to have paid out a $22 million ransom, the report noted, in an attack attributed to Russian group BlackCat.
Hospitals and other healthcare organizations are major targets because they are among the critical infrastructure targets most likely to meet ransom demands, the Claroty report noted.
Indeed, a previous report by Claroty, which surveyed 1,100 cybersecurity leaders globally, found that 78% of organizations in the healthcare sector reported making a ransomware payment above half a million dollars.
Meanwhile, more than a third shelled out more than $1 million.
"Ransomware and other attacks against hospitals are in reality attacks against patients, their safety, and the integrity and availability of care," the report added.
"The threat is real as the hundreds of incidents in the last half-decade bear out — and it’s getting complex. Attackers are targeting not only hospitals, but the supply chain, payment processors, and other third-party organizations in the sector."
MORE FROM ITPRO
- February was the worst month on record for ransomware attacks
- Building ransomware resilience to avoid paying out
- CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
-
The UK is running on fumes as data center build-outs can’t keep pace with demandNews The country's vacancy rate has dropped sharply, with much of the pipeline early-stage and uncertain
-
Developers urged to remain vigilant amid continued Miasma malware risksNews The Miasma malware package uses legitimate OIDC tokens, making it indistinguishable from routine code updates
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recovery
News Few manage to recover all their data, and many experience business disruption
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
