ISA NATIONAL DEFENSE CYBER THREAT REPORT: HEALTHCARE

Government’s Motto for Cybersecurity needs to be Do No Harm

Healthcare was one of the very first industries regulated for cybersecurity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and remains one of the least cybersecure. Academic reviews of cybersecurity policy have identified 49 separate regulations, standards, and guidelines applicable to healthcare cybersecurity alone (2). These include multiple requirements from HIPAA, the HITECH Act, FDA medical device rules, CMS reimbursement standards, and NIST frameworks—all intended to safeguard patient data and system integrity.

Despite this heavy regulatory environment—or perhaps in part because of it—the healthcare industry is among the least secure of all sectors. In 2023, a study found that 93% of healthcare organizations reported at least one cyberattack, and 75% experienced operational disruptions affecting patient care (6). The average cost of a cyber breach in healthcare is the highest across all industries (7). In 2024 alone, there were 14 U.S. healthcare data breaches involving more than 1 million records each, collectively affecting more than 238 million Americans (8).

To its credit, the healthcare industry is trying vigorously to “heal thyself.” In recent years, we have seen unprecedented coordination among hospital systems, insurers, federal agencies, and medical device manufacturers. These efforts have included nationwide cyber-readiness drills, rapid-response information-sharing briefings, and the accelerated deployment of advanced threat-detection systems across clinical networks (11)(12). Yet even with these expanded defenses, no hospital group, vendor consortium, or private-sector alliance can withstand a sustained campaign from a nation-state actor. As cybersecurity officials have repeatedly warned, adversaries targeting healthcare will “do anything and everything at any price” to compromise U.S. critical infrastructure (1).

The Regulatory Paradox: Heavily Regulated, Yet Deeply Insecure Infrastructure 

The healthcare sector exemplifies the “governance gap”—a condition in which regulatory frameworks multiply, but organizational capacity, staffing, and budgets stagnate (3). Empirical data reinforce this systemic failure. Healthcare’s average time to identify and contain a breach is nearly 10 months, far longer than most industries (4). Furthermore, 45% of healthcare organizations cite staffing shortages as their primary barrier to cyber resilience (5). These conditions create a strategic vulnerability that adversaries can exploit without firing a shot.

The sheer number of cyber regulations in this one sector, when combined with the lack of adequately trained staff, the complexity and speed of the attackers, and the fact that none of the regulations have ever been tested to assess their effectiveness in terms of enhancing security, ironically makes the regulatory model itself a significant part of the problem.

Even in a community of industry victims, healthcare, with its extremely convoluted regulatory model, is among the very worst. In a comprehensive post-COVID study of critical industries and cybersecurity, ESI ThoughtLab found that healthcare ranked 11th out of 13 crucial sectors in terms of average loss relative to revenue. Healthcare also ranked 11th out of 13 in understanding cyber risk and using state-of-the-art quantitative methods to assess it. Healthcare ranked 13th out of 13 in plans to increase cybersecurity spending. Fewer than half had disaster-recovery plans or conducted regular cyber risk assessments (9).

These figures illustrate a profound regulatory paradox: compliance has not translated into security.

 

Rethinking National Defense in the Digital Age

In the 21st century, the concept of national defense must expand beyond the traditional military model. Nation-state actors increasingly target healthcare for espionage and coercion. Patient data, genomic research, and pharmaceutical supply intelligence offer strategic and economic leverage (1).

Modern adversaries understand that the ability to destabilize a nation no longer depends solely on weapons or armies—it depends on disrupting the infrastructures that sustain societal resilience. Among these, none is more essential than the healthcare and public health (CHPH) sector. Cybersecurity failures in this domain do not merely endanger patients; they threaten the nation’s operational readiness. A cyberattack that disables hospital systems, disrupts claims processing, or manipulates medical devices can quickly escalate from a healthcare crisis to a national emergency.

Cyber threats to healthcare are not merely IT failures; they are attacks on national readiness, stability, and trust. The implications for defense are significant. Cyber compromises in healthcare can undermine national security in multiple ways:

  1. Force Readiness and Military Support

The military and its dependents rely heavily on civilian healthcare networks. Cyber disruptions affecting claims, pharmacy networks, or electronic medical records can delay care, degrade readiness, and place strain on military medical facilities (2).

  2. Civil–Military Surge Capacity

During national crises—pandemics, natural disasters, or mass-casualty events—civilian healthcare systems function as surge capacity for defense and homeland security. Cyber incidents that disable hospital networks or supply chains compromise the nation’s ability to mobilize effectively (1).

  3. Public Health Intelligence

Cyber intrusions into surveillance systems can obscure disease tracking, vaccine distribution, or biohazard containment, undermining situational awareness critical to homeland defense (7).

  4. Supply Chain Vulnerability

Healthcare’s dependence on third-party vendors and interconnected systems makes it particularly susceptible to cascading failures. A single compromise can ripple through the national healthcare infrastructure (10).

 

Conclusion

Cybersecurity of the healthcare infrastructure is not just a medical issue—it is a national defense issue. Cyberattacks on CHPH infrastructure degrade readiness, threaten civilian resilience, and expose the United States to coercive leverage by nation-states. Despite being one of the most regulated industries in America, healthcare remains among the least secure. That paradox—heavy regulation combined with systemic vulnerability—demonstrates that compliance alone is not a defense.

National security today depends not only on ships, aircraft, and missiles but also on resilient hospitals, secure healthcare networks, and trustworthy public health systems. As nation-state threat actors increasingly target these systems, the CHPH sector must be viewed and protected as an essential element of U.S. defense infrastructure.

 

 

Endnotes

  1. ENISA. (2023). Health sector threat landscape 2023.
  2. Carello, M. P., Marchetti Spaccamela, A., Querzoni, L., & Angelini, M. (2023). A systematization of cybersecurity regulations, standards, and guidelines for the healthcare sector [Preprint]. arXiv.
  3. Clinton, L., & Hauser, J. (2024). Fixing cybersecurity: How to stop the madness. Internet Security Alliance.
  4. IBM Security. (2023). Cost of a data breach report 2023.
  5. Rubrik. (2025). Healthcare cybersecurity challenges and threats 2025.
  6. Proofpoint & Ponemon Institute. (2023). Healthcare cybersecurity report.
  7. Oliver Wyman. (2023). The seriousness of cyberattacks in healthcare cannot be ignored.
  8. HIPAA Journal. (2025). Healthcare data breach statistics.
  9. ESI ThoughtLab. (2022). Driving Cybersecurity Performance: Post-COVID Sector Analysis.
  10. Politico. (2025, November). CISO warns of nation-state threat actors targeting critical infrastructure.
  11. U.S. Department of Health and Human Services (HHS). (2024). Health Sector Cybersecurity Preparedness and Response Report.
  12. Health Information Sharing and Analysis Center (H-ISAC). (2023). Annual Threat Intelligence & Sector Readiness Briefing.