Government’s Motto for Cybersecurity Must Be “Do No Harm”
Healthcare was one of the very first industries regulated for cybersecurity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), yet it remains one of the least cybersecure. Academic reviews of cybersecurity policy have identified 49 separate regulations, standards, and guidelines applicable to healthcare cybersecurity alone (2). These include multiple requirements from HIPAA, the HITECH Act, FDA medical device rules, CMS reimbursement standards, and NIST frameworks—all intended to safeguard patient data and system integrity.
Despite this heavy regulatory environment—or perhaps in part because of it—the healthcare industry is among the least secure of all sectors. In 2023, a study found that 93% of healthcare organizations reported at least one cyberattack, and 75% experienced operational disruptions affecting patient care (6). The average cost of a cyber breach in healthcare is the highest across all industries (7). In 2024 alone, there were 14 U.S. healthcare data breaches involving more than one million records each, collectively affecting more than 238 million Americans (8). Rep. Jason Crow (D-CO) has warned, “Cyber attackers are targeting Americans’ medical data and must be stopped” (13).
Bennie G. Thompson, Ranking Member of the House Homeland Security Committee, has warned that “Destruction can be delivered with a keystroke” (14). The implications for healthcare are immediate and severe: cyber intrusions no longer merely steal data—they disrupt care, disable systems, and place lives at risk.
To its credit, the healthcare industry is trying vigorously to “heal thyself.” In recent years, there has been unprecedented coordination among hospital systems, insurers, federal agencies, and medical device manufacturers. These efforts have included nationwide cyber-readiness drills, rapid-response information-sharing briefings, and the accelerated deployment of advanced threat-detection systems across clinical networks (11)(12). Yet even with these expanded defenses, no hospital group, vendor consortium, or private-sector alliance can withstand a sustained campaign from a nation-state actor. As cybersecurity officials have repeatedly warned, adversaries targeting healthcare will “do anything and everything at any price” to compromise U.S. critical infrastructure (1).
The Regulatory Paradox: Heavily Regulated, Yet Deeply Insecure Infrastructure
The healthcare sector exemplifies the “governance gap”—a condition in which regulatory frameworks multiply while organizational capacity, staffing, and budgets stagnate (3). Empirical data reinforce this systemic failure. Healthcare’s average time to identify and contain a breach is nearly ten months, far longer than in most industries (4). Furthermore, 45% of healthcare organizations cite staffing shortages as their primary barrier to cyber resilience (5). These conditions create a strategic vulnerability that adversaries can exploit without firing a shot.
This regulatory fragmentation has not gone unnoticed at the federal level. Objective 1.1 in the Biden Administration’s National Cybersecurity Strategy was to “establish an initiative on cybersecurity regulatory harmonization.” The inclusion of this objective reflects a growing recognition that overlapping, uncoordinated mandates can undermine security rather than strengthen it, particularly in sectors as complex and resource-constrained as healthcare.
The sheer number of cyber regulations in this single sector—when combined with a lack of adequately trained staff, the speed and sophistication of attackers, and the fact that none of these regulations has ever been systematically tested for effectiveness—ironically makes the regulatory model itself a significant part of the problem.
Even among heavily victimized industries, healthcare—with its extremely convoluted regulatory structure—is among the worst performers. In a comprehensive post-COVID study of critical industries and cybersecurity, ESI ThoughtLab found that healthcare ranked 11th out of 13 sectors in average loss relative to revenue. Healthcare also ranked 11th out of 13 in understanding cyber risk and using state-of-the-art quantitative methods to assess it. Most strikingly, healthcare ranked 13th out of 13 in plans to increase cybersecurity spending. Fewer than half of healthcare organizations had disaster recovery plans or conducted regular cyber risk assessments (9).
These figures illustrate a profound regulatory paradox: compliance has not translated into security.
Rethinking National Defense in the Digital Age
In the 21st century, the concept of national defense must expand beyond the traditional military model. Nation-state actors increasingly target healthcare for espionage and coercion. Patient data, genomic research, and pharmaceutical supply intelligence offer strategic and economic leverage (1).
Modern adversaries understand that destabilizing a nation no longer depends solely on weapons or armies—it depends on disrupting the infrastructures that sustain societal resilience. Among these, none is more essential than the healthcare and public health (CHPH) sector. As the Ranking Member of the House Energy and Commerce Committee, Frank Pallone, has warned, “As with all connected technologies, strong cybersecurity is essential. One weak point can compromise an entire system and put lives at risk” (15). Cybersecurity failures in this domain do not merely endanger patients; they threaten the nation’s operational readiness. A cyberattack that disables hospital systems, disrupts claims processing, or manipulates medical devices can rapidly escalate from a healthcare crisis into a national emergency.
Cyber threats to healthcare are not merely IT failures—they are attacks on national readiness, stability, and trust. The implications for defense are significant. Cyber compromises in healthcare can undermine national security in multiple ways:
- Force Readiness and Military Support: The military and its dependents rely heavily on civilian healthcare networks. Cyber disruptions affecting claims processing, pharmacy networks, or electronic medical records can delay care, degrade readiness, and strain military medical facilities (2).
- Civil–Military Surge Capacity: During national crises—pandemics, natural disasters, or mass-casualty events—civilian healthcare systems function as surge capacity for defense and homeland security. Cyber incidents that disable hospital networks or supply chains compromise the nation’s ability to mobilize effectively (1).
- Public Health Intelligence: Cyber intrusions into surveillance systems can obscure disease tracking, vaccine distribution, or biohazard containment, undermining the situational awareness critical to homeland defense (7).
- Supply Chain Vulnerability: Healthcare’s dependence on third-party vendors and interconnected systems makes it particularly susceptible to cascading failures. A single compromise can ripple through the national healthcare infrastructure (10).
Conclusion
Cybersecurity of the healthcare infrastructure is not merely a medical issue—it is a national defense issue. Cyberattacks on CHPH infrastructure degrade readiness, threaten civilian resilience, and expose the United States to coercive leverage by nation-state actors. Despite being one of the most heavily regulated industries in America, healthcare remains among the least secure. That paradox—heavy regulation combined with systemic vulnerability—demonstrates that compliance alone is not a defense.
National security today depends not only on ships, aircraft, and missiles, but also on resilient hospitals, secure healthcare networks, and trustworthy public health systems. As nation-state threat actors increasingly target these systems, the CHPH sector must be viewed—and protected—as an essential element of U.S. defense infrastructure.
Endnotes
1. ENISA. (2023). Health sector threat landscape 2023.
2. Carello, M. P., Marchetti Spaccamela, A., Querzoni, L., & Angelini, M. (2023). A systematization of cybersecurity regulations, standards, and guidelines for the healthcare sector [Preprint]. arXiv.
3. Clinton, L., & Hauser, J. (2024). Fixing cybersecurity: How to stop the madness. Internet Security Alliance.
4. IBM Security. (2023). Cost of a data breach report 2023.
5. Rubrik. (2025). Healthcare cybersecurity challenges and threats 2025.
6. Proofpoint & Ponemon Institute. (2023). Healthcare cybersecurity report.
7. Oliver Wyman. (2023). The seriousness of cyberattacks in healthcare cannot be ignored.
8. HIPAA Journal. (2025). Healthcare data breach statistics.
9. ESI ThoughtLab. (2022). Driving cybersecurity performance: Post-COVID sector analysis.
10. Politico. (2025, November). CISO warns of nation-state threat actors targeting critical infrastructure.
11. U.S. Department of Health and Human Services (HHS). (2024). Health sector cybersecurity preparedness and response report.
12. Health Information Sharing and Analysis Center (H-ISAC). (2023). Annual threat intelligence & sector readiness briefing.
13. Bracken, M. (2024, August 29). Senate bill to protect health care data gets House partner. CyberScoop.
14. Thompson, B. G. (2013, April 24). Striking the right balance: Protecting our nation’s critical infrastructure from cyber attack and ensuring privacy and civil liberties [Prepared remarks]. Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee hearing, U.S. House Committee on Homeland Security.
15. House Committee on Energy and Commerce, Democrats. Pallone opening remarks at oversight hearing on protecting critical infrastructure [Press release].