
New Darktrace research revealed that differences in healthcare operating models across the U.S., the U.K., and Brazil significantly influence how threat actors target and exploit the sector. While global trends such as ransomware, business email compromise, and poor cyber hygiene remain common across borders, the tactics and consequences vary depending on systemic and financial structures within each country.
The Cambridge, U.K.-based company explained that its research was driven by the recognition that while healthcare is a critical pillar of society, it has historically been more vulnerable to cyberattacks than other sectors. The 2017 WannaCry ransomware attack marked a major turning point, prompting significant global investment to strengthen security across the sector.
As digital transformation accelerates and healthcare becomes more interconnected, there is a growing need to re-evaluate the threats it faces. With governments and national bodies reviewing cybersecurity policies that will shape requirements for healthcare systems and their supply chains, it is essential to understand the role that emerging technologies such as artificial intelligence and medical IoT play in shaping the current threat landscape.
Darktrace observed that as digital transformation accelerates and technologies like AI and medical IoT become more widespread, the healthcare sector remains dangerously exposed. The report looks at how different healthcare systems, attack techniques, and policy approaches shape regional risk, highlighting how legacy systems and systemic gaps worsen vulnerabilities.
It focused on several key areas, including the main threat actors and attack vectors targeting healthcare systems, the differences in healthcare operating models across the three countries, and how digital transformation and artificial intelligence are reshaping cybersecurity risks. It also gathered insights from key stakeholders in each region and examined how well current policies are addressing these emerging threats, highlighting the broader implications for both businesses and governments.
US healthcare model fuels financial fraud
In the U.S., the profit-driven nature of healthcare delivery and the heavy reliance on complex payment chains make the sector especially vulnerable to financially motivated attacks. Compared to other regions, financial fraud emerged more frequently as a direct consequence of cyberattacks.
Researchers highlighted the ripple effects of the high-profile 2024 Change Healthcare breach, which not only disrupted patient care and billing workflows but also reshaped the ransomware-as-a-service (RaaS) ecosystem. The incident marked a shift toward affiliate-driven operations, making U.S. healthcare organizations increasingly attractive targets.
UK interconnected healthcare environment presents different risks
In the U.K., where the National Health Service (NHS) dominates the landscape as both a healthcare provider and Europe’s largest employer, attackers have focused on data exfiltration. Stolen information includes both patient and employee data, though fraud was not immediately observed following such breaches.
Instead, the U.K.’s interconnected systems and shared access gateways have become key entry points for adversaries. The move toward more integrated care delivery has created broader attack surfaces, with attackers exploiting these connections to gain footholds across multiple entities.
Brazil sees localized ransomware tactics
Brazil’s healthcare sector, while also impacted by ransomware, experienced a distinct pattern. Threat actors have favored smaller providers and specialized clinics, including those offering plastic surgery. Notably, attackers have used public shaming techniques aimed at patients, not just organizations, to apply pressure and extract payments. This adaptation of extortion tactics signals a more tailored approach by ransomware operators who understand the socio-political and economic contours of their targets.
Systemic weaknesses continue to undermine cyber resilience
Across all regions, Darktrace revealed that the most pressing risks were seen as operational and systemic rather than technical. Stakeholders consistently pointed to aging infrastructure and a persistent mindset of ‘keeping the lights on’ as major obstacles to cybersecurity advancement.
Defenders and policymakers should support the healthcare sector to achieve operational excellence by reflecting the critical national infrastructure (CNI) status of healthcare within policy and requiring ‘state-of-the-art’ defenses to build resilience in the sector. Improved collaboration between healthcare providers and their suppliers at the national level is required to reduce systemic risk.
For defenders specifically, continuous monitoring of their network, including network traffic from digital medical assets and medical IoT devices, is important for defending against the attack vectors that attackers employed against the sector in 2024.
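As an added illustration of the kind of monitoring recommended above (example code written for this article, not Darktrace's product logic and not data from the report), the script below learns which destinations each medical device normally talks to during a baseline window and then flags flows in a later window that leave that baseline: a new destination, an external address, or an unusually large outbound transfer. Every device name, address and flow record in it is constructed for the example.

```python
"""Baseline-and-deviation check for medical IoT network flows.

Added example, not Darktrace's code or the report's data. Learns the normal
(destination, port, protocol) set per device from a baseline window, then
reports flows in the monitoring window that fall outside it. All device
names, addresses and flow records are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed internal ranges for a hypothetical hospital network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (device, dst_ip, dst_port, proto, bytes_out).
BASELINE_FLOWS = [
    ("infusion-pump-01", "10.0.5.10", 443, "tcp", 1200),      # device management server
    ("infusion-pump-01", "10.0.5.11", 123, "udp", 90),        # NTP
    ("infusion-pump-01", "10.0.5.10", 443, "tcp", 1300),
    ("ct-scanner-02", "10.0.7.20", 104, "tcp", 5_000_000),    # DICOM transfer to PACS
    ("ct-scanner-02", "10.0.5.11", 123, "udp", 90),
]

MONITOR_FLOWS = [
    ("infusion-pump-01", "10.0.5.10", 443, "tcp", 1250),          # within baseline
    ("infusion-pump-01", "203.0.113.45", 443, "tcp", 8_400_000),  # new external peer, large upload
    ("ct-scanner-02", "10.0.7.20", 104, "tcp", 4_800_000),        # within baseline
    ("ct-scanner-02", "10.0.9.33", 445, "tcp", 20_000),           # new internal SMB peer
]


def is_internal(ip_text):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Map each device to the set of (dst_ip, port, proto) tuples seen in the baseline window."""
    baseline = defaultdict(set)
    for device, dst, port, proto, _ in flows:
        baseline[device].add((dst, port, proto))
    return baseline


def find_deviations(baseline, flows, upload_threshold=5_000_000):
    """Return findings for flows that leave the device's baseline.

    Each finding carries the reasons it was raised; findings with more reasons
    (new destination AND external AND high volume) sort first for triage.
    """
    findings = []
    for device, dst, port, proto, nbytes in flows:
        if (dst, port, proto) in baseline.get(device, set()):
            continue  # previously seen peer/port/protocol for this device
        reasons = ["new destination for this device"]
        if not is_internal(dst):
            reasons.append("destination is outside the internal ranges")
        if nbytes >= upload_threshold:
            reasons.append(f"outbound volume {nbytes} bytes exceeds threshold")
        findings.append({"device": device, "dst": dst, "port": port,
                         "proto": proto, "bytes": nbytes, "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))  # stable: ties keep flow order
    return findings


if __name__ == "__main__":
    for finding in find_deviations(build_baseline(BASELINE_FLOWS), MONITOR_FLOWS):
        print(f"{finding['device']} -> {finding['dst']}:{finding['port']}/{finding['proto']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The baseline window must be long enough to cover legitimate periodic traffic (firmware update servers, vendor support channels) or those will surface as deviations; in practice the learned set is reviewed with the clinical engineering team before alerting is switched on, and the flow tuples would come from a flow collector or firewall log rather than an inline list.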
The report mentioned that actors such as LockBit, RansomHub, Scattered Spider, and ALPHV/BlackCat have frequently been observed claiming double or triple extortion attacks on healthcare organizations. “While several RaaS groups, such as LockBit, claim to avoid targeting healthcare organizations, this has not always been the case, particularly given the separation between affiliates and operators of RaaS tools. Additionally, from the analysis of attacks in 2024, the TTPs observed within healthcare compromises have remained fairly consistent in recent years, demonstrating a ‘tried-and-tested’ approach to the type of attacks facing the sector.”
Phishing, poor hygiene, third parties emerge as sector’s cyber weak spots
The report found that common initial access vectors captured by Darktrace incident data globally in 2024 were email, the exploitation of vulnerabilities in edge infrastructure, and compromise resulting from poor cyber hygiene. A sample of Darktrace / EMAIL metadata over time shows an increase in the proportion of alerts for phishing emails between November and December last year. This coincides with the expected increase in opportunistic attacks during the holiday season, showing that the healthcare industry is also susceptible to the same type of attacks observed at large.
Darktrace found that, despite the considerable geopolitical motivations for attacking healthcare, the main threats against the sector currently still appear to originate from opportunistic or financially motivated actors. In 2024, 75 percent of healthcare compromises in Darktrace incident data were business email or cloud account compromises and network intrusions that did not escalate to ransomware or data exfiltration, possibly because the attackers intended to leverage the outputs of the initial attack for further gain.
Supply chain attacks are also becoming increasingly prominent in the healthcare sector. Many of the most disruptive incidents reported in the media, which affected both the confidentiality of patient data and the availability of care, did not directly target healthcare providers. Instead, attackers focused on third-party suppliers, causing a cascading impact across the broader healthcare ecosystem.
The approach of compromising one organization to affect many is not new. Since the 2020 SolarWinds breach, there has been a steady increase in supply chain attacks across multiple industries, with healthcare standing out as a particularly vulnerable and high-impact target because of its reliance on an extensive network of vendors and service providers. The impactful 2024 attacks on suppliers to healthcare show that attackers are now applying this methodology to the interconnected healthcare supply chain.
In conclusion, Darktrace recognized that the healthcare sector continues to be a target for financially motivated and politically aligned threat actors, who adjust their TTPs to the unique operating models of different healthcare sectors and to changing national interests. It also highlighted that attackers have combined the exploitation of lapses in cyber hygiene with more sophisticated tactics, primarily to infiltrate healthcare IT networks, access sensitive data and disrupt operations.
“The ongoing digital transformation within healthcare has meant that the sector can be targeted through multiple nodes across the supply chain, where the operational risks inherent to this sector produce cascading impacts of cyber attacks to broader areas of the sector,” the report added. “While stakeholders globally are concerned about the impact of AI on the sophistication and speed of threats, wider concerns were expressed about developing a resilient AI strategy for AI adoption in healthcare. It is predicted that AI and efforts to improve cyber hygiene will lead to more sophisticated attack vectors being observed in healthcare.”
Consequently, Darktrace noted that healthcare organizations need to achieve compliance, as well as operational excellence, when it comes to security defenses and practices.
In February, Darktrace’s Threat Research team reported a sharp rise in malware-as-a-service (MaaS) attacks, making up 57 percent of detected threats, a 17 percent rise from early 2024. The company’s annual threat report noted a surge in sophisticated phishing, with such attacks accounting for 38 percent of incidents. Attackers are increasingly using stealthy methods such as exploiting edge device flaws, living-off-the-land (LOTL) techniques, and hijacking business tools like Dropbox and SharePoint.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.