Operational overload in the healthcare system has become an increasingly critical issue, straining resources and impacting patient care. Hospitals and clinics are grappling with high patient volumes, staffing shortages, and administrative burdens that hinder efficiency. This constant pressure not only exhausts medical professionals but also compromises the quality and timeliness of care delivery. Addressing these challenges is essential to ensure sustainability and resilience in healthcare operations.
Key takeaways for CISOs
- EHR systems are high-value targets for credential-based intrusions that can silently compromise sensitive patient data and operations.
- Laboratory information systems (LISs) and diagnostic platforms face growing risks of data manipulation and poisoning, which can distort critical medical results.
- Internet of medical things (IoMT) devices, often deployed with minimal security controls, are being exploited as entry points for lateral movement and botnet activity.
- Medical imaging systems, especially those handling DICOM files, are susceptible to malware injection and exploitation through insecure viewer applications.
- Administrative platforms, including email and scheduling systems, are frequently targeted for business email compromise (BEC), leading to financial and reputational damage.
Devices at risk in healthcare IT ecosystems
The main categories of at-risk devices in healthcare IT ecosystems include: electronic health record (EHR) systems; lab information systems and diagnostic devices; medical-specific Internet of Things (IoT) devices (known as IoMT devices); imaging systems; and administrative systems.
Let's explore each in turn, with a focus on: the types of data that get affected; the methods by which data is affected; a real-world incident that occurred; challenges CISOs may face in preventing such attacks; security policies to mitigate such threats; the role of security information and event management (SIEM) in preventing such attacks; and a related use case.
1. Electronic health record (EHR) systems
EHR systems centralize sensitive patient data to improve care delivery, which also makes them a major target for cyber risks, especially credential theft, one of the most prevalent and destructive attack vectors in the healthcare industry. Credential theft occurs when attackers gain unauthorized access to the login credentials of administrative users or medical professionals. Once inside, they can move laterally through the network, steal confidential information, and even tamper with medical records.
Types of data that get affected
- Personally identifiable information: Names, dates of birth, addresses, contact details.
- Protected health information: Medical history, diagnoses, treatment records, prescriptions.
- Financial information: Insurance details, billing data, and sometimes payment information.
- Operational data: Staff credentials, internal communications, access logs.
Methods by which it is executed
- Phishing attacks targeting healthcare employees.
- Brute-force attacks on weak or reused passwords.
- Insider threats where disgruntled or careless employees expose credentials.
- Malware/keyloggers capturing login details.
- Exploiting remote access vulnerabilities (e.g., poorly secured VPNs, RDP).
Once credentials are compromised, attackers can:
- Access EHR systems undetected.
- Exfiltrate sensitive patient data.
- Launch ransomware or further lateral attacks.
- Manipulate records or disrupt care operations.
Real-world incident that occurred
In May 2021, Scripps Health, a San Diego-based hospital system, suffered a significant ransomware attack that disrupted operations across all five of its hospitals for nearly four weeks. The cyberattack forced staff to revert to paper records, diverted emergency patients to other facilities, and led to the cancellation of appointments and surgeries. Approximately 1.2 million patients had their personal and medical information compromised, including Social Security and driver's license numbers. The incident cost Scripps Health an estimated $113 million in lost revenue and remediation expenses. In response to multiple lawsuits, Scripps agreed to a $3.57 million settlement, offering compensation and identity theft protection to affected individuals.
Challenges CISOs may face in preventing such attacks
- Lack of cybersecurity awareness among healthcare staff.
- Limited budgets and outdated IT infrastructure.
- Poor access control policies due to excessive privileges or lack of multi-factor authentication (MFA).
- Vendor/third-party risks due to integrated systems.
- Monitoring complexity due to hybrid IT environments (on-premises + cloud).
Security policies to mitigate such threats
- MFA: Enforce multi-factor authentication for all EHR access points.
- Zero Trust: Implement Zero Trust architecture to verify every user and device.
- PAM: Maintain privileged access management (PAM) to restrict and monitor admin access.
- Credential hygiene: Practice credential hygiene by implementing policies for password strength and routine password rotation.
- Security awareness training: Conduct security awareness training with education and real-world scenarios like phishing simulations.
- Continuous monitoring: Continuously monitor by tracking unusual access patterns and geolocation anomalies.
- Incident response and recovery: Build incident response and recovery plans tailored to EHR-specific attacks.
Role of SIEM in preventing such attacks
SIEM solutions aggregate and analyze logs from EHR systems, network devices, endpoints, and cloud services in real time. They help to:
- Detect anomalies like unauthorized login attempts or unusual access patterns.
- Trigger alerts for suspicious behavior (e.g., login at odd hours, from unfamiliar IPs).
- Correlate events across systems to identify advanced threats (e.g., lateral movement).
- Automate response, such as disabling compromised accounts or notifying admins.
- Provide forensic data to analyze breaches and improve incident response.
Related use case
A SIEM system detects a sudden surge of failed logins followed by a successful login from a foreign IP, flags it, and automatically disables the user account—preventing EHR system access and alerting the security operations center (SOC) team.
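The use case above is a correlation rule: a burst of failed logins for one account, then a success from an unfamiliar location, followed by an automated response. The following Python block is an added example written for this page, not ManageEngine code or a Log360 rule; it runs the rule over a constructed authentication log in a hypothetical `key=value` format. The home-country set, the failure threshold, the window length and every IP address and user name are assumptions; the response actions are returned as tuples so a caller can wire them to a real identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of EHR authentication events (hypothetical log schema).
SAMPLE_AUTH_LOG = """\
2025-03-04T02:11:05Z user=dr.patel src=203.0.113.45 geo=RU result=FAIL
2025-03-04T02:11:07Z user=dr.patel src=203.0.113.45 geo=RU result=FAIL
2025-03-04T02:11:09Z user=dr.patel src=203.0.113.45 geo=RU result=FAIL
2025-03-04T02:11:12Z user=dr.patel src=203.0.113.45 geo=RU result=FAIL
2025-03-04T02:11:14Z user=dr.patel src=203.0.113.45 geo=RU result=FAIL
2025-03-04T02:11:20Z user=dr.patel src=203.0.113.45 geo=RU result=SUCCESS
2025-03-04T08:30:00Z user=nurse.kim src=10.20.4.17 geo=US result=SUCCESS
2025-03-04T08:31:10Z user=nurse.kim src=10.20.4.17 geo=US result=FAIL
2025-03-04T08:31:15Z user=nurse.kim src=10.20.4.17 geo=US result=SUCCESS
"""

HOME_COUNTRIES = {"US"}          # assumption: the hospital's staff log in from the US only
FAIL_THRESHOLD = 5               # failures inside WINDOW that count as a surge (assumed tuning)
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def detect_credential_attacks(log_text):
    """Return (alerts, actions).

    An alert fires when at least FAIL_THRESHOLD failures for one user within
    WINDOW are followed by a SUCCESS from outside HOME_COUNTRIES.  The matching
    actions disable the account and notify the SOC, mirroring the use case.
    """
    recent_fails = defaultdict(list)      # user -> timestamps of recent failures
    alerts, actions = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        # Slide the window: keep only failures that are still recent.
        recent_fails[user] = [t for t in recent_fails[user] if ev["ts"] - t <= WINDOW]
        if ev["result"] == "FAIL":
            recent_fails[user].append(ev["ts"])
            continue
        # A successful login: judge it against the failure history and the origin.
        surge = len(recent_fails[user]) >= FAIL_THRESHOLD
        foreign = ev["geo"] not in HOME_COUNTRIES
        if surge and foreign:
            alerts.append({
                "user": user, "src": ev["src"], "geo": ev["geo"],
                "failures_before_success": len(recent_fails[user]),
                "ts": ev["ts"].isoformat(),
            })
            actions.append(("disable_account", user))
            actions.append(("notify_soc", user))
        recent_fails[user].clear()        # a success resets the window for this user
    return alerts, actions


if __name__ == "__main__":
    found_alerts, found_actions = detect_credential_attacks(SAMPLE_AUTH_LOG)
    for alert in found_alerts:
        print("ALERT", alert)
    for action in found_actions:
        print("ACTION", action)
```

Requiring both conditions (surge and foreign origin) keeps the rule from disabling an account for an ordinary clinician who mistypes a password a few times; the nurse.kim lines in the sample are exactly that case and produce no alert.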
2. Lab information systems and diagnostic devices
Clinical operations rely heavily on diagnostic devices and LIS software—sometimes known as laboratory information management system (LIMS) or laboratory management system (LMS)—which manage everything from test orders and results to integrating with laboratory analyzers and EHRs. They are attractive targets for cyberthreats, especially data poisoning attacks, because of their integration with hospital networks, which frequently occurs through outdated, less secure protocols. Manipulation of lab results or diagnostic data often leads to misdiagnosis and medical errors.
Types of data that get affected
- Patient demographics: Name, ID, age, contact information.
- Diagnostic test orders and results: Blood tests, pathology reports, genetic data.
- Device calibration and configuration data: Algorithms and settings used to interpret diagnostic outputs.
- Clinical workflow information: Sample tracking, processing times, test queues.
- Physician notes/comments: Interpretations and test instructions.
Methods by which it is executed
- Compromising input data streams such as data from sample scanners, sensors, or EHR integration points.
- Infiltrating AI-powered diagnostic systems by feeding incorrect training or inference data.
- Altering device calibration or firmware to distort lab results subtly.
- Injecting malicious test orders or results via compromised accounts or APIs.
Once poisoned, these systems may:
- Deliver incorrect diagnoses or test results.
- Trigger inappropriate treatments or miss life-threatening conditions.
- Lead to clinical decision support failures.
- Undermine trust in diagnostic integrity.
Challenges CISOs may face in preventing such attacks
- Legacy devices: Many diagnostic tools run on outdated OS with limited patching support.
- Lack of device visibility: Inadequate monitoring of device-level data flows and firmware updates.
- AI model vulnerability: Increased adoption of AI-driven diagnostics introduces new attack surfaces.
- Third-party dependencies: Labs often rely on external analyzers and cloud vendors with limited control.
- Low IT–OT integration: Disconnect between cybersecurity teams and biomedical engineering groups.
Security policies to mitigate such threats
- Data integrity and validation policy: Implement checksums and validation protocols for all test inputs and results exchanged between devices and LIS software.
- Secure firmware and patch management policy: Regularly update and verify firmware integrity on diagnostic devices and restrict unauthorized changes.
- AI model governance policy: Monitor, audit, and retrain diagnostic AI models regularly to detect and neutralize poisoned inputs.
- Network segmentation and access control policy: Isolate LIS software and lab devices from internet-facing systems and enforce least-privilege access.
- Audit logging and change tracking policy: Maintain immutable logs for all test modifications, result updates, and device configuration changes.
Role of SIEM in preventing such attacks
- Correlates logs from LIS software, lab devices, firewalls, and user endpoints.
- Flags unauthorized firmware changes or irregular API calls to the LIS.
- Monitors input integrity by cross-validating with baseline norms and historical data.
- Automates alerts and incident response for suspicious data modification attempts.
Related use case
A SIEM system notices a pattern of abnormally high blood sugar test results from a specific analyzer. Upon investigation, it correlates this to a recent unauthorized firmware update flagged in logs—potentially revealing a data poisoning attempt.
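The use case above combines two signals: a statistical shift in one analyzer's results against its own history, and a firmware change on that device shortly before the shift. The Python block below is an added example for this page, not code from ManageEngine or from any LIS vendor. It uses a constructed set of glucose results (mg/dL) and a constructed device audit trail in a hypothetical tuple schema; the z-score threshold, the 48-hour lookback and the "half of current results" rule are assumptions about tuning, and the analyzer names are invented.

```python
import statistics
from datetime import datetime, timedelta

# Constructed sample results (hypothetical schema): (timestamp, analyzer, glucose mg/dL).
RESULTS = [
    ("2025-06-01T08:00:00", "ANALYZER-A", 92), ("2025-06-01T09:00:00", "ANALYZER-A", 101),
    ("2025-06-01T10:00:00", "ANALYZER-A", 88), ("2025-06-01T11:00:00", "ANALYZER-A", 97),
    ("2025-06-01T12:00:00", "ANALYZER-A", 94), ("2025-06-01T13:00:00", "ANALYZER-A", 99),
    ("2025-06-02T08:00:00", "ANALYZER-A", 181), ("2025-06-02T09:00:00", "ANALYZER-A", 176),
    ("2025-06-02T10:00:00", "ANALYZER-A", 190), ("2025-06-02T11:00:00", "ANALYZER-A", 184),
    ("2025-06-02T08:30:00", "ANALYZER-B", 95), ("2025-06-02T09:30:00", "ANALYZER-B", 90),
]
# Constructed device-management audit trail: (timestamp, analyzer, event, detail).
AUDIT_LOG = [
    ("2025-06-01T23:40:00", "ANALYZER-A", "FIRMWARE_UPDATE", "authorized=no"),
    ("2025-05-20T10:00:00", "ANALYZER-B", "FIRMWARE_UPDATE", "authorized=yes"),
]


def ts(s):
    return datetime.fromisoformat(s)


def detect_result_drift(results, audit_log, window_start, z_threshold=3.0,
                        lookback=timedelta(hours=48)):
    """Compare each analyzer's results from window_start onward with its own
    earlier baseline; a block of results beyond z_threshold standard deviations
    is treated as a device problem and correlated with firmware changes in the
    lookback window before the first anomalous result."""
    findings = []
    for analyzer in sorted({a for _, a, _ in results}):
        baseline = [v for t, a, v in results if a == analyzer and ts(t) < window_start]
        current = [(ts(t), v) for t, a, v in results if a == analyzer and ts(t) >= window_start]
        if len(baseline) < 3 or not current:
            continue                      # not enough history to judge this device
        mu, sigma = statistics.mean(baseline), statistics.pstdev(baseline)
        if sigma == 0:
            continue
        outliers = [(t, v) for t, v in current if abs(v - mu) / sigma > z_threshold]
        # A few outliers are clinical variation; a majority points at the device itself.
        if len(outliers) * 2 < len(current):
            continue
        first_bad = min(t for t, _ in outliers)
        changes = [(t, detail) for t, a, ev, detail in audit_log
                   if a == analyzer and ev == "FIRMWARE_UPDATE"
                   and first_bad - lookback <= ts(t) <= first_bad]
        findings.append({
            "analyzer": analyzer,
            "baseline_mean": round(mu, 1),
            "current_mean": round(statistics.mean(v for _, v in current), 1),
            "outlier_ratio": len(outliers) / len(current),
            "first_anomalous_result": first_bad.isoformat(),
            "firmware_changes_in_lookback": changes,
            "severity": "high" if any("authorized=no" in d for _, d in changes) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_result_drift(RESULTS, AUDIT_LOG, datetime(2025, 6, 2)):
        print(finding)
```

ANALYZER-B has no history before the window, so the rule stays silent on it rather than guessing; a real deployment would seed the baseline from the LIS archive instead of from the same feed.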
3. Medical IoT devices (IoMT)
IoMT devices—like infusion pumps, pacemakers, insulin delivery systems, imaging machines, and patient monitors—are increasingly network-connected for real-time care, remote monitoring, and automation. However, they are susceptible to cyberattacks because of their connectivity. Unsecured IoMT devices are hijacked and used as part of a botnet for broader attacks or internal DDoS, which often goes unnoticed due to minimal logging.
Types of data that get affected
- Patient health metrics: Vital signs, glucose levels, and ECG data.
- Device configuration data: Firmware versions, calibration settings, network parameters.
- Device logs and communication data: Usage history, alerts, and clinician interaction logs.
- Real-time telemetry: Continuous data streams from wearable or implantable devices.
- Patient identity and treatment info: Data synced to EHRs for care decisions.
Methods by which it is executed
- Weak/default credentials left unchanged on devices.
- Outdated firmware with unpatched vulnerabilities.
- Poorly secured wireless protocols (e.g., BLE, ZigBee, Wi-Fi).
- Unencrypted communications between a device and the network.
- Lack of network segmentation, allowing lateral movement post-compromise.
Once enrolled in a botnet, the IoMT device may:
- Be used in DDoS attacks (e.g., on hospital servers themselves or external targets).
- Act as an entry point into internal networks for malware.
- Exfiltrate sensitive patient data or spy on device behavior.
- Disrupt critical care operations by crashing or overloading systems.
Challenges CISOs may face in preventing such attacks
- Device diversity and legacy hardware: Hundreds of device types with proprietary protocols.
- Limited update mechanisms: Many devices lack over-the-air update capabilities.
- Insecure-by-design devices: Hard-coded credentials, no logging, and minimal encryption.
- Vendor lock-in: Reliance on third-party vendors for security patching.
- Poor network visibility: Inability to detect or monitor IoMT devices effectively in real time.
Security policies to mitigate such threats
- IoMT authentication and access: Enforce strong, unique credentials and disable unused default accounts on all IoMT devices.
- IoMT firmware and patch management: Ensure timely patching and firmware updates through vendor coordination and security SLAs.
- Network segmentation and isolation: Segregate IoMT devices from core hospital networks using VLANs or SDN, and block internet access unless required.
- IoMT device inventory and monitoring: Maintain a real-time, continuously updated inventory of all IoMT devices with details on MAC/IP, model, and firmware data.
- Anomaly detection and incident response: Continuously monitor for unusual device behavior (e.g., outbound traffic spikes) and respond rapidly to anomalies.
Role of SIEM in preventing such attacks
- Device behavior profiling: Establishes baselines of normal device activity and flags anomalies.
- Unusual traffic detection: Identifies large outbound traffic volumes or connections to suspicious IPs.
- Threat intelligence integration: Matches communication patterns with known botnet C2 signatures.
- Log correlation: Connects events from firewall, network access control, DNS, and device logs to detect coordinated attacks.
- Automated response: Triggers device quarantine or blocks traffic if botnet behavior is detected.
Related use case
A patient monitor starts sending large outbound packets to an unknown IP every 30 seconds. The SIEM solution detects this deviation, correlates it with threat intelligence feeds, flags it as potential botnet activity, and alerts the SOC team for isolation and remediation.
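The use case above is a beaconing detection: a device talking to an address outside its expected set, at a fixed interval, with the destination matched against threat intelligence. The Python block below is an added example for this page, not ManageEngine or vendor code. It runs over constructed firewall-style flow records in a hypothetical `key=value` schema; the device inventory, the allowed gateway address, the threat-feed entry (a documentation-range IP), the minimum connection count and the jitter threshold are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall/NetFlow-style records (hypothetical schema).
SAMPLE_FLOWS = """\
2025-07-10T01:00:00Z src=10.50.3.21 dst=198.51.100.9 dport=443 bytes_out=52000
2025-07-10T01:00:30Z src=10.50.3.21 dst=198.51.100.9 dport=443 bytes_out=51800
2025-07-10T01:01:00Z src=10.50.3.21 dst=198.51.100.9 dport=443 bytes_out=52400
2025-07-10T01:01:30Z src=10.50.3.21 dst=198.51.100.9 dport=443 bytes_out=52100
2025-07-10T01:02:00Z src=10.50.3.21 dst=198.51.100.9 dport=443 bytes_out=51950
2025-07-10T01:02:30Z src=10.50.3.21 dst=198.51.100.9 dport=443 bytes_out=52300
2025-07-10T01:00:12Z src=10.50.3.22 dst=10.50.1.5 dport=2575 bytes_out=1800
2025-07-10T01:07:41Z src=10.50.3.22 dst=10.50.1.5 dport=2575 bytes_out=2100
2025-07-10T01:19:03Z src=10.50.3.22 dst=10.50.1.5 dport=2575 bytes_out=1750
"""

# Assumptions about this hospital's environment (constructed for the example).
DEVICE_INVENTORY = {"10.50.3.21": "patient-monitor-ward4", "10.50.3.22": "infusion-pump-ward4"}
ALLOWED_DESTINATIONS = {"10.50.1.5"}      # the device gateway these devices are meant to reach
THREAT_INTEL_IPS = {"198.51.100.9"}       # constructed feed entry (documentation address range)
MIN_CONNECTIONS = 5                       # fewer flows than this cannot show a period
MAX_JITTER = 0.2                          # stdev/mean of inter-flow gaps; low means clock-like


def parse_flow(line):
    """Parse 'timestamp k=v ...' into a dict; bytes_out becomes an int."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    rec.update(f.split("=", 1) for f in fields)
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def detect_beacons(flow_text):
    """Return (alerts, actions) for src->dst pairs that are periodic and not allowed."""
    by_pair = defaultdict(list)
    for line in flow_text.splitlines():
        if line.strip():
            rec = parse_flow(line)
            by_pair[(rec["src"], rec["dst"])].append(rec)

    alerts, actions = [], []
    for (src, dst), recs in by_pair.items():
        if dst in ALLOWED_DESTINATIONS or len(recs) < MIN_CONNECTIONS:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if jitter > MAX_JITTER:
            continue                      # irregular traffic; not beacon-like
        alert = {
            "device": DEVICE_INVENTORY.get(src, src), "src": src, "dst": dst,
            "period_s": round(mean_gap), "connections": len(recs),
            "bytes_out": sum(r["bytes_out"] for r in recs),
            "threat_intel_match": dst in THREAT_INTEL_IPS,
        }
        alert["severity"] = "high" if alert["threat_intel_match"] else "medium"
        alerts.append(alert)
        actions.append(("quarantine_device", src))
        actions.append(("notify_soc", alert["device"]))
    return alerts, actions


if __name__ == "__main__":
    for item in detect_beacons(SAMPLE_FLOWS):
        print(item)
```

The infusion pump's traffic to the gateway is irregular and goes to an allowed destination, so it is skipped twice over; the patient monitor's 30-second cadence to an unknown address is flagged even before the threat-feed match, which only raises the severity.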
4. Imaging systems
Imaging systems—such as MRI, CT, and X-ray, in addition to picture archiving and communication systems (PACS)—are essential for diagnostics and treatment planning. They create and manage digital imaging and communications in medicine (DICOM) files, which include metadata and patient data in addition to image data. Due to their frequent integration with hospital networks and EHRs, these systems are susceptible to cyberattacks, particularly file format exploitation. Exploits in imaging viewers are triggered by malicious DICOM images or altered metadata, which may provide remote access.
Types of data that get affected
- Patient identifiers: Name, date of birth, medical record number.
- Diagnostic images: High-resolution MRI, CT, and X-ray images.
- Image metadata: Study descriptions, modality info, timestamps, physician notes.
- Treatment annotations: Measurements, markings, or surgical guidance overlays.
- Transmission logs: Tracks when, how, and by whom patient data—such as medical images or health records—were accessed, shared, or transmitted across systems.
Methods by which it is executed
- Malicious DICOM images sent to PACS or viewing stations.
- Exploitation of vulnerabilities in image viewers (e.g., improper buffer management or unvalidated metadata).
- Embedded malware that activates on viewing, often bypassing antivirus due to non-standard file structures.
- Third-party USB or image media used by technicians that contains malicious files.
Real-world incident that occurred
In 2019, security researchers revealed that DICOM files, used to store medical imaging data, could be manipulated to embed malware. They demonstrated that malicious code could be injected into the metadata of DICOM files without altering the visible medical images. This technique exploited the file format’s flexibility, allowing attackers to disguise malware as legitimate diagnostic files. Since medical imaging systems typically trust and process these files, the attack could bypass traditional security measures. The discovery raised serious concerns about the cybersecurity of healthcare systems and the potential for targeted attacks on medical infrastructure.
Challenges CISOs may face in preventing such attacks
- Legacy PACS systems: Many are unpatched or run on unsupported OS.
- Trusted file extensions: .dcm files are implicitly trusted and often ignored by standard antivirus.
- Interoperability dependencies: A typical PACS interacts with dozens of systems, increasing risk exposure.
- Limited DICOM file validation tools: Few systems deeply inspect DICOM metadata or payloads.
- Technician workflow risks: Use of external media, manual imports, and insufficient endpoint protection.
Security policies to mitigate such threats
- DICOM file validation: Enforce the use of secure DICOM parsers and validators to scan all image files for hidden payloads before importing into PACS.
- Endpoint hardening for viewing stations: Ensure all PACS viewers and imaging workstations are patched and isolated from external internet access.
- Read-only and media control: Disable AutoRun and enforce read-only access on USB drives used for importing external imaging files.
- Segmentation and zero trust access: Isolate PACS and imaging modalities in secure network zones and implement authentication measures even for intra-network transfers.
- Threat detection and file activity logging: Maintain detailed logs for file uploads, viewer access, and anomaly detection via integrated security tools.
Role of SIEM in preventing such attacks
- File integrity monitoring (FIM): Detects unauthorized changes or anomalies in stored imaging files.
- Threat pattern detection: Uses threat intelligence feeds to flag DICOM payloads associated with known malware hashes.
- User and entity behavior analytics (UEBA): Monitors unusual access to PACS (e.g., large image exports or access during odd hours).
- System exploit monitoring: Correlates OS logs, PACS server logs, and antivirus alerts for signs of exploit attempts.
- Automated alerting and response: Sends real-time alerts for suspicious image imports or system crashes triggered by rendering processes.
Related use case
A PACS viewer crashes repeatedly when opening files from a particular source. A SIEM solution correlates logs showing unusual metadata in those files, outbound C2 traffic from the viewer, and recent USB insertion events, helping to trace and isolate a DICOM-based malware exploit.
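The DICOM file validation policy above calls for parsing files before they reach PACS. The Python block below is an added example for this page, not ManageEngine code or a PACS vendor's validator. It implements a minimal gate for DICOM Part 10 files: the 128-byte preamble, the `DICM` magic, and the explicit-VR little-endian File Meta Information group (0002,xxxx), checking that the structure parses cleanly, that a transfer syntax UID is present, and that the preamble is neither an executable header nor (by this ingest path's assumed policy) non-zero. The `build_sample` helper constructs test files in code; the instance UID it uses is invented.

```python
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
# VRs that use the 2 reserved bytes + 4-byte length form in explicit VR little endian.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
# Preamble contents that should never be accepted on a PACS ingest path (assumed policy).
EXECUTABLE_MAGICS = (b"MZ", b"\x7fELF", b"#!")


def element(group, elem, vr, value):
    """Encode one explicit-VR little-endian data element; values are padded to even length."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample(preamble=b"\x00" * PREAMBLE_LEN, sop_class=b"1.2.840.10008.5.1.4.1.1.2"):
    """Construct a minimal CT Image Storage header (test fixture, not a real study)."""
    body = (element(0x0002, 0x0001, b"OB", b"\x00\x01")
            + element(0x0002, 0x0002, b"UI", sop_class)
            + element(0x0002, 0x0003, b"UI", b"1.2.3.4.5.6.7.8.9")     # invented instance UID
            + element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1"))  # explicit VR LE
    group_len = element(0x0002, 0x0000, b"UL", struct.pack("<I", len(body)))
    dataset = element(0x0008, 0x0016, b"UI", sop_class)   # first data-set element
    return preamble + MAGIC + group_len + body + dataset


def parse_file_meta(data):
    """Walk the group 0002 elements after the magic; return {tag: (vr, value)}.
    Raises ValueError on any structural problem instead of guessing."""
    pos, meta = PREAMBLE_LEN + 4, {}
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated element header")
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break                          # File Meta Information ends; data set begins
        vr = data[pos + 4:pos + 6]
        if not vr.isalpha():
            raise ValueError("non-explicit VR inside file meta")
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                raise ValueError("truncated long-length header")
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        if length > len(data) - pos:
            raise ValueError("element length exceeds file size")
        meta[(group, elem)] = (vr, data[pos:pos + length])
        pos += length
    return meta


def validate_dicom(data):
    """Return (ok, findings); ok is True only when the file is clean under the assumed policy."""
    findings = []
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        return False, ["missing DICM magic at offset 128"]
    preamble = data[:PREAMBLE_LEN]
    if preamble.startswith(EXECUTABLE_MAGICS):
        findings.append("preamble starts with an executable header")
    elif any(preamble):
        findings.append("non-zero preamble (not accepted on this ingest path)")
    try:
        meta = parse_file_meta(data)
    except ValueError as exc:
        return False, findings + [f"malformed file meta: {exc}"]
    transfer_syntax = meta.get((0x0002, 0x0010))
    if transfer_syntax is None:
        findings.append("missing transfer syntax UID (0002,0010)")
    elif transfer_syntax[0] != b"UI":
        findings.append("transfer syntax element has wrong VR")
    return not findings, findings


if __name__ == "__main__":
    print(validate_dicom(build_sample()))
    print(validate_dicom(build_sample(preamble=b"MZ" + b"\x00" * 126)))
```

Rejecting on a parse error rather than skipping the element is deliberate: a viewer that tolerates malformed headers is exactly the component the "exploiting vulnerabilities in image viewers" bullet describes, and the gate should fail closed so that such files never reach it.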
5. Administrative systems
Billing, procurement, scheduling, human resources, legal affairs, and interdepartmental communication are all managed via administrative systems in the healthcare industry. Due to their heavy reliance on email communication for sensitive data transfers, internal approvals, and vendor coordination, these systems are particularly vulnerable to business email compromise attacks. To redirect payments or compromise vendor communications, cybercriminals spoof or hijack email accounts of key staff or executives.
Types of data that get affected
- Financial data: Vendor invoices, payment authorizations, payroll, insurance claims.
- Employee records: Social Security numbers, bank details, W-2s, contact info.
- Vendor contracts and procurement info: Pricing, contract terms, bank accounts.
- Email communications: Strategic plans, legal correspondence, operational discussions.
- Credential information: Login info is often shared or stored insecurely within email chains.
Methods by which it is executed
- Phishing emails crafted to appear legitimate and urgent.
- Email spoofing or account takeover to impersonate executives (CEO, CFO, CMO).
- Domain lookalikes (e.g., @h0spital-admin.com instead of @hospital-admin.com).
- Social engineering using public data (LinkedIn, hospital press releases, etc.).
- Delayed detection as the email content often appears routine and professional.
Real-world incident that occurred
In 2021, a large Midwest U.S. hospital network fell victim to business email compromise (BEC) when attackers impersonated a construction contractor via a spoofed domain. A fraudulent invoice of over $700,000 was processed for a legitimate hospital expansion project. The attack bypassed antivirus and firewalls because it used no malware, just email and human manipulation.
Challenges CISOs may face in preventing such attacks
- High email volume: Difficult to monitor every transaction and message.
- Staff unawareness: Admin personnel may lack cybersecurity training.
- Slow detection: No malware or payloads makes BEC hard to flag.
- Trust in internal email: Employees tend to trust requests from familiar names/domains.
- Lack of authentication protocols: Missing or weak DMARC, SPF, and DKIM settings.
Security policies to mitigate such threats
- Email authentication policy: Enforce SPF, DKIM, and DMARC across all healthcare domains to prevent spoofing.
- Financial verification policy: Mandate multi-person verification and out-of-band confirmation (e.g., phone calls) for large fund transfers.
- Employee awareness and phishing training policy: Train all staff, especially administrative and finance teams, on identifying impersonation and phishing attempts.
- Email access and privilege policy: Limit email account access based on roles and implement MFA for all email logins.
- Incident reporting and quarantine policy: Require immediate reporting of suspicious emails and enable auto-quarantine of high-risk messages via secure email gateways.
Role of SIEM in preventing such attacks
- Anomalous login detection: Monitors login behavior for impossible travel, geolocation mismatch, or unusual access times.
- Email flow analysis: Correlates metadata from mail servers (e.g., sudden spike in external communications).
- Threat intelligence integration: Flags domains or IPs known for phishing or spoofing activity.
- Correlation with financial logs: Connects suspicious emails with corresponding financial activity (e.g., invoice processing).
- UEBA: Detects impersonation attempts based on deviations from regular communication patterns.
Related use case
The SIEM solution flags a login from Nigeria into an email account typically accessed only in California. Within 15 minutes, a vendor invoice is approved. The SIEM solution alerts the SOC team, halting the transfer and isolating the compromised account.
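The use case above joins two data sources: an impossible-travel check on email logins and the finance system's approval log, with the approval halted when it falls inside the window after the suspicious login. The Python block below is an added example for this page, not ManageEngine or Log360 logic. It uses constructed login and finance events in hypothetical tuple schemas, approximate coordinates for the two regions, an assumed 1,000 km/h speed ceiling and an assumed 30-minute correlation window; the user names and amounts are invented.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Approximate region centroids (assumed for the example): (latitude, longitude).
GEO = {"US-CA": (36.8, -119.4), "NG-LA": (6.5, 3.4)}
# Constructed email login events: (timestamp, user, region).
LOGINS = [
    ("2025-09-12T14:00:00", "ap.clerk", "US-CA"),
    ("2025-09-12T15:05:00", "ap.clerk", "NG-LA"),
    ("2025-09-12T15:20:00", "cfo.assistant", "US-CA"),
]
# Constructed finance-system events: (timestamp, user, event, amount_usd).
FINANCE_EVENTS = [
    ("2025-09-12T15:17:00", "ap.clerk", "INVOICE_APPROVED", 684000),
    ("2025-09-12T16:00:00", "cfo.assistant", "INVOICE_APPROVED", 1200),
]
MAX_SPEED_KMH = 1000                      # faster than commercial air travel: impossible
CORRELATION_WINDOW = timedelta(minutes=30)


def ts(s):
    return datetime.fromisoformat(s)


def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def detect_bec(logins, finance_events):
    """Return (alerts, actions).  Each alert is an impossible-travel login; if the same
    user approved money inside CORRELATION_WINDOW after it, the approval is held."""
    by_user = defaultdict(list)
    for t, user, region in logins:
        by_user[user].append((ts(t), region))
    alerts, actions = [], []
    for user, events in by_user.items():
        events.sort()
        for (t1, r1), (t2, r2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            if hours <= 0 or r1 == r2:
                continue
            speed = haversine_km(GEO[r1], GEO[r2]) / hours
            if speed <= MAX_SPEED_KMH:
                continue
            # Impossible travel: now look for money movement right after the login.
            approvals = [(t, ev, amt) for t, u, ev, amt in finance_events
                         if u == user and t2 <= ts(t) <= t2 + CORRELATION_WINDOW]
            alerts.append({"user": user, "from": r1, "to": r2, "login_ts": t2.isoformat(),
                           "speed_kmh": round(speed), "correlated_finance_events": approvals})
            actions.append(("isolate_account", user))
            for t, ev, amt in approvals:
                actions.append(("hold_transfer", user, t, amt))
    return alerts, actions


if __name__ == "__main__":
    for item in detect_bec(LOGINS, FINANCE_EVENTS):
        print(item)
```

The second data source is what turns a routine impossible-travel alert into an actionable one: on its own the login is suspicious, but the approval twelve minutes later is the loss the use case is trying to stop, so the hold goes on the transfer as well as the account.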
Financial benefit of implementing SIEM in preventing such attacks
| Benefit | How SIEM delivers it |
|---|---|
| Reduced breach cost | The average cost of a data breach in healthcare is nearly 10M. A SIEM solution reduces time to detect/respond, lowering impact. |
| Avoid regulatory fines | HIPAA violations can cost up to $1.5M per year per violation type. SIEM helps demonstrate compliance. |
| Operational continuity | Prevents downtime of critical EHR systems, maintaining care quality and revenue. Protects lab workflows, ensuring uninterrupted revenue from diagnostics. |
| Loss prevention | Avoids fraudulent fund transfers that often cost $100K+ per incident. |
| Reduced investigation costs | Automates detection and forensics, saving hours of analyst work. |
| Compliance | Supports HIPAA, HITECH, and GLBA standards around communication security. Meets corrective action plan and Clinical Laboratory Improvement Amendments (CLIA) standards, helping to avoid regulatory fines and audits. |
| Lower insurance premiums | Organizations with strong SIEMs may qualify for lower cybersecurity insurance premiums. |
| Faster incident response | Cuts downtime and reputational damage through early detection. |
| Quicker threat response | Early detection reduces downtime and impact—saving millions during incidents. |
| Protection of AI investment | Safeguards AI-based diagnostics from tampering, ensuring model reliability and ROI. |
| Reputation protection | Avoiding publicized breaches preserves patient trust and market position. |
| Optimized IT resource usage | SIEM automates detection, saving analyst time and reducing investigation costs. |
Related solutions
ManageEngine Log360 is a unified SIEM solution with UEBA, DLP, CASB, and dark web monitoring capabilities. Detect compromised credentials, reduce breach impact, and lower compliance risk exposure with Log360.
ManageEngine AD360 is a unified IAM solution that provides SSO, adaptive MFA, UBA-driven analytics, and RBAC. Manage employees' digital identities and implement the principles of least privilege with AD360.
This content has been reviewed and approved by Ram Vaidyanathan, IT security and technology consultant at ManageEngine.