Cascade of Attacks: From IT and OT to Patient Care


Trellix Reports Email and Identity Failures as Key Vectors in Healthcare Cybersecurity Incidents

According to a recent Trellix report, cyber incidents involving non-clinical IT systems and operational technology (OT) can negatively influence patient care workflows and outcomes. (Image: Getty Images)

A report from cybersecurity firm Trellix reveals that email phishing, identity failures, and device vulnerabilities were the predominant vectors for non-clinical IT compromises in healthcare IT environments last year. Such breaches are said to “cascade” into disruptions in patient care workflows, leading to substantial financial losses, estimated at nearly $2 million per day.

Of the 54.7 million threats detected by Trellix across its global healthcare clientele, approximately 75% originated from organizations based in the United States. Notably, email incidents, particularly phishing-related, accounted for over 85% of these detections.

Anne An, principal threat intelligence analyst at Trellix, emphasized that the most significant weaknesses lie in email and identity management failures, outdated medical devices, and a lack of visibility into lateral movements and data exfiltration. These vulnerabilities allow attackers entry into clinical environments, posing risks that evolve into patient safety crises.

The response to ransomware and other cyber incidents often necessitates a complete shutdown of IT systems, which inhibits clinicians from accessing critical patient records. Trellix highlighted that some healthcare organizations may incur costs upwards of $9,000 per minute due to these outages, resulting in significant operational downtime averaging over 17 days for each incident.

The repercussions extend beyond financial losses. A study conducted by researchers at the University of California, San Diego, revealed that ransomware attacks can adversely impact patient outcomes, particularly for cardiac arrest and stroke patients. Those diverted from affected hospitals may experience delays in care, exacerbated by increased caseloads at nearby facilities.

Emerging Trends in Cybersecurity

Trellix also noted a troubling increase in incidents involving data theft and extortion. Attackers are moving towards what is termed “triple extortion,” which may include direct harassment of patients. The firm reported that “extortion-only” hacks represented 12% of healthcare attacks in 2025, marking a dramatic 300% rise since 2023. Meanwhile, the average ransom payment dropped to $150,000.

Among the active cybercriminal groups are Qilin, Inc., and DevMan2, the latter being a former affiliate of IncRansom and RansomHub. As of April 2025, DevMan2 reportedly had 174 victims and was noted for its substantial data exfiltration efforts, with individual breaches yielding between 200 and 300 gigabytes of stolen patient data.

Looking to the future, An predicts that patient extortion tactics will grow more prevalent and personal. “Quiet breaches” are expected to outstrip more disruptive ransomware attacks, as adversaries leverage the element of stealth to enhance their bargaining power.

To combat these escalating threats, healthcare organizations must adopt security strategies informed by patient safety imperatives and driven by threat intelligence. Such strategies should integrate people, processes, and technology across IT, clinical, and OT environments. The prioritization of email and identity security, along with the implementation of phishing-resistant multifactor authentication and stringent access control, can mitigate risks before breaches occur.

Additionally, segmentation of IT, clinical, and OT networks will help contain potential lateral movements and cascading failures. Enhancing visibility through endpoint and network monitoring systems is equally crucial to identify anomalies and detect exfiltration early.

Addressing known vulnerabilities and actively managing Common Vulnerabilities and Exposures (CVEs) remains vital. Where patching is not feasible, compensating controls must be employed, including isolating affected systems and monitoring them for unusual behavior. Moving forward, email and identity will likely remain the primary attack vectors, compounded by the persistent risks posed by outdated medical devices.
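The two controls the report's recommendations keep returning to, segmentation between IT, clinical and OT networks and monitoring that surfaces exfiltration early, can both be checked against ordinary flow logs. The following is an added illustration written for this page, not code from Trellix or from the report: it reads constructed flow records, flags traffic that crosses segment boundaries outside an allowlist, and flags internal hosts whose outbound volume to external addresses is far above their own baseline. The subnets, hosts, byte counts and thresholds are all assumptions chosen for the example.

```python
"""Flow-log review for two recommendations on this page: catching unexpected
cross-segment traffic (IT / clinical / OT) and unusually large outbound
transfers that may indicate exfiltration.

Everything below (segments, hosts, baselines, byte counts) is constructed
for illustration and is not taken from the Trellix report.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical segment layout for a hospital network (assumption).
SEGMENTS = {
    "it":       ip_network("10.10.0.0/16"),
    "clinical": ip_network("10.20.0.0/16"),
    "ot":       ip_network("10.30.0.0/16"),
}

# Segment pairs allowed to talk to each other. Anything into OT is denied
# unless the source host is on the explicit host allowlist below.
ALLOWED_PAIRS = {("it", "it"), ("clinical", "clinical"), ("ot", "ot"),
                 ("it", "clinical")}
ALLOWED_HOSTS = {("10.10.0.5", "ot")}   # hypothetical OT maintenance jump host


def segment_of(ip):
    """Return the segment name for an address, or 'external' if unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse a constructed 'timestamp src dst bytes' flow record."""
    ts, src, dst, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)}


def segmentation_violations(flows):
    """Internal-to-internal flows whose segment pair is not on the allowlist."""
    hits = []
    for f in flows:
        s, d = segment_of(f["src"]), segment_of(f["dst"])
        if "external" in (s, d):
            continue                     # internet traffic is judged below
        if (s, d) in ALLOWED_PAIRS or (f["src"], d) in ALLOWED_HOSTS:
            continue
        hits.append((f["src"], s, f["dst"], d))
    return hits


def exfil_candidates(flows, baseline_bytes, factor=5.0, floor=50_000_000):
    """Sum outbound bytes per internal host to external destinations and flag
    hosts exceeding factor x their baseline. The absolute floor stops a quiet
    host with a tiny baseline from being flagged for a few megabytes."""
    totals = defaultdict(int)
    for f in flows:
        if segment_of(f["src"]) != "external" and segment_of(f["dst"]) == "external":
            totals[f["src"]] += f["bytes"]
    flagged = {}
    for host, total in totals.items():
        base = baseline_bytes.get(host, 0)
        if total > floor and total > factor * base:
            flagged[host] = total
    return flagged


# Constructed sample flows: a clinical workstation pushing ~400 MB out at
# 2 a.m. and also touching an OT device it has no business reaching.
SAMPLE_FLOWS = [
    "2025-04-01T02:00:00 10.20.1.15 203.0.113.7 220000000",
    "2025-04-01T02:05:00 10.20.1.15 203.0.113.7 180000000",
    "2025-04-01T09:00:00 10.10.0.5 10.30.2.9 4096",        # jump host, allowed
    "2025-04-01T09:01:00 10.20.1.15 10.30.2.9 1500",       # clinical -> OT
    "2025-04-01T10:00:00 10.10.4.4 198.51.100.20 30000000",
    "2025-04-01T10:01:00 10.10.4.4 10.20.3.3 2000",        # IT -> clinical, allowed
]

# Constructed per-host daily outbound baselines (bytes), e.g. a rolling median.
BASELINE = {"10.20.1.15": 8_000_000, "10.10.4.4": 25_000_000}


def review(lines=SAMPLE_FLOWS, baseline=BASELINE):
    flows = [parse_flow(l) for l in lines]
    return {
        "segmentation": segmentation_violations(flows),
        "exfil": exfil_candidates(flows, baseline),
    }


if __name__ == "__main__":
    for kind, findings in review().items():
        print(kind, findings)
```

Both checks are deliberately simple so the logic is auditable: the segmentation rule is a default-deny allowlist, and the exfiltration rule compares each host against its own history rather than a single site-wide number, which is what lets a quiet clinical workstation stand out while a busy IT server does not.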
