Recent findings from Trellix highlight that cybersecurity has ascended to a critical issue within the boardrooms of healthcare organizations, influenced by ongoing digital transformation and the escalating risks associated with cyber threats. In the 2025 Healthcare Cybersecurity Threat Intelligence Report, Trellix issues a stark warning regarding the broadened attack surface resulting from cloud adoption, remote access, and AI-driven workflows. This evolution has transformed cyber incidents from mere IT disruptions into direct threats to patient safety, necessitating robust oversight from C-suite executives rather than relegating cybersecurity to a technical concern.
“In 2025, our global healthcare clientele reported 54.7 million detections,” stated John Fokker, Vice President for Threat Intelligence Strategy at Trellix, in a recent blog post. He emphasized that these statistics represent genuine threats, occurring daily, with a shocking 75 percent of these incidents happening in the United States. Email remains the principal attack vector, accounting for 85 percent of the recorded detections.
The report further reveals that healthcare continues to suffer the highest data breach costs, marking its fifteenth successive year in this regard. The average cost of a healthcare breach in the U.S. soared to $10.22 million per incident, reflecting a year-over-year increase of 9.2 percent.
A key insight shared in the report is the emerging trend known as the ‘Cascading Effect.’ In 2025, breaches that infiltrated administrative networks or operational technology (OT) systems—like HVAC—were noted to disrupt entire clinical workflows. These incidents had severe consequences, including a 29 percent increase in inpatient mortality rates at affected hospitals, and neighboring facilities recorded an 81 percent rise in cardiac arrest cases linked to emergency diversions.
An alarming evolution in cybercrime, according to Fokker, is the rise of patient extortion. Ransomware attackers are extending their tactics beyond server encryption to stealing medical records and contacting patients directly for ransom, demanding fees to prevent the exposure of sensitive health information. In one notable incident, the Qilin group exfiltrated 852 gigabytes of patient data from Covenant Health. The underground market now values a single electronic health record at about $60, significantly increasing the incentive for attackers to pursue exfiltration strategies, which tripled in occurrence throughout 2025.
Trellix’s findings underscore an intricate healthcare attack surface littered with vulnerabilities. Medical devices, many still running outdated operating systems, become prime targets for adversaries seeking entry into clinical networks. Research found that 99 percent of hospitals are managing at least one device with known vulnerabilities. Alarmingly, 60 percent of medical devices are considered end-of-life and unpatchable, offering attackers a pathway that can run from HVAC systems all the way to electronic health record databases.
The report illustrates that the cybersecurity landscape in healthcare extends beyond conventional endpoints, engaging an intricate network of Internet of Medical Things (IoMT) and operational technology (OT) systems. Medical devices, especially imaging systems, are vulnerable to attacks; nearly one-third of DICOM and PACS workstations analyzed had at least one critical patchable vulnerability. Patient monitoring systems likewise lack essential security measures and serve as potential gateways into clinical networks.
In 2025, Trellix recorded a staggering frequency of adversarial activity tailored to exploit unique vulnerabilities in the healthcare sector. Detections surged notably in the U.S., representing 75.14 percent of the total activity across healthcare organizations. The financial impact of these breaches, coupled with operational downtime—averaging $9,000 per minute—illustrates a complex challenge. Organizations reported extensive recovery times post-attack, with major systems struggling to regain functionality, often taking over 100 days to fully recover.
Given the highly professionalized threat landscape anticipated for 2026, healthcare security leaders need to shift towards comprehensive, risk-based security strategies. This transformation should incorporate healthcare-specific threat intelligence to facilitate proactive risk prediction and develop a unified response framework against escalating adversary tactics, which are likely to include initial access via phishing and lateral movement through vulnerable OT environments.
As healthcare organizations grapple with the increasing risk of data breaches—exemplified by the prevalence of email-based attacks—strategic measures must be implemented. This includes enhanced segmentation of IT environments, robust identity governance, and ongoing monitoring to detect potential compromises. With many hospitals still reliant on devices plagued with known vulnerabilities, remediation strategies should prioritize the likelihood of exploitation rather than simply the age of patches, ensuring that data protection protocols are effectively fortified to mitigate risks from emerging threats.
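As an added illustration of the risk-based prioritization described above (example code, not from the Trellix report or its authors), the following Python ranks a constructed device inventory by likelihood of exploitation rather than by patch age, and routes end-of-life devices that cannot be patched to compensating controls such as segmentation and monitoring. The scoring weights, field names and inventory entries are assumptions.

```python
"""Risk-based remediation triage for a hospital device inventory (illustrative).
Ranks findings by exploitation evidence and exposure, not by how long a
fix has been available; unpatchable end-of-life devices get segmentation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str               # device or workstation name (constructed)
    zone: str                # network zone: clinical / admin / facilities
    patch_age_days: int      # how long the vendor fix has been available
    known_exploited: bool    # evidence of in-the-wild exploitation
    reachable_from_it: bool  # reachable from the general IT / email network
    end_of_life: bool        # vendor will never ship a patch


def exploit_likelihood(f: Finding) -> float:
    """Score in 0..1 driven by exploitation evidence and exposure; patch age is ignored."""
    score = 0.1                      # baseline for any known vulnerability
    if f.known_exploited:
        score += 0.5                 # strongest signal: attackers already use it
    if f.reachable_from_it:
        score += 0.3                 # phishing foothold on IT can pivot here
    if f.zone == "clinical":
        score += 0.1                 # direct patient-safety impact
    return min(score, 1.0)


def plan_remediation(findings):
    """Return (asset, action, score) tuples, highest risk first."""
    plan = []
    for f in findings:
        action = "segment+monitor" if f.end_of_life else "patch"
        plan.append((f.asset, action, round(exploit_likelihood(f), 2)))
    plan.sort(key=lambda t: t[2], reverse=True)   # stable: ties keep input order
    return plan


def oldest_patch_first(findings):
    """Age-based ordering, shown only to contrast with the risk-based plan."""
    return [f.asset for f in sorted(findings, key=lambda f: f.patch_age_days, reverse=True)]


# Constructed sample inventory; none of these are real findings from the report.
INVENTORY = [
    Finding("hvac-controller-01", "facilities", 900, False, True, True),
    Finding("pacs-workstation-03", "clinical", 30, True, True, False),
    Finding("patient-monitor-12", "clinical", 400, False, False, True),
    Finding("hr-fileserver", "admin", 1200, False, True, False),
]

if __name__ == "__main__":
    for asset, action, score in plan_remediation(INVENTORY):
        print(f"{score:.2f}  {action:16} {asset}")
```

Age-based ordering would put the 1200-day-old file server first, while the risk-based plan puts the recently disclosed but actively exploited, IT-reachable PACS workstation at the top and assigns the unpatchable HVAC controller and patient monitor to segmentation instead of a patch they will never receive.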