The Next Wave of Healthcare Cyber Risk, from IoMT to AI-enabled Attacks


For years, cybersecurity in healthcare has been framed through a lens that depicts ransomware disrupting hospitals, data breaches exposing patient records and overstretched IT teams struggling to keep pace. While these threats remain real and persistent, healthcare cyber risk is evolving faster than the security models designed to manage it.

Healthcare organisations handle highly sensitive patient and financial data, operate under strict regulatory pressure and have a very low tolerance for downtime. When care delivery is disrupted, the pressure to restore services quickly can create strong incentives for attackers, making the sector particularly vulnerable to extortion and disruption-based attacks. Key forces reshaping the threat landscape include the expansion of connected medical technology beyond hospital walls, the growing exposure of network infrastructure as an entry point, and the expected rise of AI-enabled attacks targeting healthcare-specific systems.

At the same time, these dynamics expose the limitations of traditional security models. Approaches that focus primarily on managed IT endpoints or static network boundaries are struggling to account for the diversity of devices, locations, and connections that now define healthcare environments. This is accelerating a shift towards more adaptive models, such as Universal Zero Trust Network Access (UZTNA), which extends visibility and control across all users, devices, and environments.

The dissolving boundary of the healthcare network

Healthcare delivery organisations (HDOs) have always operated complex environments, blending legacy systems with modern digital technologies. The rapid adoption of telehealth, remote monitoring and connected medical devices, for example, has significantly expanded the healthcare attack surface. Today, patient care increasingly relies on devices and applications operating outside traditional hospital perimeters, across home networks, cloud services, and third-party platforms — effectively dissolving the conventional network boundary. Sensitive clinical data now flows across environments that organisations do not fully control, while medical devices in patients’ homes may lack even basic security controls.

The result is a larger, more fragmented attack surface. Attackers no longer need to breach a hospital directly. They can target weaker links in the ecosystem, from consumer-grade devices to third-party suppliers, and pivot from there into clinical environments.

Legacy meets modern: a dangerous intersection

Healthcare networks are also becoming more interconnected internally. Traditional IT systems, Internet of Things (IoT) devices, operational technology (OT), and specialised medical equipment (the Internet of Medical Things, IoMT) coexist on shared infrastructure.

Many of the most critical medical devices, such as CT scanners, PET-CT systems, X-ray machines, and clinical workstations, were not designed with modern cybersecurity requirements in mind. They often run outdated operating systems, rely on continuous connectivity, and frequently cannot be patched easily because of regulatory and operational constraints. When these legacy systems connect to modern IT and cloud environments, they become attractive footholds for attackers seeking lateral movement.

Unlike some sectors, healthcare systems cannot easily be taken offline. Devices supporting patient care cannot simply be disconnected, and patches may require extensive validation to ensure they do not affect clinical performance. The need for continuous availability means vulnerabilities can persist longer, therefore increasing exposure over time. Crucially, the impact goes beyond data. Exploitation of these systems can directly affect diagnostics, treatment delivery and, ultimately, patient safety.

The rise of network infrastructure as a primary target

While endpoints and medical devices have traditionally dominated security discussions, network infrastructure is quietly becoming more critical. Routers, firewalls, and other edge devices that sit at the boundary of healthcare networks are often directly exposed to the internet, making them attractive targets for attackers – particularly when combined with weak credentials, unpatched vulnerabilities, or misconfigurations.

Recent research shows that routers alone account for roughly one-third of the most dangerous vulnerabilities observed in organisational networks, with exploitation of network infrastructure continuing to grow year-on-year. Compromising a network device can provide attackers with broad visibility and control, enabling them to intercept data, redirect traffic, or move laterally across systems without immediately triggering alarms.

AI lowers the barrier to targeted attacks

Overlaying these structural issues is the use of artificial intelligence by threat actors. AI lowers the barrier to sophisticated attacks, enabling attackers to analyse complex environments, identify vulnerabilities and even generate custom tools targeting specific protocols or devices. Our research has already demonstrated how AI can be used to develop tools capable of extracting sensitive data from unencrypted medical communications, exploiting the unique protocols used in clinical environments. Further research demonstrates that AI models are making significant strides in finding and exploiting vulnerabilities.

By using AI, attackers can more readily create tailored, context-aware attacks that are harder to detect and defend against using traditional methods. This may also enable more targeted disruption campaigns, including the potential for hacktivist groups to shift focus towards healthcare systems.

Why current approaches are falling behind

Despite growing investment in cybersecurity, many healthcare organisations are struggling to keep pace with these changes. The issue is not necessarily a lack of tools or controls. In fact, many organisations have accumulated extensive security capabilities over time. But these often operate in silos, creating limited visibility and making it difficult to build a coherent understanding of risk.

This fragmentation is particularly problematic in healthcare, where unmanaged devices, legacy systems and third-party connections are common, and often represent the highest risk with the least visibility. Resource constraints compound the issue. Cybersecurity investment is frequently balanced against immediate clinical priorities, leading to gaps in staffing, tooling, and proactive risk management. Static approaches such as periodic assessments or compliance-driven audits struggle to reflect environments where assets, connections, and threats constantly change.

What needs to change

The first priority is visibility. Organisations need a comprehensive, real-time understanding of all assets across IT, OT, IoT, and IoMT environments. Without this, it is impossible to accurately assess risk or prioritise action. Visibility goes beyond creating a mere inventory: it should build a continuous understanding of how devices are configured, how they communicate and how their risk profile changes over time.

Second, access control and segmentation must evolve beyond traditional models. Within a UZTNA framework, segmentation becomes dynamic and context-aware, adapting to device identity, behaviour, and risk. This allows healthcare organisations to enforce least-privilege access across clinical systems, medical devices and remote environments without disrupting care delivery, and it limits lateral movement. If attackers gain initial access through compromised credentials, vulnerable devices, or exposed infrastructure, dynamic segmentation contains the risk and prevents attackers from reaching critical clinical systems.
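The two priorities above, a living asset inventory and segmentation that reacts to identity, behaviour and risk, can be sketched as one small policy engine. The following is an added illustration written for this article, not Forescout's or any product's code; the device records, the zone-to-zone allow map and the risk weights are constructed assumptions, and the IoMT example mirrors the legacy CT scanner discussed earlier.

```python
"""Toy dynamic-segmentation policy engine (constructed illustration)."""
from dataclasses import dataclass, field


@dataclass
class Device:
    """One inventory record; fields beyond name/kind are what visibility adds."""
    name: str
    kind: str              # "it", "ot", "iot" or "iomt"
    zone: str              # network segment the device lives in
    os_unsupported: bool   # legacy OS that cannot be patched
    baseline: set = field(default_factory=set)  # (dst_zone, port) seen historically
    anomalies: int = 0     # recent flows outside the baseline


def risk_score(d: Device) -> int:
    """0-10, higher is more exposed. Weights are assumed, not a published standard."""
    score = 4 if d.os_unsupported else 0
    if d.kind in ("iomt", "ot"):
        score += 2                      # compromise has direct patient-safety impact
    score += min(d.anomalies, 4)        # behaviour drift raises the profile over time
    return min(score, 10)


# Least-privilege map of which source zone may reach which destination zones (assumed).
ALLOWED = {
    "imaging": {"pacs"},                # modalities only push studies to PACS
    "clinical_ws": {"pacs", "ehr"},
    "remote_patient": {"telehealth_gw"},
}


def decide(src: Device, dst_zone: str, port: int) -> str:
    """Return 'allow', 'allow-monitor' or 'deny' for a single flow from src."""
    if dst_zone not in ALLOWED.get(src.zone, set()):
        return "deny"                   # never permitted by the static map
    novel = (dst_zone, port) not in src.baseline
    if novel:
        src.anomalies += 1              # record the deviation in the inventory
    if risk_score(src) >= 8:
        return "deny"                   # high-risk device is quarantined
    return "allow-monitor" if novel else "allow"


if __name__ == "__main__":
    ct = Device("ct-scanner-1", "iomt", "imaging", True, {("pacs", 104)})
    for dst, port in [("pacs", 104), ("internet", 443), ("pacs", 22), ("pacs", 22)]:
        print(dst, port, decide(ct, dst, port), "risk:", risk_score(ct))
```

Running the sample shows the scanner's usual DICOM push to PACS allowed, any internet-bound flow denied outright, and repeated off-baseline traffic pushing its risk score high enough that even its permitted zone is cut off.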

Third, supply chain risk must be treated as an extension of organisational risk. Healthcare ecosystems rely heavily on external vendors, service providers, and device manufacturers. Understanding these dependencies and planning for their failure is essential for resilience.

Finally, collaboration needs to increase. Threat intelligence sharing, both within healthcare and across sectors, can help organisations stay ahead of emerging threats and respond more effectively.

Looking ahead

The next phase of healthcare cybersecurity will not be defined by a single threat, but by convergence. Connected care will expand. Network infrastructure will remain a critical battleground. AI will make attacks faster and more adaptive. And the line between clinical and digital risk will continue to blur. For healthcare leaders, security must be understood as a core component of patient safety and operational resilience. The organisations that succeed will be those that move beyond reactive, fragmented approaches and build security strategies that reflect the complexity and dynamism of modern healthcare, where protecting patient care comes first.

By: Daniel dos Santos, VP of Research at Forescout