Cybercrime Ethos: The Shifting Sands of Medical Neutrality
In this blog, Cofense Chief Security Officer Josh Bartolomie explores how cybercriminals have abandoned any notion of medical neutrality, with phishing-driven attacks now deliberately disrupting healthcare operations and putting patient lives at risk. Using real-world incidents like the Change Healthcare and Ascension breaches, Bartolomie shows how a single phishing email can trigger cascading failures, from delayed cancer treatments to massive financial and operational fallout. He concludes that phishing defense must be treated as a life-critical investment, because in today’s healthcare threat landscape, cybersecurity failures can truly become matters of life and death.
By: Josh Bartolomie, Chief Security Officer, Cofense
Introduction: A Paradigm Shift in Threat Actor Behavior
I have always told myself that I never want to become a stereotypical "stuck in time" security graybeard, the infosec equivalent of "back in my day, we walked to school uphill, both ways, in the snow!" My fear is not of being nostalgic, but that I would become unknowingly rigid in my viewpoints and fail to adapt to the ever-changing threat landscape. After closing out the whirlwind of the last few years, I decided to reflect on the trends and patterns I have observed in my 25+ years within the cybersecurity realm. What I found was deeply unsettling.
For as long as I can remember, threat actors appeared to hold themselves to an overall creed, an "honor among thieves" type of ethos. In real-world combat, those involved generally abide by medical neutrality and do not target hospitals or medical personnel in ways that would impact their ability to save lives. In the cyber realm, while healthcare has always been a target, historically when threat actors went after hospitals, clinics, and insurers, it was primarily for information collection rather than actions that could cause immediate operational impact and threaten patient lives.
That implicit demarcation line has shattered. The evidence is now overwhelming: threat actors have abandoned medical neutrality and are targeting not just hospitals but the entire healthcare ecosystem, from small physician practices to the insurance carriers and claims processors that enable care delivery. In 2024, healthcare cyberattacks affected more than 276 million individuals, more than double the prior year.[1] More alarmingly, 28% of healthcare organizations now report increased patient mortality rates following cyberattacks, a 21% relative increase over the 2023 figure.[2]
Phishing: The Gateway to Catastrophe
At the heart of nearly every major healthcare breach lies a deceptively simple attack vector: phishing. Whether the end goal is ransomware deployment, credential theft, or data exfiltration, the initial foothold almost always begins with a carefully crafted email designed to trick a human being into making a mistake. The numbers bear this out: in 2024, 88% of healthcare workers opened phishing emails, and more than 90% of all cyberattacks against the healthcare industry are phishing scams.[3]
Healthcare remains uniquely vulnerable for several reasons. Medical records fetch up to 50 times more than financial information on the black market. The time-sensitive nature of healthcare operations pressures staff into making quick decisions. Complex vendor ecosystems provide countless impersonation opportunities. And healthcare IT security has historically been underfunded. The American Hospital Association's 2025 Cybersecurity Year in Review revealed a critical insight: over 80% of stolen protected health information records were not stolen from hospitals; they were stolen from third-party vendors, software services, and business associates.[4] In practice, that means an organization's phishing exposure includes every business associate that holds or processes its data, not just its own inboxes.
The financial toll reflects this impact. IBM's 2024 Cost of a Data Breach Report found that a data breach in healthcare cost an average of $9.77 million per incident, making healthcare the most costly industry for breaches for the 14th consecutive year.[5]
The AI Arms Race
The phishing landscape has transformed dramatically with artificial intelligence. Security experts have documented a 1,265% surge in malicious phishing emails since Q4 2022, coinciding with the public release of advanced language models.[6] No longer are threat actors sending clumsy emails with multiple typos in the first sentence. Now they are using AI to craft hyper-personalized messages that reference real projects, mimic executive communication styles, and exploit trust relationships with perfect grammar and contextual awareness. The KnowBe4 2025 Phishing Threat Trends Report found that 82.6% of phishing emails now contain AI-generated content.[7]
Consider this: IBM security researchers found that AI needs only 5 prompts and 5 minutes to build a phishing attack as effective as one that would take human experts 16 hours.[8] What took people the better part of two working days can now be done in minutes.
Perhaps most alarmingly, voice cloning technology can now replicate executive voices using as little as 3 seconds of audio from earnings calls, podcasts, or conference presentations. In early 2024, a multinational firm lost $25 million when a finance worker attended what appeared to be a legitimate video conference with the company's CFO and senior leadership; every face on screen was an AI-generated deepfake.[9] Healthcare organizations face the same exposure: executive voices from conference presentations and webinars provide ample training data for attackers.
When the Ecosystem Fails: Change Healthcare
The consequences of successful phishing attacks have evolved dramatically. What once resulted primarily in data theft has expanded over the years to include ransomware deployment, operational disruption, and extortion. Today, attackers understand that healthcare organizations face unique pressures: an inability to simply "shut down" while systems are being restored, multiple regulatory obligations, and most critically, the knowledge that delays in healthcare can, and have, cost lives. These pressures make healthcare organizations more likely to pay ransoms and more vulnerable to rushed decision-making.
The February 2024 attack on Change Healthcare became the most significant cyberattack on the U.S. healthcare system in history, according to the American Hospital Association. Perpetrated by the Russian-speaking ransomware group BlackCat/ALPHV, the breach affected 190 million individuals, more than half of the U.S. population.[10] The attackers entered through a Citrix remote-access portal using compromised credentials; the portal did not have multifactor authentication enabled, so a single stolen password was enough. Change Healthcare processes over 15 billion transactions annually and touches roughly 1 in 3 patient records, so its incapacitation had immediate and devastating effects nationwide.
The disruption extended far beyond billing. Oncology practices reported they could not obtain prior authorization for cancer treatments, which forced them to either administer chemotherapy "flying blind" with no guarantee of payment, or delay potentially life-saving treatment. "If patients can't get their treatment, not just cancer patients, any patients can't take vital drugs... absolutely, positively, I'm sure it's already put some people at risk," stated the Community Oncology Alliance.[11] An AHA survey found 94% of hospitals experienced financial impact, while the American Medical Association reported 80% of practices experienced revenue impact. UnitedHealth Group paid a $22 million ransom, one of the largest payouts in history.[12]
Just three months later, Ascension Health, one of the largest non-profit healthcare systems with 140 hospitals across 19 states, was compromised by a single phishing email. One employee inadvertently downloaded a malicious file, and the Black Basta ransomware group was in. Hospitals diverted ambulances, delayed surgeries, and reverted to manual documentation for over a month.[13] A neonatal ICU nurse reported: "Medications are taking longer to get to patients, lab results are taking longer to get back... if there's a delay in access to the labs, there's a delay in access to the care that they order."[14] The attack compromised 5.6 million patient records and contributed to a $1.8 billion operating loss.[15]
When Cyberattacks Kill
The erosion of medical neutrality is not theoretical or hyperbole; it has resulted in documented patient deaths. The 2024 Ponemon Institute study found that 28% of organizations reported increased patient mortality rates following cyberattacks, with 56% reporting poor patient outcomes due to delays and 53% seeing increased medical procedure complications.[16]
[...]