
MFA and SSO in high-security environments: what NIS2 requires and where conventional solutions fail
18 June 2026
Patient data is worth more on the black market than credit card information. A complete medical record can fetch between €250 and €1,000 on specialized underground forums; when identity documentation is included, the figure exceeds €1,200 per record. A compromised credit card can be cancelled in seconds from a mobile phone. A medical record cannot be cancelled: it is permanent, and the information it contains can be used for identity theft, targeted extortion, and fraud directed at patients with high-cost medical conditions. (Source: Infobae, April 2026)
This reality, combined with the growing digitalization of healthcare systems, has turned hospitals and healthcare providers into the most profitable and most frequently targeted sector for organized cybercrime. Cyberattacks against the Spanish healthcare sector increased by 75% in 2025 compared to the previous year (Source: Pentesting Team, April 2026), and projections for 2026 do not suggest any improvement. According to the Spanish National Cybersecurity Institute (INCIBE), the most common attacks in 2024 involved malware, intrusions, data theft, and ransomware, affecting both primary care centers and large hospitals. (Source: National Health System Cybersecurity Strategy 2025–2028, Ministry of Health) The problem is not merely one of scale; it is structural.
The healthcare attack surface is massive and continues to grow
A modern hospital is not simply a building filled with doctors and patients. It is a network of thousands of interconnected devices, legacy systems, remote access points, third-party providers, and continuous flows of sensitive data. Every one of these connections represents a potential entry point for an attacker. According to the European Union Agency for Cybersecurity (ENISA), the healthcare sector is among the most heavily affected industries, accounting for 8% of all cybersecurity incidents in Europe, behind public administration (19%), but ahead of banking (6%), transportation (6%), and energy (4%). (Source: INCIBE-CERT, January 2024)
Electronic health records and remote consultations
The digitization of medical records has unquestionably improved healthcare delivery. It has also multiplied the number of attack vectors. Physicians accessing patient records from home, nurses reviewing medication schedules on tablets within hospital wards, and specialists providing second opinions through telemedicine all represent potential vulnerabilities if access is not properly controlled and audited.
Unauthorized access to a patient record does not merely compromise privacy. It can alter diagnostic information, modify treatment plans, or serve as an entry point into the broader healthcare infrastructure. Patient information, including electronic health records, laboratory results, demographic information, and administrative data, accounts for 30% of all information stolen during attacks against the healthcare sector. (Source: INCIBE-CERT)
Connected Medical Devices (IoMT)
Internet of Medical Things (IoMT) devices generate average losses exceeding $10 million per incident (Source: Pentesting Team, April 2026), and their adoption in healthcare environments continues to accelerate. These devices include vital sign monitors, infusion pumps, diagnostic imaging equipment, ventilators, and cardiac telemetry systems. An estimated 77% of hospital systems contain known vulnerabilities, making them particularly susceptible to cyberattacks. Many of these devices operate using outdated firmware, lack robust authentication mechanisms, and are connected to the same networks as administrative systems.
A compromised insulin pump or manipulated anesthesia machine is not a theoretical threat. Medical device control systems, including infusion pumps and cardiac monitors, can be compromised and directly impact patient safety in critical situations. (Source: Infobae, March 2024)
Remote intervention and monitoring
Remote robotic surgery, chronic patient monitoring from centralized facilities, and remote intensive care supervision are already realities in many leading healthcare institutions. These systems depend on stable, encrypted, low-latency network connections.
Any disruption, whether through a denial-of-service attack, session hijacking, or identity spoofing, can have immediate and irreversible consequences for patient safety. Digital transformation is revolutionizing healthcare through innovations such as telemedicine and AI-assisted diagnostics, but cyberattacks can delay medical interventions and disrupt emergency services. (Source: European Commission, Healthcare Cybersecurity Action Plan, January 2025)
Critical building infrastructure
Healthcare cybersecurity extends far beyond clinical data. Hospitals rely on Operational Technology (OT) systems to manage essential functions:
- Refrigeration systems: cold-storage facilities for vaccines, temperature-sensitive medications, and biological samples. A cyberattack affecting temperature control systems can destroy high-value inventories.
- Energy infrastructure: emergency generators, UPS systems, and intelligent electrical control panels. Many are connected to remotely managed networks accessible from external locations.
- HVAC and ventilation systems: critical in operating rooms, isolation wards, and high-risk biological environments. Their manipulation can compromise sterility and patient safety.
- Physical access control systems: doors, elevators, and restricted areas integrated with IT platforms.
The convergence of IT and OT in healthcare environments exponentially expands the attack surface, and most healthcare organizations lack comprehensive visibility into it. Researchers warn that an attack against a hospital’s electrical infrastructure could disrupt emergency services and place lives at risk. (Source: IBM Security, November 2025)
The supply chain: the weakest link
Hospitals work with dozens of suppliers, including laboratories, maintenance providers, pharmaceutical distributors, and technology integrators. Many connect directly to internal hospital systems to perform updates, remote diagnostics, or data transfers.
If one of these suppliers is compromised, attackers gain legitimate access, using valid credentials, to the healthcare organization’s internal environment.
Among the healthcare sector’s most significant cybersecurity concerns are supply chain attacks, third-party breaches, and zero-day vulnerabilities. (Source: Health-ISAC Annual Threat Report 2025, cited by SentinelOne)
In 2025, the volume of large-scale supply chain attacks surpassed every previous annual record.
Real cases: what happened and what could have been prevented
Attacks against the healthcare sector are not abstract statistics. They are documented incidents with concrete operational, human, and economic consequences. We analyze the most relevant cases of recent years and the measures that would have mitigated them, or directly prevented them.
Case 1 — Hospital Clínic de Barcelona (2023)
What happened?
On the morning of March 5, 2023, the ransomware group RansomHouse compromised the systems of Hospital Clínic de Barcelona, one of Spain’s most important reference hospitals. The immediate result: 150 surgical procedures cancelled, more than 2,000 consultations and oncology radiotherapy sessions suspended, and the complete shutdown of emergency, laboratory, and pharmacy services. More than 4,000 laboratory tests were not performed and over 11,000 outpatient appointments were postponed.
The attackers demanded a ransom of $4.5 million. Following the refusal of both the hospital and the Catalan regional government to pay, they progressively leaked the stolen data on the dark web: 4 terabytes of sensitive information including medical records, health conditions, and employee data. Hospital Clínic required weeks to recover normal operations. (Source: Channel Partner, February 2024 / Infobae, April 2026)
What failed?
Investigations pointed to compromised credentials and poorly configured systems as the entry vectors. (Source: ESET Spain / Channel Partner) Once inside, the attackers moved laterally across the network without encountering barriers capable of containing the spread. The absence of effective segmentation allowed the ransomware to reach critical systems in a cascading manner.
How could it have been prevented?
With robust multifactor authentication applied to all access points, including remote access, the use of compromised credentials would not have been sufficient to gain entry. With effective network segmentation, even if initial access had been achieved, the attacker would have remained confined to a segment without the ability to reach critical clinical systems. With real-time session traceability, anomalous behavior could have been detected and stopped before the ransomware was deployed.
Case 2 — Change Healthcare / UnitedHealth Group (2024)
What happened?
In February 2024, the ALPHV/BlackCat group carried out the largest known attack against a healthcare organization in history. The entry vector was a Citrix remote access portal that did not have multifactor authentication enabled. Using simple compromised credentials, the attackers gained access to the system and deployed ransomware on February 21, encrypting all Change Healthcare environments.
The impact was catastrophic: billing systems were halted, insurance claims were delayed, pharmacies, including military pharmacies, were disrupted nationwide, and 74% of U.S. hospitals reported direct impacts on their operations, with 60% requiring between two weeks and three months to recover. UnitedHealth paid a ransom of $22 million. In January 2025, the company confirmed that the breach had affected 190 million U.S. citizens: the largest medical data breach in history. Reported losses exceeded $1 billion. (Source: IBM Think, December 2025 / Forgenex, May 2026)
What failed?
A single remote access point without MFA. UnitedHealth’s own CEO stated before the U.S. Congress that the direct cause of the attack was the absence of multifactor authentication on that portal. (Source: IBM Think) One stolen credential was enough to compromise the entire infrastructure of the world’s largest healthcare company.
How could it have been prevented?
This case is the clearest and most documented example of how the absence of MFA turns remote access into an open door. With MFA enabled, credential theft would not have been sufficient. With a centrally managed credential vault, without direct exposure to the remote access provider, the attack surface would have been minimal. With network segmentation, the propagation to billing and operational systems could not have occurred at the speed and scale that it did.
Case 3 — Romania: 21 hospitals simultaneously (2024)
What happened?
In February 2024, a single ransomware attack simultaneously compromised at least 21 Romanian hospitals, while another 79 healthcare facilities voluntarily disconnected their systems to prevent further propagation. The cybercriminals demanded 3.5 bitcoins, approximately €175,000, in exchange for the decryption key. The healthcare infrastructure of an entire country was brought to a standstill within hours. (Source: COPE / healthcare cybersecurity expert, October 2025)
What failed?
The interconnection of hospital systems without isolation between entities allowed a single compromised entry point to trigger a nationwide domino effect. The absence of segmentation between hospitals, and within each hospital, was the factor that multiplied the damage.
How could it have been prevented?
Network segmentation is the measure that turns an incident into a contained incident. If each hospital, and each functional area within it, operates in an isolated segment with strict access policies, the compromise of one cannot automatically spread to the next. A centralized access management system would have enabled anomalous behavior to be detected before the ransomware reached the second system.
Case 4 — NYC Health + Hospitals: 76 days of invisible access (2026)
What happened?
In May 2026, New York City’s largest public healthcare system confirmed that attackers had accessed its network from November 25, 2025, until February 2, 2026: 76 days of undetected presence. During that period, they stole personal data, medical records, and biometric information, including fingerprints and palm prints, belonging to 1.8 million individuals. The entry vector was the technology supply chain: attackers gained access through an external supplier with legitimate access to hospital systems.
Stolen biometric data is particularly serious: unlike a password or a card, a fingerprint cannot be changed. The breach is permanent for each of the 1.8 million affected individuals. (Source: WWWhatsnew, May 2026)
What failed?
An external supplier with access to internal systems but without adequate session controls and without independent monitoring. This is the most common pattern in attacks against the healthcare sector: large hospitals have dozens of suppliers with access to their systems, and the technology supply chain is the weakest point of perimeter defense. (Source: ibid.) The period of undetected access is precisely what attackers use to map the network, identify the most valuable data, and exfiltrate it.
How could it have been prevented?
With a credential vault for external suppliers, third-party access would have been managed through temporary, single-use credentials audited in real time, without the supplier retaining reusable credentials. With complete session traceability, a 76-day access period would have generated alerts within the first hours: after-hours activity, data access volumes outside normal patterns, and unusual navigation paths. Early detection would have transformed a massive breach into a minor and contained incident.
Case 5 — Managed service provider attack with cascading impact (2025)
What happened?
In 2025, the DragonForce ransomware gang compromised the infrastructure of a Managed Service Provider (MSP) and distributed its ransomware simultaneously across all of the provider’s customers. The vector was a known critical vulnerability in the SimpleHelp remote management tool, patched in January 2025 but not applied by the MSP. Healthcare organizations relying on that provider found themselves compromised despite having done nothing wrong themselves. (Source: Kaspersky Blog, April 2026)
What failed?
Implicit trust in the provider. The MSP’s access to customer systems lacked granular restrictions and independent monitoring. Once the MSP was compromised, its customers were automatically compromised as well. The lack of visibility over third-party access transformed the provider’s negligence into a widespread incident.
How could it have been prevented?
With a supplier access architecture based on credentials centrally managed by the hospital, not by the provider, the MSP’s access would have been limited, monitored, and revocable in real time. At the first sign of anomalous behavior, access could have been terminated without affecting hospital operations. Traceability of every action performed during the session would have made it possible to determine the exact scope of the damage and respond in an informed manner.
The common pattern: attacks that should never have been possible
The analysis of these cases reveals that most major incidents in the healthcare sector share a common denominator: remote access without sufficient authentication, lack of segmentation, and limited visibility into what third parties are doing within the network.
These are not failures of technological sophistication. They are failures of access architecture. And they are failures that have a solution. As leading industry analysts point out, ransomware rarely begins with encryption: it begins with access, persistence, and sufficient time to map the internal structure before applying visible pressure. (Source: ZDU, March 2026)
On average, an attacker needs only six hours to design and execute a successful attack against a healthcare organization, while the victim organization will require more than 420 hours of technical staff time to identify, contain, and recover from it. (Source: Infobae, March 2024)
The healthcare sector can no longer afford perimeter security models that assume everything “inside” is trustworthy. In a hospital, the perimeter no longer exists: there are external suppliers, remote clinical access, IoMT devices without security agents, building OT systems, and connections with laboratories, pharmaceutical companies, and insurers. Trust cannot be the default condition. Access must be earned during every session.
The regulatory framework tightens: NIS2 and the National Health System strategy 2025–2028
The NIS2 Directive designates hospitals and healthcare service providers as highly critical sectors, with specific obligations including risk management, proportionate technical measures, incident notification within less than 24 hours, and periodic audits. Non-compliance may result in significant financial penalties.
In November 2025, the Interterritorial Council of the National Health System approved the National Health System Cybersecurity Strategy 2025–2028, built around twelve strategic pillars that explicitly include supply chain protection, crisis management, and secure technology procurement. (Source: Spanish Ministry of Health, November 2025)
In January 2025, the European Commission launched a comprehensive Action Plan structured around four pillars: prevention, early detection, rapid response, and deterrence. As part of the plan, an EU-wide early warning service will be established to provide near real-time alerts regarding potential cyber threats targeting the healthcare sector, expected to be operational before the end of 2026. (Source: European Commission / EU Public Health)
The regulatory clock is ticking. Organizations that fail to act now will assume both operational and regulatory risk.
How Endurance protects critical access in healthcare environments
Cybersecurity in healthcare is not solved with antivirus software or perimeter firewalls. It requires controlling who accesses systems, from where, to what resources, and with what level of privilege, in real time, with complete traceability and without operational friction for healthcare professionals.
Endurance, Cosmikal’s secure remote workspace solution, is designed for environments where remote access is unavoidable, assets are highly heterogeneous, and the impact of a breach can be devastating. Among other capabilities, we address five key areas that directly mitigate the vulnerabilities that made the previously described incidents possible.
Multifactor Authentication (MFA) without third-party dependency
The Change Healthcare attack was possible because a remote access portal did not have MFA enabled. Endurance implements robust multifactor authentication across all access points, clinical, administrative, and maintenance, without relying on third-party providers. Every access request is authenticated through multiple factors before being granted. Stolen credentials alone are not enough.
Encrypted credential vault for third-party access
External providers access systems through credentials managed centrally by the hospital, without the providers themselves knowing or being able to reuse those credentials outside the authorized context.
When DragonForce compromised the MSP, the provider’s own credentials became the bridge into the customer environment. With a credential vault managed by the hospital, that bridge does not exist: the credentials belong to the hospital, not to the provider.
Complete traceability of remote sessions
NYC Health + Hospitals had an intruder inside its network for 76 days without detecting them. With Endurance’s full session traceability, every access is recorded with complete metadata: user, origin, duration, and actions performed.
Anomalous behaviors generate alerts. A 76-day access period leaves visible traces within the first few hours: unusual schedules, abnormal volumes of accessed data, and uncommon navigation paths. This traceability is also essential for compliance with NIS2 and the Spanish National Security Framework (ENS).
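The detection logic described here and in the NYC Health + Hospitals case above (after-hours activity, data volumes outside the user's baseline, and navigation to resources or from origins never seen before) can be illustrated with a small per-user baseline detector. This is an added example, not Endurance code or any Cosmikal logging format: the pipe-delimited session log, the account name, the addresses and the 07:00–19:59 business-hours window are all constructed for the demonstration.

```python
"""Flag anomalous remote sessions from constructed session log lines.

Added example (not Cosmikal/Endurance code). It assumes a simple
pipe-delimited session log constructed here for the demo:
  timestamp|user|origin|resource|bytes_read
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: a maintenance vendor account that normally works
# weekday business hours on the imaging system, then starts reading an EHR
# export service at night, from a new address, in very large volumes.
SAMPLE_LOG = """\
2025-11-20T10:12:03|vendor-imaging|203.0.113.10|pacs-01|120000
2025-11-21T11:40:55|vendor-imaging|203.0.113.10|pacs-01|98000
2025-11-24T09:05:17|vendor-imaging|203.0.113.10|pacs-01|110000
2025-11-25T14:22:41|vendor-imaging|203.0.113.10|pacs-01|105000
2025-11-26T02:48:09|vendor-imaging|198.51.100.7|ehr-export|48000000
2025-11-27T03:15:33|vendor-imaging|198.51.100.7|ehr-export|61000000
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59, an assumed policy window
MIN_BASELINE = 3                # sessions needed before volume is judged


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, origin, resource, nbytes = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "origin": origin,
            "resource": resource,
            "bytes": int(nbytes),
        })
    return events


def detect_anomalies(events, sigma=2.0):
    """Return (timestamp, user, reason) tuples for events that deviate from
    the user's own history. The baseline is learned only from sessions that
    raised no alert, so one anomalous session cannot poison it."""
    alerts = []
    seen_resources = defaultdict(set)
    seen_origins = defaultdict(set)
    volumes = defaultdict(list)

    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        reasons = []
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("after-hours access")
        if len(volumes[user]) >= MIN_BASELINE:
            mu, sd = mean(volumes[user]), pstdev(volumes[user])
            if ev["bytes"] > mu + sigma * max(sd, 1):
                reasons.append("data volume outside baseline")
        if seen_resources[user] and ev["resource"] not in seen_resources[user]:
            reasons.append("unusual navigation path (new resource)")
        if seen_origins[user] and ev["origin"] not in seen_origins[user]:
            reasons.append("new origin address")

        if reasons:
            alerts.extend((ev["ts"].isoformat(), user, r) for r in reasons)
        else:
            # learn from clean sessions only
            volumes[user].append(ev["bytes"])
            seen_resources[user].add(ev["resource"])
            seen_origins[user].add(ev["origin"])
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user}: {reason}")
```

The first four sessions build the baseline silently; the two night-time sessions each raise four alerts (after-hours, volume, new resource, new origin), which is the "visible within the first hours" signal the text refers to. The choice to learn only from clean sessions is deliberate: if the first anomalous session were folded into the baseline, the second one would look far less unusual.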
Network segmentation
Hospital Clínic de Barcelona and the 21 Romanian hospitals shared the same problem: once inside, the ransomware spread without encountering internal barriers.
Endurance enables logical isolation of the hospital’s different environments: clinical systems, administrative systems, IoMT devices, and OT infrastructure. The compromise of a diagnostic device does not imply that an attacker can move laterally into electronic health record systems or infrastructure controls.
Segmentation transforms a potentially catastrophic incident into a contained and manageable problem.
Technological sovereignty: a Spanish manufacturer listed in the NATO catalogue
Endurance is the only Spanish solution included in NATO’s NIAPC catalogue within the Access Control category: the benchmark standard for critical infrastructures and high-security environments.
For the Spanish healthcare sector, this means choosing a certified solution validated against the most demanding standards, developed in Spain, with full control over source code and data, without dependence on foreign manufacturers, and with direct support from the Cosmikal team.
The cost of not acting
A typical ransomware attack costs healthcare organizations up to $900,000 per day in downtime alone. (Source: Microsoft Security Insider, 2024) The average ransom cost in the sector is $4.4 million. In cases such as Change Healthcare, the figure exceeded $1 billion. Healthcare data breaches have remained the most expensive of any industry for 12 consecutive years. (Source: Computing.es / ENISA, September 2023)
But beyond the numbers: when a core system fails, physicians cannot check allergies before administering medication. Surgeons cannot access preoperative tests. Oncologists cannot continue treatment protocols. Contingency plans may allow healthcare delivery to continue for 48 hours; maintaining normal standards of care is impossible without IT systems. As healthcare leaders who have experienced these incidents point out: returning to the 1990s is simply not an option, because many things would no longer function at all.
The healthcare sector can no longer afford to treat cybersecurity as an additional layer placed on top of existing systems. It requires a secure access architecture that is native to its operations: transparent for healthcare professionals, strict with attackers, and fully traceable for auditors.
Endurance protects access. Protects assets. Protects continuity of care.
Frequently asked questions about cybersecurity in the healthcare sector
Why is the healthcare sector the most targeted by cybercriminals?
The healthcare sector combines three factors that make it the preferred target of organized cybercrime: the high criticality of its services (any disruption can have life-threatening consequences, increasing the likelihood that a ransom will be paid), the enormous value of its data on the black market (a complete medical record can be worth between €250 and €1,000, compared to only a few cents for a credit card), and the heterogeneity of its technological infrastructure (legacy systems, IoMT devices, third-party remote access, and IT/OT convergence that continuously expands the attack surface).
What is ransomware and how does it affect a hospital?
Ransomware is a type of malware that encrypts the victim organization’s systems and data, making them inaccessible until a ransom is paid. In a hospital, this can mean the cancellation of surgeries, the disruption of emergency services, the inability to access medical records, or the inability to operate diagnostic equipment.
In double-extortion attacks, which are becoming increasingly common, attackers also threaten to publish stolen data if the ransom is not paid. Hospital Clínic de Barcelona (2023) and Change Healthcare (2024) are two of the most extensively documented examples.
What obligations does the NIS2 Directive impose on healthcare organizations?
The NIS2 Directive classifies hospitals and healthcare service providers as highly critical entities. This entails the obligation to implement a cyber risk management framework, apply technical and organizational measures proportionate to the threat level, report any significant incident to the competent authority within 24 hours of detection, and undergo periodic audits.
Failure to comply may result in significant financial penalties, in addition to the reputational and operational consequences arising from the incident itself.
What is network segmentation and why is it crucial in healthcare?
Network segmentation consists of dividing a hospital’s technological infrastructure into isolated segments, clinical, administrative, IoMT, and OT, with strict access controls between them.
Its importance lies in containment: if an attacker succeeds in compromising a device or system within one segment, segmentation prevents lateral movement to the rest of the network. Without it, as demonstrated by Hospital Clínic de Barcelona and the 21 Romanian hospitals attacked simultaneously in 2024, a single point of entry can compromise the entire organization’s infrastructure.
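The containment property described here, and in the Network segmentation section above, comes down to a default-deny policy between segments with a short explicit allow-list. The following added example (not Endurance code; the address plan, ports and flows are constructed) classifies hosts into the four segments the text names, evaluates flows against the allow-list, and counts the denied cross-segment attempts per source host, which is the signal a segmented network produces when a compromised device tries to move laterally.

```python
"""Default-deny segmentation policy with lateral-movement reporting.

Added example, not Cosmikal/Endurance code. Segment address ranges,
allow rules and sample flows are constructed for the demonstration.
"""
import ipaddress
from collections import Counter

# Constructed address plan: one /16 per segment named in the text.
SEGMENTS = {
    "clinical": ipaddress.ip_network("10.10.0.0/16"),
    "admin": ipaddress.ip_network("10.20.0.0/16"),
    "iomt": ipaddress.ip_network("10.30.0.0/16"),
    "ot": ipaddress.ip_network("10.40.0.0/16"),
}

# Explicit allow rules as (source segment, destination segment, dst port).
# Everything not listed is denied, including traffic inside a segment.
ALLOW = {
    ("clinical", "clinical", 443),   # workstations to the EHR web front end
    ("admin", "clinical", 443),      # administrative staff to the EHR
    ("iomt", "clinical", 2575),      # HL7 results from devices to the EHR gateway
}


def segment_of(ip):
    """Return the segment name an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip, dst_ip, dst_port):
    """Default deny: a flow passes only if an explicit rule matches."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if "unknown" in (src, dst):
        return False
    return (src, dst, dst_port) in ALLOW


def lateral_movement_report(flows):
    """Count denied cross-segment attempts per source host. One host probing
    several other segments is the footprint of an intruder mapping the network."""
    denied = Counter()
    for src, dst, port in flows:
        if segment_of(src) != segment_of(dst) and not is_allowed(src, dst, port):
            denied[src] += 1
    return denied


# Constructed flows: a device in the IoMT segment sends its results normally,
# then tries to reach file sharing on the EHR host, remote desktop in the
# administrative segment, and a building controller in the OT segment.
SAMPLE_FLOWS = [
    ("10.30.5.12", "10.10.1.5", 2575),   # allowed: HL7 to the EHR gateway
    ("10.30.5.12", "10.10.1.5", 445),    # denied
    ("10.30.5.12", "10.20.1.9", 3389),   # denied
    ("10.30.5.12", "10.40.2.2", 502),    # denied
    ("10.20.3.4", "10.10.1.5", 443),     # allowed: admin staff to the EHR
    ("10.10.7.7", "10.10.1.5", 443),     # allowed: clinical workstation to the EHR
]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_FLOWS:
        print(src, "->", dst, port, "ALLOW" if is_allowed(src, dst, port) else "DENY")
    print(lateral_movement_report(SAMPLE_FLOWS))
```

The report is meant to be fed to the same alerting pipeline as session logs: three denied attempts from one device into three different segments within a short window is exactly the pattern that, without segmentation, would simply have succeeded silently.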
How does multifactor authentication (MFA) protect against cyberattacks in healthcare?
MFA requires users to verify their identity through at least two independent factors before accessing a system: something they know (password), something they have (mobile device, token), or something they are (biometrics).
This means that even if an attacker manages to steal or purchase valid credentials, they cannot access the system without the second factor. The Change Healthcare attack in 2024, the largest in healthcare history, affecting 190 million individuals, was made possible directly by the absence of MFA on a remote access portal.
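The "something you have" factor described here, and in the MFA section above, is most often a time-based one-time password (TOTP, RFC 6238) generated on the user's phone or token. The following added example (not Endurance code) implements HOTP/TOTP verification with a small clock-skew window and shows why a stolen password alone fails the check. The secret is the RFC 6238 reference test key, used only so the output can be checked against the published vectors; the password check is a placeholder comparison, whereas a real system compares against a salted hash.

```python
"""Password plus TOTP second factor (RFC 4226 HOTP / RFC 6238 TOTP).

Added example, not Cosmikal/Endurance code. DEMO_SECRET is the RFC 6238
reference key, not a real credential.
"""
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"   # RFC 6238 test key (ASCII)
STEP = 30                               # time step in seconds
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time=None, window=1):
    """Accept the code for the current step or +/- `window` adjacent steps to
    tolerate clock skew. Comparison is constant-time to avoid timing leaks."""
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), candidate):
            return True
    return False


def authenticate(stored_password, presented_password, secret, code, unix_time=None):
    """Require both factors. Returns (ok, reason). The password comparison is a
    placeholder for a salted-hash check; the point is that a correct password
    with a wrong or missing code is still rejected."""
    if not hmac.compare_digest(stored_password.encode(), presented_password.encode()):
        return False, "bad password"
    if not verify_totp(secret, code, unix_time):
        return False, "bad or missing second factor"
    return True, "authenticated"


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(DEMO_SECRET, now))
    print(authenticate("demo-password", "demo-password", DEMO_SECRET, totp(DEMO_SECRET, now)))
    print(authenticate("demo-password", "demo-password", DEMO_SECRET, "000000"))
```

A code is only valid for its 30-second step (plus the adjacent steps the window admits), so a credential harvested from a phishing page or a leaked password database is useless without the device that holds the secret. Keep the window small: every extra step you accept widens the interval during which an intercepted code can be replayed.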
What cybersecurity risks do external providers pose to a hospital?
External providers, maintenance companies, MSPs, laboratories, technology integrators, and others, often require legitimate access to the hospital’s internal systems to perform updates, remote diagnostics, or data transfers.
If that provider is compromised, the attacker inherits its credentials and access privileges, entering the hospital network without triggering alarms. This attack vector is known as a supply chain attack, and it is among the most difficult to control using traditional perimeter security models.
The solution is to manage third-party credentials centrally from within the hospital, using temporary, audited, and real-time revocable access.
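The model described here, and in the credential vault section above (credentials issued and held by the hospital, temporary, single-use, audited and revocable in real time), can be shown with a small just-in-time access vault. This is an added example, not Endurance code: the vendor names, target systems and the manual clock are constructed so that expiry and revocation can be exercised deterministically.

```python
"""Just-in-time third-party access grants: short-lived, single-use,
audited and instantly revocable. Added example, not Cosmikal/Endurance code;
vendor and target names are constructed."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    vendor: str
    target: str
    issued_at: float
    expires_at: float
    used: bool = False
    revoked: bool = False


class ManualClock:
    """Injectable time source so expiry can be tested without sleeping."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class VendorAccessVault:
    def __init__(self, clock):
        self._clock = clock
        self._grants = {}      # sha256(token) -> Grant; the token itself is never stored
        self.audit = []        # append-only record of every issue/redeem/deny/revoke

    def _log(self, event, **fields):
        self.audit.append({"t": self._clock(), "event": event, **fields})

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, vendor, target, ttl_seconds):
        """Mint a one-time token bound to one vendor and one target system."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._grants[self._key(token)] = Grant(vendor, target, now, now + ttl_seconds)
        self._log("issued", vendor=vendor, target=target, ttl=ttl_seconds)
        return token   # shown to the vendor once; only its hash is kept

    def redeem(self, token, target):
        """Open a session if the grant is unused, unexpired, unrevoked and
        bound to the requested target. Returns (ok, reason)."""
        g = self._grants.get(self._key(token))
        now = self._clock()
        if g is None:
            reason = "unknown token"
        elif g.revoked:
            reason = "revoked"
        elif g.used:
            reason = "already used"
        elif now > g.expires_at:
            reason = "expired"
        elif g.target != target:
            reason = "wrong target"
        else:
            g.used = True
            self._log("session_opened", vendor=g.vendor, target=target)
            return True, "ok"
        self._log("denied", vendor=g.vendor if g else None, target=target, reason=reason)
        return False, reason

    def revoke_vendor(self, vendor):
        """Kill every still-active grant for a vendor; returns how many."""
        now = self._clock()
        n = 0
        for g in self._grants.values():
            if g.vendor == vendor and not (g.revoked or g.used) and now <= g.expires_at:
                g.revoked = True
                n += 1
        self._log("revoked_all", vendor=vendor, count=n)
        return n


if __name__ == "__main__":
    clock = ManualClock()
    vault = VendorAccessVault(clock)
    tok = vault.issue("msp-remote", "hvac-controller-01", ttl_seconds=900)
    print(vault.redeem(tok, "hvac-controller-01"))   # (True, 'ok')
    print(vault.redeem(tok, "hvac-controller-01"))   # (False, 'already used')
    for entry in vault.audit:
        print(entry)
```

Because the vault stores only the hash of each token, a provider (or anyone who compromises it) has nothing reusable to carry away; because the hospital owns the issuance and revocation path, an MSP compromise can be cut off with one call without touching the hospital's own accounts.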
What is Endurance and how does it help protect healthcare infrastructures?
Endurance is a secure remote workspace solution developed by the Spanish cybersecurity company Cosmikal.
It integrates multiple capabilities into a single solution. These include, among others: multifactor authentication (MFA), Single Sign-On (SSO), a credential vault for external providers, complete traceability of remote sessions, and network segmentation.
It is designed for critical infrastructure environments where remote access is unavoidable and the impact of a security breach can be severe.
It is the only Spanish solution included in NATO’s NIAPC catalogue within the Access Control category, making it a benchmark for organizations that require the highest standards of security and technological sovereignty.
Why is it important for a healthcare cybersecurity solution to be developed in Spain?
Technological sovereignty in cybersecurity means that the organization adopting the solution knows who develops it, where the data is stored, which third parties have access to the source code, and under which legal framework the manufacturer operates.
A Spanish solution is subject to both European and Spanish legislation, audited by national authorities, and its support does not depend on external supply chains or geopolitical decisions.
In the case of Endurance, its inclusion in NATO’s NIAPC catalogue adds a level of international validation that very few solutions can demonstrate.
Would you like to know how Endurance can be adapted to your healthcare organization’s infrastructure? Contact the Cosmikal team and we will analyze your case with no obligation.