Healthcare faces cyberattack every 10 hours – driven by known flaws and high ransom payments

Attackers aren’t using new techniques – they’re exploiting known weaknesses, and healthcare is paying

Healthcare organizations are being hit by cyberattacks at an alarming rate – about every 10 hours – and attackers are succeeding using vulnerabilities that are already known and fixable, according to new research from Securin.

“Ransomware in healthcare has become a repeatable business model,” said Dr. Srinivas Mukkamala, CEO of Securin. “Attackers are walking through doors that were left open – and getting paid for it. Once they’re inside, the disruption is so severe that organizations are often forced into costly decisions – in many cases tied to issues that could have been addressed earlier.”

The problem is getting worse for a simple reason: attackers are succeeding – and once inside, the cost of disruption often forces difficult decisions. Ransom payment rates range from 68% to 72%, making the sector one of the most reliable and profitable targets for cybercriminals.

This isn’t about sophisticated, never-before-seen threats. Every vulnerability exploited in these attacks is already listed in the U.S. government’s Known Exploited Vulnerabilities (KEV) catalog.

Attackers are repeatedly exploiting unfixed, well-documented weaknesses, allowing them to scale attacks quickly using proven, repeatable methods.

The report analyzed 592 incidents across 94 ransomware groups between January 2025 and February 2026:

  • 59% of attacks involved ransomware
  • 56% targeted U.S.-based organizations

How attackers are getting in

Securin identified 29 actively exploited vulnerabilities, with a clear pattern:

  • Authentication bypass is the most common entry point
  • VPN and remote access systems account for roughly one-third of initial access
  • Attackers often exploit vulnerabilities long after they are disclosed and patchable

Across incidents, attackers follow the same sequence:

  • Initial access
  • Credential harvesting
  • Lateral movement
  • Data exfiltration
  • Encryption

In many cases, access to healthcare systems is purchased for as little as $2,000 to $50,000, lowering the barrier to entry.

Certain groups – including Qilin, Incransom, and Cl0p – have scaled attacks by exploiting the same vulnerability across multiple organizations.

Why healthcare continues to be targeted

Healthcare remains a top target because the economics favor attackers:

  • 68-72% ransom payment rate (vs. ~40% in other sectors)
  • Medical records sell for $250-$1,000 each
  • Hospitals can lose $1M-$2M per day during disruptions

Faced with these pressures, many organizations make difficult decisions to restore operations quickly – reinforcing the cycle attackers rely on.
