
Ransomware in Healthcare: The Application Threat Vector

Byron McNaught
Published June 13, 2025

The healthcare industry remains a favorite target for attackers as it faces a rising number of security incidents and slow recovery times. Tight budgets and complex infrastructure modernization efforts inevitably leave cybersecurity gaps. While ransomware targets every industry vertical, in healthcare the threat is increasingly driven by application-level attacks, notably exploited vulnerabilities and compromised credentials.

Meeting compliance mandates such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Payment Card Industry Data Security Standard (PCI-DSS) is a business imperative, but protecting protected health information (PHI) is paramount for maintaining competitiveness and patient trust in a rapidly changing industry.

In this blog post, we explore how healthcare organizations are navigating an increasingly difficult balance between delivering personalized patient and provider experiences, now enhanced by AI, and defending against ever-increasing ransomware threats that target the apps and APIs connecting them.

Apps, APIs, and AI are critical to patient care

The convenience of online access to patient portals through electronic health record (EHR) systems and the ability to make payments online is table stakes.

This has not gone unnoticed by bad actors. As described in an article in Healthcare IT News, Silk Typhoon is a Chinese state-sponsored hacking group that targets various sectors, including healthcare and hospitals. By exploiting vulnerabilities in cloud applications to gain unauthorized access to sensitive data, the group has disrupted supply chains and posed significant threats to critical infrastructure.

According to Forrester predictions, half of the top 10 U.S. health insurers will use AI to bolster member advocacy. Epic, a trailblazer in the space, notes that one in four patients would be concerned if their health system were not using AI. Because AI ecosystems are connected via APIs, and their underlying software supply chains include components that extend across hybrid and multicloud environments, AI will widen the attack surface and increase security incidents such as vulnerability exploitation and business logic abuse via bots and malicious automation. The same risks apply to natural language processing (NLP) interfaces that expose generative AI to patients and providers to improve their experience and streamline care.

Compliance mandates are starting to have teeth

U.S. healthcare organizations are quickly finding themselves in an untenable risk position. Despite a 239% increase in hacking-related breaches since 2018, only 42% of them plan to maintain, and some may even decrease, investments in technology that improves cybersecurity and protects privacy. This gap persists even as intelligence agencies and industry associations ring alarm bells over imminent threats to patient care data. While HITECH and PCI-DSS mandates assign responsibility for adequate security, the healthcare industry must understand that simply meeting compliance requirements is no longer sufficient.

Ransomware is being fueled by app attacks

In 2024, the most common attack vectors in healthcare ransomware attacks were exploited vulnerabilities and compromised credentials, and recovery is taking longer because the attacks have grown more complex and more severe. As an example, a series of in-the-wild attacks exploiting an application vulnerability to execute arbitrary code without authentication has been ongoing since January, with threat actors using the bug to deploy web shells that are then abused for follow-on activity.

In addition to vulnerabilities, the business logic exposed by apps and APIs is inherently vulnerable to abuse by bots. According to F5 Labs, advanced persistent bots targeting login flows are most prevalent in the healthcare industry. For example, the decline of genetic testing firm 23andMe was attributed, in part, to a credential stuffing campaign that exposed customer health and ancestry information. Because the bots use legitimate credentials and are not trying to exploit software vulnerabilities, they may not trigger a security alarm: each account typically sees only one or two attempts, so per-account lockout thresholds never fire. Multi-factor authentication (MFA) can help prevent credential stuffing but, due to the rise in real-time phishing proxies (RTPP) that relay the victim's session, one-time code included, to the genuine site, it is not foolproof.
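The paragraph above explains why credential stuffing slips past per-account alarms. The following added example (written for this post; it is not F5 code and not part of the original article) shows the detection logic a defender would run over login logs instead: aggregate attempts per source, look for fan-out across many distinct accounts with a high failure ratio inside a short window, and treat any success inside that burst as an account takeover candidate. The log format, IP addresses, account names and thresholds are all constructed assumptions for the example.

```python
"""Detecting credential stuffing in login logs (added example, not F5 code).

Credential stuffing replays leaked username/password pairs, one or two tries
per account, so per-account lockout counters never reach their threshold.
The usable signal is per-source fan-out: one client touching many distinct
accounts in a short window with a high failure ratio. A success inside such a
burst marks an account whose reused password has just been confirmed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed line format:
#   <ISO-8601 UTC timestamp> ip=<client ip> user=<account> result=<OK|FAIL>
# 203.0.113.5  : stuffing bot, one try per account, 1 hit out of 12
# 198.51.100.7 : legitimate user who mistypes twice, then succeeds
# 192.0.2.10   : shared office NAT, several users, mostly successful
SAMPLE_LOG = """\
2025-06-13T10:00:00Z ip=203.0.113.5 user=alice result=FAIL
2025-06-13T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2025-06-13T10:00:04Z ip=203.0.113.5 user=chen result=FAIL
2025-06-13T10:00:06Z ip=203.0.113.5 user=dave result=OK
2025-06-13T10:00:08Z ip=203.0.113.5 user=erin result=FAIL
2025-06-13T10:00:10Z ip=203.0.113.5 user=faisal result=FAIL
2025-06-13T10:00:12Z ip=203.0.113.5 user=grace result=FAIL
2025-06-13T10:00:14Z ip=203.0.113.5 user=heidi result=FAIL
2025-06-13T10:00:16Z ip=203.0.113.5 user=ivan result=FAIL
2025-06-13T10:00:18Z ip=203.0.113.5 user=judy result=FAIL
2025-06-13T10:00:20Z ip=203.0.113.5 user=mallory result=FAIL
2025-06-13T10:00:22Z ip=203.0.113.5 user=nadia result=FAIL
2025-06-13T10:01:00Z ip=198.51.100.7 user=carol result=FAIL
2025-06-13T10:01:05Z ip=198.51.100.7 user=carol result=FAIL
2025-06-13T10:01:12Z ip=198.51.100.7 user=carol result=OK
2025-06-13T10:02:00Z ip=192.0.2.10 user=omar result=OK
2025-06-13T10:02:03Z ip=192.0.2.10 user=pat result=OK
2025-06-13T10:02:07Z ip=192.0.2.10 user=quinn result=FAIL
2025-06-13T10:02:09Z ip=192.0.2.10 user=quinn result=OK
"""


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str.replace("Z", "+00:00")),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "OK",
    }


def per_account_failures(lines):
    """The view a lockout policy sees: failures per account. Stuffing stays
    at one failure per account, well under any sane lockout threshold."""
    fails = defaultdict(int)
    for e in (parse_line(l) for l in lines if l.strip()):
        if not e["ok"]:
            fails[e["user"]] += 1
    return dict(fails)


def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_accounts=10, min_fail_ratio=0.8):
    """Per-source sliding window: flag a client that hits >= min_accounts
    distinct accounts with a failure ratio >= min_fail_ratio within `window`.
    Returns {ip: finding}; the finding records the widest burst seen and the
    accounts that succeeded inside it (takeover candidates)."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e["user"] for e in win}
            fail_ratio = sum(not e["ok"] for e in win) / len(win)
            if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
                cand = {
                    "accounts": len(accounts),
                    "attempts": len(win),
                    "fail_ratio": round(fail_ratio, 3),
                    "takeover_candidates": sorted({e["user"] for e in win if e["ok"]}),
                }
                if best is None or cand["accounts"] > best["accounts"]:
                    best = cand
        if best is not None:
            findings[ip] = best
    return findings


def run_sample():
    """Convenience wrapper over the constructed log above."""
    return detect_stuffing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print("failures per account:", per_account_failures(SAMPLE_LOG.splitlines()))
    for ip, f in run_sample().items():
        print(f"stuffing from {ip}: {f}")
```

Only the bot's source is flagged; the user who mistypes twice and the shared office address both stay below the fan-out and failure-ratio thresholds. In production the per-source key should be widened beyond the IP (device fingerprint, TLS/JA3 fingerprint, ASN) because stuffing campaigns rotate through residential proxies, and the takeover candidates deserve an immediate forced password reset and session revocation.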

A new baseline is in order

The good news is that the security industry is not starting from zero. For years, organizations have optimized their security inspection capabilities by decrypting SSL/TLS traffic once and dynamically steering it, under policy, to the right inspection tools to maximize investments, streamline policy, and detect ransomware within infrastructure and applications using a defense-in-depth approach.

Web app and API protection platforms further bolster application security defenses against ransomware. Integrated controls can mitigate vulnerability exploits and protect business logic from abuse for web, API, and AI apps across multiple environments, including client browsers, mobile devices, clouds, new interactive interfaces, and the software development lifecycle.

F5 solutions for healthcare help organizations flatten the curve—meeting compliance mandates and mitigating exposure of patient and provider data by thwarting ransomware for any app, any API, anywhere.

For more information, see our Web Application and API Protection webpage.