Health-ISAC’s 2025 Fourth Quarter Health Sector Heartbeat shows a sharp rise in cyber incidents, pointing to continued escalation into 2026. A total of 4,043 incidents were recorded across all sectors in the first half of 2025, increasing to 4,860 in the second half. With 8,903 incidents logged for the full year, activity surpassed 2024 levels of 5,744, marking a 55% increase year over year. Incidents affecting the health sector also climbed, though at a slower pace. In 2025, 585 health-sector incidents were recorded, up from 476 in 2024, a 21% increase.
During the last quarter, Health-ISAC issued 183 targeted alerts to member organizations with potentially vulnerable infrastructure. The most common themes of the Targeted Alerts sent in Q4 2025 were a critical cross-site scripting (XSS) vulnerability in Ivanti Endpoint Manager, open and exposed databases, exposed remote access tools, and remote code execution (RCE) bugs in Windows Server Update Services (WSUS).
Health-ISAC observed a trend of cybersecurity incidents and data breaches impacting health sector organizations over the past year. Ransomware events have exhibited a consistent upward trend over the past few years. The fourth quarter of 2025 was no exception, marking a ‘significant increase’ in health sector ransomware incidents compared to previous quarters of 2025.
Threat actors frequently advertise stolen data or access to organizations’ systems for sale on various underground forums. In some cases, these posts reveal the names of organizations allegedly breached. Sometimes, threat actors conceal the victims’ identities and provide details such as the company’s revenue or sector to indicate the value of the data being auctioned.
The agency noted that payment is typically demanded in a selected cryptocurrency. “These transactions are sometimes facilitated by middlemen like forum administrators. Often, threat actors share a sample of the stolen data to demonstrate its legitimacy; however, there are rarely any details regarding the origin of the data present in the samples.”
Health-ISAC also disclosed that in the fourth quarter of 2025, there were multiple cases in which threat actors listed data allegedly stolen from health sector organizations. On Nov. 14, a user operating under the name RAZOR-X posted on a Russian-language cybercrime forum claiming to sell initial access to networks in the U.S., Canada, the U.K., Australia, and the European Union, including access to two health sector companies.
The agency disclosed that the first company was described as having an annual revenue of US$11 million. The forum user said that access to this company was through a Fortinet VPN and includes domain administrator privileges on the network. The second health-sector entity is described as having annual revenue of $25 million. “The access to this network is also through Fortinet VPN and includes domain user privileges, according to the forum user. They did not state a price for the alleged network accesses and encouraged interested parties to contact them via private message on the forum for more information.”
Highlighting the Akira ransomware, Health-ISAC said that since its inception, the group has been an opportunistic and financially motivated threat actor, targeting critical infrastructure organizations worldwide, including healthcare organizations across various subsectors, such as hospitals and medical device manufacturers. “The group’s operational methodology follows a double-extortion model, beginning with aggressive initial access frequently exploiting Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) vulnerabilities, or using stolen credentials. Once a foothold is established, Akira affiliates employ a living-off-the-land approach, utilizing specialized reconnaissance tools like AdFind and SoftPerfect Network Scanner to map Active Directory environments and identify high-value targets for lateral movement.”
The agency noted that Akira has Rust-based variants and variants that use C++, once again showing its adaptability. “The group’s persistent focus on VMware ESXi hypervisors underscores a broader trend in the ransomware industry. Because virtualization is the backbone of modern enterprise infrastructure, compromising a single hypervisor enables an attacker to simultaneously paralyze an entire suite of virtual machines. As one of the more prolific threat actors on the scene, Akira Ransomware is likely to continue posing a persistent threat to the health sector.”
Health sector organizations are prime targets for Akira Ransomware because of the critical nature of their operations and the high value of the medical data they hold. The group exploits the sector’s reliance on legacy systems, limited cybersecurity budgets, and the critical need for operational continuity.
The Health-ISAC called upon organizations to maintain strong patch management by regularly updating all systems, with priority given to public-facing applications; strengthen email security through advanced filtering and continuous employee training to detect and report phishing attempts; protect endpoints by deploying endpoint detection and response tools and enforcing application whitelisting to block unauthorized software; and tighten access controls by enforcing least-privilege access and requiring multi-factor authentication, especially for remote access accounts.
Organizations must also reduce lateral movement risk through network segmentation, restricted RDP access, and continuous monitoring for abnormal activity; ensure backup and recovery readiness by maintaining regular offline backups, encrypting stored data, and routinely testing restoration procedures; improve detection and response by monitoring indicators of compromise such as suspicious administrative tools, abnormal RDP use, and unusual file activity; and prepare for ransomware incidents with a regularly updated incident response plan and tabletop exercises to test organizational readiness.
The agency also highlighted the importance of enhancing situational awareness by leveraging ransomware-focused threat intelligence and sharing insights with trusted industry peers; identifying weaknesses proactively through regular penetration testing and red team exercises; strengthening recovery and resilience by restoring systems from offline backups and validating that recovered data is malware-free; and reducing future risk by conducting post-incident root cause analysis and applying lessons learned to harden defenses.
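As an added illustration of the detection advice above (monitoring for suspicious administrative tools and abnormal RDP use, with the Akira reconnaissance tools AdFind and SoftPerfect Network Scanner as the concrete indicators), the script below runs simple rules over a constructed set of Windows security events. It is example code written for this page, not Health-ISAC's or any vendor's tooling; the event records, host names, IP addresses and the allowed RDP jump-host list are all assumed sample values.

```python
# Constructed sample events (not from the report): 4688 = process creation, 4624 = logon.
# Logon type 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS-042", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AdFind.exe",
     "cmd": "AdFind.exe -f objectcategory=computer"},
    {"id": 4688, "host": "WS-042", "user": "jdoe",
     "image": r"C:\Temp\netscan.exe", "cmd": "netscan.exe /range:10.0.0.0/24"},
    {"id": 4688, "host": "FS-01", "user": "svc_backup",
     "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"id": 4624, "host": "FS-01", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "DC-01", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "DC-01", "user": "adm-ops", "logon_type": 10, "src_ip": "10.0.1.10"},
]

# Reconnaissance tools named in the report, keyed by executable name (lower-case).
RECON_TOOLS = {
    "adfind.exe": "AdFind (Active Directory enumeration)",
    "netscan.exe": "SoftPerfect Network Scanner",
}
# Assumed policy: RDP into servers is only expected from these jump hosts.
RDP_JUMP_HOSTS = {"10.0.1.10"}


def detect_recon_tools(events):
    """Flag process-creation events whose image name matches a known recon tool."""
    hits = []
    for e in events:
        if e.get("id") != 4688:
            continue
        exe = e["image"].rsplit("\\", 1)[-1].lower()
        if exe in RECON_TOOLS:
            hits.append((e["host"], e["user"], RECON_TOOLS[exe]))
    return hits


def detect_abnormal_rdp(events, allowed_sources=RDP_JUMP_HOSTS):
    """Flag RDP logons (type 10) that did not originate from an approved jump host."""
    return [(e["host"], e["user"], e["src_ip"]) for e in events
            if e.get("id") == 4624 and e.get("logon_type") == 10
            and e.get("src_ip") not in allowed_sources]


def detect_rdp_fanout(events, min_hosts=2):
    """Flag a (user, source IP) pair that opened RDP sessions to several hosts: lateral movement."""
    targets = {}
    for e in events:
        if e.get("id") == 4624 and e.get("logon_type") == 10:
            targets.setdefault((e["user"], e["src_ip"]), set()).add(e["host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}
```

Real deployments would source these fields from Sysmon or the Security log via a SIEM and tune the jump-host allow list to the environment; the rule logic is what carries over.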
Last week, the Health-ISAC published the 2026 Global Health Sector Threat Landscape survey findings, which show that health sector security professionals ranked ransomware deployments as the top cyber threat facing their organizations in 2025, followed by phishing attacks, third-party or partner breaches, data breaches, and zero-day exploits.
Medical device manufacturers reported that their top challenges in developing secure medical devices include integrating security into the design and development process, providing regular and secure updates and patching, and ensuring ongoing security across the long operational lifespan of medical devices.
Healthcare delivery organizations, by contrast, identified significant impacts as disruptions to the normal operation of medical technology, unauthorized access to or exposure of patients’ personal health information, and broader disruptions to hospital operations, including administrative processes, scheduling, and communication.
Looking ahead to 2026, health sector security professionals identified AI-enabled attacks as the leading cyber threat, followed by zero-day exploits, ransomware deployments, third-party breaches, and phishing and spearphishing campaigns.
