Close

New Research from CDW on Workplace Friction

Learn how IT leaders are working to build a frictionless enterprise.

Jun 01 2026
Security

The Threat Landscape Is Evolving. How Can Healthcare Organizations Protect Themselves?

High-impact ransomware and multivector attacks are becoming more disruptive and visible, underscoring the need for faster, more coordinated response strategies.

Cyberattacks in healthcare are no longer slow or opportunistic. They are fast, coordinated and increasingly difficult to contain.

According to CrowdStrike’s latest Global Threat Report, the fastest threat actors can move from initial access to lateral movement in under 30 seconds, shrinking the window for detection and response to near zero.

That speed is redefining what effective defense looks like. For healthcare organizations — where uptime, patient safety and regulatory compliance are nonnegotiable — the stakes are especially high. Healthcare leaders need to understand how the threat landscape is evolving and what they can do to protect themselves.

DISCOVER: CrowdStrike protects your organization from today’s most dangerous adversaries.

A Threat Landscape of Convergence

Financially motivated cybercriminals, ransomware groups, hacktivists and nation-state actors are all targeting the same environments, often for different reasons but with overlapping methods.

“Healthcare is at the center of threat activity from a lot of angles,” says Rob Sheldon, senior director of public policy and strategy at CrowdStrike. 

That convergence increases both frequency and complexity. Threat actors are targeting everything from payment systems and patient records to critical infrastructure and research data.

Sheldon points to continued, disruptive ransomware incidents that quickly become public and operationally damaging.

Click the banner below to sign up for HealthTech’s weekly newsletter.

 

Why Healthcare Remains Exposed to Cyberthreats

Healthcare IT environments are highly distributed, often spanning hospitals, clinics and third-party providers, and must support continuous, real-time operations.

“There are a lot of entities in the sector that are quite complex,” Sheldon says. “They must interconnect with different facilities across different regions, which becomes unwieldy from the defender’s perspective.” 

Unlike other industries, healthcare organizations cannot easily take systems offline to patch or isolate them without affecting patient care.

“There’s a high degree of continuity that’s required, with little room for error,” Sheldon says. 

Meanwhile, legacy systems and specialized medical devices often remain in use for years or decades. These systems may not support modern security controls, creating persistent vulnerabilities that must be managed rather than eliminated.

READ MORE: Ensure healthcare business continuity when IT fails.

Identity Is Now the Front Line of Healthcare Security

Threat actors are increasingly bypassing software vulnerabilities altogether and focusing on credentials.

“Rather than hunting for vulnerabilities, they’re going straight after credentials as the fastest, most reliable path into the environment,” Sheldon says.

Once attackers gain access through compromised credentials — whether via phishing, social engineering or reused passwords — they can move laterally across systems with speed and precision.

Defending against this requires a more dynamic approach to identity security. Organizations are moving beyond static access controls toward conditional models that continuously evaluate risk.

“There’s more need to have conditional access based on what someone’s role might be, but also whether their device is compliant, their location is expected or their behavior is normal,” Sheldon says. 

This level of granularity allows security teams to detect anomalies earlier and intervene before attackers can escalate privileges or expand their reach.

Rob Sheldon
Having a managed security service in place ends up being a huge lever to drive efficiencies.”

Rob Sheldon Senior Director of Public Policy and Strategy, CrowdStrike

AI as Both Force Multiplier and Risk

AI is playing a growing role in cybersecurity operations, particularly in helping organizations keep pace with the speed of modern threats. AI-driven detection and response tools can analyze large volumes of data, identify patterns and automate remediation actions in near real time.

“You really have to move extremely quickly to match the pace that the threat actor is able to move at,” Sheldon says. 

However, as organizations adopt AI tools across workflows, they are expanding the attack surface in ways that are not always fully understood.

Use of unauthorized or “shadow” AI is a particular concern, as employees may connect sensitive systems to tools that are not governed by enterprise security policies.

Sheldon notes that even approved AI systems require careful oversight to ensure credentials, data access and workflows are properly controlled.

Scaling Defense in Resource-Constrained Environments

For many healthcare organizations, limited budgets, staffing shortages and competing priorities make it difficult to build and maintain comprehensive security programs.

Shared services models are emerging as a practical way to address these constraints, Sheldon explains, particularly for distributed or public sector healthcare systems.

“Shared services allow a uniform, high level of protection and allows one centralized operator to act as a service provider to smaller connected entities,” he says.

EXPLORE: Quantify cyber risk to justify strategic cybersecurity investments.

By centralizing security operations, organizations can standardize policies, improve visibility and reduce duplication of effort. This approach also makes it easier to detect coordinated attacks that target multiple facilities within the same network.

Managed security services are another critical lever. Many organizations are turning to external providers to augment or replace in-house capabilities, particularly for 24/7 monitoring and response.

“Having a managed security service in place ends up being a huge lever to drive efficiencies,” Sheldon says. 

He adds that foundational practices remain essential, including deployment of endpoint detection and response tools where possible and ensured visibility across the entire environment.

Brought to you by:

Hiraman/Getty Images