
As cyber and physical threats continue to disrupt healthcare delivery worldwide, the Health Information Sharing and Analysis Center (Health-ISAC) is marking its fifteenth year by doubling down on sector-wide resilience. In its newly released Annual Report 2025, the organization details expanded global threat intelligence operations, including round-the-clock ‘follow-the-sun’ coverage with new analysts in Asia-Pacific, and broader international collaboration, such as the onboarding of 90% of Belgium’s public hospitals.
Over the past year, the Threat Operations Center (TOC) at the Health-ISAC issued over 1,300 targeted alerts addressing high-risk vulnerabilities, underscoring its expanding role as a frontline intelligence hub for the healthcare sector. The center continues to serve as a primary pipeline for actionable intelligence, producing pre-public and targeted alerts, vulnerability and threat bulletins, situational awareness reports, daily cyber briefings, and benchmarking surveys. Its capabilities are further reinforced through strategic partnerships, including collaboration with the Office of the CISO at Google Cloud, strengthening its ability to track global developments, assess emerging threats swiftly, and coordinate protective action across the healthcare community.
The Health-ISAC also launched a new Member Tabletop Exercise program, delivering customized simulations designed to help healthcare organizations identify and close operational gaps before adversaries can exploit them.
“The 2025 report showcases how much we have cultivated over the past year to ensure global resilience,” Denise Anderson, Health-ISAC president and CEO, said in a media statement. “Just as circle irrigation revolutionized farming by efficiently nourishing crops, Health-ISAC fosters a thriving community dedicated to protecting the health sector. Our expansion in APAC and our efforts in taking down threat actor infrastructure are just a few examples of our community’s success in 2025.”
In its ‘Cultivating Resilience’ report, the Health-ISAC detailed that in 2025, it continued to deliver its quarterly Health Sector Heartbeat reports, providing the sector with critical situational awareness regarding the evolving cyber threat landscape. These briefs offer deep-dive analyses of quarterly ransomware trends, cybercrime statistics, and activity from underground forums. Each report features detailed threat actor profiles, maps Tactics, Techniques, and Procedures (TTPs) to the MITRE ATT&CK framework, and includes targeted alert trends for active exploitation.
By combining high-level statistical data with actionable mitigation guidance, the Heartbeat ensures organizations remain resilient against the specific vulnerabilities and threat groups targeting the global health ecosystem.
According to the Annual Report 2025, Health-ISAC disseminated more than a thousand vulnerability, threat, and incident bulletins in 2025, covering a wide range of cyber and physical risks affecting the health sector. In January, the center warned that Ivanti Connect Secure remote access appliances were being actively exploited through a zero-day attack. In February, it reported on heightened threats to CEOs following the December 2024 murder of a health executive and detailed how North Korean actors were using stolen identities to infiltrate health sector jobs.
March alerts included fake ransomware extortion letters sent through U.S. mail to health executives and reporting on Microsoft’s disclosure that Silk Typhoon had shifted toward IT supply chain and cloud-based attacks. In April, the center highlighted massive power outages across the Iberian Peninsula. In May, it covered North Korean fake IT workers targeting healthcare employers and shared indicators of compromise released by the American Hospital Association and Health-ISAC related to Interlock ransomware activity.
June bulletins addressed vulnerabilities such as dangling DNS exposures affecting health organizations and shared Amadey botnet IP addresses linked to activity that preceded Scattered Spider ransomware campaigns. Federal agencies also warned in late June of Iranian cyber threats to critical infrastructure.
The Annual Report 2025 disclosed that, throughout the second half of the year, the TOC issued alerts on proof-of-concept exploits for a critical Citrix NetScaler vulnerability, active exploitation of SonicWall SSL VPNs by Akira ransomware actors, and an Erlang/OTP SSH flaw used to breach health entities. It also reported on Chinese nation-state actors exploiting on-premises SharePoint servers, FBI warnings about cybercriminals targeting Salesforce environments through vishing and compromised OAuth tokens, and SAP patches addressing critical NetWeaver flaws enabling remote code execution.
Later in the year, bulletins covered a nation-state breach confirmed by F5 involving BIG-IP source code exposure, active zero-day exploitation of Fortinet FortiWeb, and Operation WrtHug targeting end-of-life ASUS routers in a China-linked espionage campaign. Additional alerts included warnings about criminals using retrieval-augmented generation AI to enhance business email compromise schemes, active exploitation of SonicWall SMA1000 appliances, a critical authentication bypass in Asseco mMedica that exposed health databases, and opportunistic attacks by pro-Russia hacktivists against critical infrastructure, including health-sector ICS (industrial control systems).
Health-ISAC remains committed to its mission in Europe, fostering a connected community and providing a platform to address cyber and physical threats to the health sector across the region. 2025 has marked a year of significant expansion and deepened strategic engagement across the European region.
Under the continued leadership of European Operations Director Vasileios Mingos, Health-ISAC has strengthened its position as a key player in European health sector cybersecurity. In 2025, Mingos was appointed to the Health Cybersecurity Advisory Board, an expert group established to enhance the cybersecurity resilience of healthcare systems across the European Union.
Health-ISAC said in its Annual Report 2025 that it strengthened its global resilience mandate this year with a critical expansion effort in Brazil, establishing a Health-ISAC community for Latin American health systems. High-impact local engagement included a São Paulo workshop, which saw significant interest, resulting in over 55 attendees from 70+ registrations, alongside a focused CISO dinner. Both events were crucial for fostering collective defense and security maturity among prospective members.
The report observed that the commitment was reinforced by the geopolitical report, The Brazilian Critical Infrastructure Threat Landscape. Published in English and Portuguese, the report analyzes structural strain from fragmented care delivery and evolving cyber threats, offering tailored guidance to help organizations respond.
In 2025, the Health-ISAC Medical Device Security Council (MDSC) advanced medical device cybersecurity through collaborative development of educational materials, lifecycle guidance, and coordinated vulnerability disclosure practices. The MDSC released a comprehensive set of education materials to help health delivery organizations and manufacturers understand and communicate medical device cybersecurity risks.
The council brought together 506 volunteers from 62 medical device manufacturers and 106 health delivery organizations (HDOs). This cross-sector collaboration focused on sharing real-world security challenges, developing actionable solutions and best practices, and promoting secure and efficient use of medical devices across diverse healthcare environments.
On February 4, 2025, Health-ISAC released a white paper titled ‘Exploring the Roles of Manufacturers and Healthcare Organizations During the Medical Device Lifecycle.’ This white paper, written by Taylor Porter, Health-ISAC Medical Device Security Analyst, outlines the shifts in responsibilities between health delivery organizations and medical device manufacturers throughout the device lifecycle. During Cybersecurity Awareness Month, Health-ISAC published a PACS Tip sheet, which provides valuable ‘dos and don’ts’ on securing Picture Archiving and Communication Systems (PACS).
“An emerging theme this year was for clarifying roles across the medical device lifecycle, the Council supports RACI-based coordination and cross-functional planning to help manufacturers and HDOs respond to vulnerabilities quickly and transparently, reducing patient risk and regulatory exposure,” Phil Englert, vice president for medical device security at the Health-ISAC, said.
Earlier this month, the Health-ISAC released its 2025 Fourth Quarter Health Sector Heartbeat report, showing a marked surge in cyber incidents and signaling continued escalation into 2026. A total of 4,043 incidents were recorded across all sectors in the first half of 2025, rising to 4,860 in the second half. With 8,903 incidents logged for the full year, activity exceeded 2024’s total of 5,744, representing a 55% year-over-year increase. Incidents affecting the health sector also rose, though at a slower rate, climbing from 476 in 2024 to 585 in 2025, a 21% increase.