K. Lung: J Extra Corpor Technol 2026, 58, 3 – 18 9
“hub and spoke” strategy, and it is increasing in popularity amongst criminals [39]. Hospitals can defend against third-party breaches by ensuring that they have incident response plans, alternative supply sources, and good business associate agreements that require cybersecurity and cyber-insurance for all parties, including any subcontractors the vendor chooses to employ [39].
Third parties who supply medical devices have a second source of risk in the form of the device software inherent to their product. MDMs often generate their own proprietary internal software and can be reluctant to share access to it, even with individuals intent on making the product more secure, such as hospital IT teams [6, 7]. As such, it is imperative that MDMs provide their own cybersecurity on the devices in question [6]. Up until March 29, 2023, it was not a legal requirement that they do so. Even past that date, only new products going through the Food and Drug Administration (FDA) approval process are required to have reasonable cybersecurity measures, and to provide upgrades and patches to this security throughout the lifetime of the device. More worryingly, MDMs are not required to provide upgrades and patches to preexisting or legacy devices, though some may choose to do so.
Information technology teams
Healthcare IT teams, though broadly understaffed and underfunded, are the primary implementers of cybersecurity measures around healthcare infrastructure. As with many other aspects of the healthcare field, IT teams have developed over time, and with the needs of new technologies. Current advancements that make healthcare IT teams more effective include the use of AI to monitor and analyze network use. This is a reasonably useful and cost-efficient method of increasing security for the time being [2, 14, 31].
End users
The average user of healthcare-related devices or systems is often the weakest link in the cybersecurity system, especially if unprepared or undereducated [9]. This group consists of everyone from administrators and their assistants to perfusionists, surgeons, nurses, environmental service employees, and patients themselves. Though each of these groups will have access to different parts of the overarching hospital network, they all may serve as gateways through which cybercriminals may attempt to gain access to the network. Network segmentation, implemented by the hospital’s IT team, can help keep individual end users from becoming too large a risk, but education and vigilance are the best tools that employees can utilize to help IT personnel keep everyone safe [2].
Insurance companies
The emerging field of cyber insurance is a response to the increased threat and costs of a cybersecurity breach. Much like any other insurance company, cyber insurers help cover costs should a covered event occur, but in this case, they can help pay for things like fines, penalties, litigation defense, the costs associated with notifying affected patients, and supplying them with identity and credit monitoring [9]. While this does help mitigate the financial consequences of cyberattacks, it does not change the loss of personal data and privacy that the patients experience [6].
Media
The media can also play a role in cybersecurity advancement. Media attention can be a double-edged sword, as it can raise awareness and pressure institutions or governing bodies to take action to make healthcare more cybersecure, but it can also spread distrust of specific institutions or of the healthcare system entirely [4]. While hospitals may assume that negative media attention will erode their patient base in the short term, it may be worse in the long run to be caught hiding a cyber-breach [4].
Cybercriminals
There are many reasons a group or individual may resort to cybercrime. A common way of sorting this group is by motivation, the primary of which tends to be financial gain. There are several means by which financial gain can be achieved from a hospital cyberattack. If a hospital is held for ransom, cybercriminals either gain the ransom money or, if the ransom is not paid, may choose to sell the hospital data, including patient information, on the dark web. These transactions are often completed in cryptocurrency, which makes them difficult to trace [40]. Data that ends up online is sold at a premium price.
Health information is more valuable than other types of identifying information [3, 5, 6, 10, 11], primarily because it is immutable. Financial information can be changed, some identifiers can be locked down, but genetics and physical health data cannot be altered by the individual in question. A full medical record often comes with a variety of other data as well, from financial information to names, social security numbers, phone numbers, email and physical addresses, and insurance numbers [7]. This data can be used to commit identity theft or fraudulently acquire health insurance benefits, such as prescriptions, which can be resold online [2, 6]. It can also be used to blackmail high-profile individuals [2, 7]. Often, money gained by a developed ransomware group essentially funds future cyberattacks on other institutions. There is always the possibility that the ransomware group will not release the decryption key regardless of payment, as happened to Change Healthcare in February of 2024 [24]. There are several well-known Russian ransomware gangs, and while they appear to be the largest single-nation source of cybercrime, China, Ukraine, and the United States are reportedly frequent sources as well [41] (Tab. 3).
A second motivation for cybercrime is espionage. Nation-states can commit or fund acts of cybercrime against healthcare institutions to gain insight into opponents, sow distrust in the government and public systems, and fund and fuel their own political agendas [5]. Occasionally, state-backed cyberattacks