The Journal of ExtraCorporeal Technology No 58-1 | Page 16

10 K. Lung: J Extra Corpor Technol 2026, 58, 3 – 18
Table 4. Common points of access for cyberattacks.
Category: Social Engineering (e.g., Phishing, Spear Phishing)
Method: Use of personal information, sometimes gathered from social media, to convince an individual to give malware access to a system, or to give an interloper credentials for that purpose. Spear phishing is a more individually targeted version of phishing.
Category: Malicious Insider
Method: Deliberate action by an individual with valid institutional access to access data, encrypt systems, or inject malware into a system, or to release sensitive data they have access to onto the internet.
Category: Carelessness
Method: Accidental failure of an individual who has valid access to a system to adhere to the security policies, or lax policies allowing excessive access, amongst other means of unintentionally reaching data the individual should not access.
Examples: Kaleida Health (2017) [9]; Premera Blue Cross (2014) [18]; Anthem, Inc. (2015) [18]; University of Vermont Health Network (2020) [4]; Cerebral third-party data breach (2023) [18]

have been known to target healthcare facilities for their intellectual property, such as medical research [2, 42].
Hacktivism is a source of politically motivated cybercrime that is often not aligned with overarching governing bodies. Hacktivists often have a particular political or theological motivation [27]. As such, hacktivism can be much smaller-scale than other politically motivated attacks, and can be internally generated within a country [6].
A somewhat under-acknowledged source of cybercrime is one with no malicious intent, committed simply because an individual wanted to prove that they could. Before vulnerability disclosure processes became broadly available through MDMs, individuals who tested the cybersecurity of devices or systems for this reason could and would be prosecuted [27]. This would result in cyber-savvy individuals knowing that there was a security flaw in a device but being unable to safely communicate that information, leaving the vulnerability for malicious hackers to find and abuse. Medical devices can now be tested, and flaws can be acted on in a collaboration between hackers and MDMs.
Cyberattacks could easily tamper with patient data, resulting in delays of life-saving treatment or incorrect diagnoses [2]. Though no cyberattack has yet been proven to be motivated by patient death, cyberattacks have been linked to patient deaths in hospitals through a broadly increased 30-day mortality rate, and also directly, as happened in Germany in 2020 when a woman was transferred out of Düsseldorf University Hospital while it was held by ransomware, and did not survive to surgery [43]. A second potential cybercrime mortality was a baby in Alabama in 2021 who was born while Springhill Medical Center was using paper charting due to an attack. In the confusion, the care team missed an abnormal fetal heart rate, allegedly resulting in the infant’s death [44, 45].
Cybercriminal methodologies
Ransomware is a common type of cyberattack, but there are many other types of attacks. Classification of these is best left to the experts [46], but descriptions and examples of some of the more common types can be found in Table 1. Table 4 describes three of the most common access points for cyberattacks. These access points are of concern to all end users, including perfusionists. Phishing and other social engineering-based attacks are the most common, but with education and understanding of hospital policy, a healthcare worker can reduce the chance of precipitating a data breach in this manner.
Most successful cyberattacks use known exploitable vulnerabilities (KEVs) and work because of a lack of updated security policies that would have prevented such an attack [2]. Public Wi-Fi is another point of concern, as these networks often have readily available or easily guessed passwords. Even with secure Wi-Fi, a common tactic to gain access to a hospital network is to simply ask for log-in credentials through a link in a phishing email [2]. This gives an attacker a gateway to more secure systems that often have unsecured IoMT devices attached to them.
There are, of course, many other ways that hospitals can come under attack that have nothing to do with any motivation directly against the hospital itself. Some attacks are so broad-spectrum that they simply catch healthcare systems in the crossfire, such as the WannaCry attack [17]. The recent CrowdStrike downtime had a similarly wide-reaching impact, even though it was not a deliberate malicious attack. Being prepared to face cyberattack-based downtime should prepare a hospital to deal with this kind of less malicious interference as well.
The current state of healthcare cybersecurity in US governmental policy
Legislation for cybersecurity over the last decade and a half has been primarily reactive. Due to the lack of core planning at the outset, there has been an ad-hoc method of establishing jurisdiction and oversight. Three major US Departments have jurisdiction over cybersecurity that is of interest to perfusionists. These include the Department of Homeland Security, the Department of Health and Human Services (DHHS), and the Department of Commerce. Each of these departments oversees a different organization or agency that has established ways in which cybersecurity is regulated within its domain of expertise. Within the last few years, there has been a significant