Inside the Breach: Part 2 of the Healthcare Under Siege Series
What Hackers Want and How Healthcare Networks Hand It Over
A firewall isn’t what stops modern healthcare breaches. In most cases, it isn’t even where they begin. Attackers aren’t always breaking in; more often than not, they’re logging in. Reusing leaked credentials. Exploiting forgotten VPNs. Following the paths your network has laid out for internal users, third-party vendors, and critical applications.
Once inside, they don’t have to search very hard to find what they’re looking for.
Healthcare networks are often designed for speed and availability, not containment. That means systems like EHRs, diagnostics platforms, billing software, and even prescription tools are frequently a few lateral hops away from wherever an attacker lands. And thanks to flat architectures and unsegmented traffic flows, the path between them is often wide open.
In 2024 alone, healthcare breaches exposed more than 259 million patient records, a 26% increase from the year prior. And a staggering 77% of those records were compromised not through direct attack, but through third-party vendors with access to internal systems.
The attackers know what they’re after. And whether they succeed depends largely on how your network is built.
In this section, we’ll walk through:
- The specific systems and data hackers are targeting
- The infrastructure weaknesses that make those targets reachable
- The entry points most commonly exploited in modern healthcare environments
Because understanding what they want is only half the equation. To protect your organization, you need to understand how your network is helping them get it.
High-Value Data Systems: The Crown Jewels of Healthcare
If attackers could draw a straight line to the most valuable assets in your organization, it would end at your clinical systems. Electronic Health Records (EHRs), diagnostic databases, and prescription platforms are among the most targeted assets in healthcare, not because of the data they hold, but because of what that data enables. One compromised EHR can unlock everything from identity theft and insurance fraud to blackmail and espionage.

Medical data was involved in 45% of all healthcare breaches in 2024, making it the most frequently compromised data type.
The problem is that too many of these systems are easily reachable.
In many healthcare environments, clinical platforms share the same network paths as non-critical tools: guest Wi-Fi, internet-connected billing platforms, vendor portals, even smart TVs and IoT devices. Without segmentation, a single compromised system can serve as a launch point for an attacker to move freely toward more critical targets.
These systems are built to be accessible to clinicians, care teams, and administrators. But that accessibility often extends to adversaries, especially in environments designed for convenience rather than containment.
It doesn’t take an advanced attack to reach your most sensitive systems. All it takes is one entry point left unguarded and a flat network.
Operational Systems: Soft Targets That Bring Everything to a Halt
Not every attack is about stealing data. In fact, for many attackers, data is secondary. Their real weapon is operational paralysis.
Our hospitals run on connected infrastructure, from scheduling and communication tools to diagnostic machines and infusion pumps. Even if they don’t store sensitive data, they power the workflows that make care possible. A delay in scheduling can push back surgeries. A downed nurse call system can slow emergency response. An unreachable imaging device can postpone a critical diagnosis.

Many of these platforms and devices are internet-facing, shared across departments, or connected through public cloud portals, which makes them accessible but also increasingly vulnerable. In many environments, they sit on the same flat networks as clinical systems, with no segmentation or containment between them.
The risks aren’t hypothetical:
- In January 2025, the FDA issued a cybersecurity warning about vulnerabilities in patient monitors from Contec and Epsimed that could allow unauthorized remote access to device settings and patient data. (FDA.gov)
- In June 2024, a ransomware attack against NHS pathology services in London disrupted blood transfusion safety checks, forcing hospitals to delay surgeries and cancer treatments due to compromised diagnostic equipment. (The Times)
These are systemic breakdowns that endanger patient care, all because one compromised system wasn’t properly isolated from the rest.
Third-Party Vendors: The Breach Wasn’t Yours, But the Consequences Are
Hospitals rely on dozens of third-party partners to deliver care, from lab services and radiology to billing, transcription, and cloud-based diagnostic tools. These vendors often have direct access to internal systems or share the same network environment without the visibility or control needed to manage the risk they bring.
In 2024, 77% of breached healthcare records were accessed through business associates, not the healthcare organizations themselves.
That risk multiplies when vendor systems aren’t segmented. If a compromised lab partner shares the same flat network as your EHR or diagnostic imaging platform, attackers don’t need a second breach. They already have a path in.
“Every third-party connection is an open invitation, unless your network knows how to say no.”
James Coberly | Massive Networks CTO
We watched this unfold during the 2024 ransomware attack on NHS pathology services. The disruption didn’t stem from a breach in every hospital; it started with Synnovis, a third-party pathology services provider whose systems were deeply embedded in regional care delivery.
Critical transfusion safety checks and diagnostic services were brought to a halt, delaying surgeries and cancer treatments. The problem wasn’t that Synnovis was compromised; it was that their systems were tightly woven into frontline hospital operations.
In many environments, the network doesn’t distinguish between internal systems and trusted vendors. But attackers do, and they exploit that trust to move laterally, escalate access, and do maximum damage. Without network-level isolation, every vendor connection becomes a potential breach in waiting. And once the attack spreads, your organization, not the vendor, pays the price.
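The "few lateral hops" argument above and the vendor-segmentation point are easy to check mechanically once a network's allowed flows are written down as zone-to-zone rules. The script below is an added example and is not Massive Networks' code or tooling: it models a flat hospital network and two segmented variants as allow-lists between zones (zone names, rules and the three "crown jewel" zones are all constructed for illustration), then computes which clinical zones an attacker who lands in the vendor or guest zone could reach by following permitted flows.

```python
"""Blast-radius check for zone-based network policies (added example).

Each policy is a set of (source_zone, destination_zone) rules meaning
"source may initiate connections to destination". Anything not listed is
denied. Following allowed flows transitively gives the attacker's-eye
view: every allowed flow is a possible lateral hop.
"""
from collections import defaultdict, deque

# Constructed zones for a hypothetical hospital network.
ZONES = ["guest_wifi", "vendor_lab", "billing", "iot_devices",
         "clinical_workstations", "results_broker", "ehr", "imaging", "pharmacy"]

# Constructed "flat" design: every zone may talk to every other zone.
FLAT_POLICY = {(a, b) for a in ZONES for b in ZONES if a != b}

# Constructed segmented design, first attempt: the lab vendor pushes results
# into a broker zone, and the broker pushes them on into the EHR.
PUSH_SEGMENTED_POLICY = {
    ("vendor_lab", "results_broker"),
    ("results_broker", "ehr"),
    ("clinical_workstations", "ehr"),
    ("clinical_workstations", "imaging"),
    ("clinical_workstations", "pharmacy"),
    ("billing", "ehr"),  # assumed: billing reads encounter data
}

# Constructed segmented design, second attempt: the EHR pulls from the
# broker, so no zone the vendor can reach may initiate a flow toward the EHR.
PULL_SEGMENTED_POLICY = {
    ("vendor_lab", "results_broker"),
    ("ehr", "results_broker"),
    ("clinical_workstations", "ehr"),
    ("clinical_workstations", "imaging"),
    ("clinical_workstations", "pharmacy"),
    ("billing", "ehr"),
}

# Constructed list of the clinical zones the article calls the crown jewels.
CROWN_JEWELS = {"ehr", "imaging", "pharmacy"}


def _adjacency(policy):
    """Turn a rule set into source -> {destinations} for cheap traversal."""
    adj = defaultdict(set)
    for src, dst in policy:
        adj[src].add(dst)
    return adj


def hop_distances(policy, start):
    """Breadth-first search over allowed flows.

    Returns {zone: hops} for every zone reachable from `start` (excluding
    `start` itself); a zone with no entry is unreachable under this policy.
    """
    adj = _adjacency(policy)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst in adj[src]:
            if dst not in dist:
                dist[dst] = dist[src] + 1
                queue.append(dst)
    del dist[start]
    return dist


def reachable_zones(policy, start):
    """Set of zones an attacker in `start` can pivot to (the blast radius)."""
    return set(hop_distances(policy, start))


def hops_to(policy, start, target):
    """Shortest number of lateral hops from start to target, or None if isolated."""
    return hop_distances(policy, start).get(target)


def exposed_crown_jewels(policy, start):
    """Sorted list of crown-jewel zones reachable from an entry zone."""
    return sorted(CROWN_JEWELS & reachable_zones(policy, start))


if __name__ == "__main__":
    designs = [("flat", FLAT_POLICY),
               ("push-segmented", PUSH_SEGMENTED_POLICY),
               ("pull-segmented", PULL_SEGMENTED_POLICY)]
    for name, policy in designs:
        for entry in ("vendor_lab", "guest_wifi"):
            print(f"{name:15s} entry={entry:11s} "
                  f"exposed={exposed_crown_jewels(policy, entry)} "
                  f"hops_to_ehr={hops_to(policy, entry, 'ehr')}")
```

Run as-is, the flat design exposes every clinical zone one hop from guest Wi-Fi, and the first segmented design still leaves the EHR two hops from the lab vendor because the broker is allowed to initiate connections into it. Reversing that single rule so the EHR pulls from the broker removes the transitive path, which is the kind of reachability review worth running whenever a new vendor connection is added to a rule base.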
AI-Powered Attacks: The New Speed of Breach
Artificial intelligence isn’t changing what attackers want; it’s changing how fast they can get it.
Today’s threat actors are using AI to automate nearly every phase of an attack. What once took weeks of reconnaissance, scanning, and trial-and-error now happens in minutes.
Healthcare makes an ideal target for this kind of automation because of its sprawling infrastructure, layered systems, and countless third-party connections. Medical records are rich with identifiers and context. Vendor connections are numerous and often under-secured. Flat network architecture gives attackers the freedom to explore once they’re in. And AI is built to explore.
So what does that mean for you?
- Time is not on your side.
- Reactive detection isn’t fast enough.
- Containment is your best chance of limiting damage.
AI helps attackers move faster, but a private, segmented network is what will quickly force them into a dead end.
Built to Protect or Built to Be Breached?
When every system connects without boundaries, when credentials grant broad access, and when vendors plug directly into core environments, the network stops being a safeguard and starts being a hazard.

Understanding what attackers want and how your infrastructure helps them reach it isn’t about security posture. It’s about business survival. Because the true impact of a breach isn’t defined by how far an attacker can go, it’s determined by how much it’s going to cost you.
In Part 3: In the Aftermath, we’ll look at what a breach really costs, from lost revenue and downtime to long-term reputational fallout, and show how designing for containment from the start can dramatically reduce the impact.