The latest Health-ISAC Quarterly Threat Insights Report (Q3 2025) underscores what many healthcare security leaders already feel on the ground: the threat landscape is expanding in both volume and complexity. The report highlights everything from AI-driven phishing and typosquatting to medical device vulnerabilities, ransomware targeting hospitals, and geopolitical cyber spillover.
For CISOs and cybersecurity teams across the healthcare and life sciences sectors, the Q3 2025 report's findings represent a confluence of digital risk, regulatory change, and renewed urgency for sector-wide information sharing.
Health-ISAC's threat level remains elevated, as "a threat of increased cyber activity stemming from general events or threats" persists.
Analysts cite several active campaigns shaping current defense priorities:
- NPM worm ("Shai-Hulud") – Malicious JavaScript packages spreading through open-source repositories, embedding themselves in dependencies and exfiltrating data to public GitHub repositories
- QR code phishing – A marked increase in phishing campaigns using QR codes that bypass link scanners and security appliances because they're perceived as benign images
- Typosquatting using .med domains – Attackers registering fake healthcare domains to harvest credentials and impersonate legitimate providers
- Remote-IT worker fraud (DPRK) – Fraudulent job applicants from North Korea targeting healthcare organizations in a long-running revenue-generation campaign
Each of these exemplifies the growing trend of adversaries exploiting the trust fabric of healthcare systems—from open-source code to recruitment platforms—rather than relying solely on direct network intrusion.
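The .med typosquatting item above turns on a simple observation: a fake provider domain only works if it looks like the real one. The following is an added example, not code from the Health-ISAC report, showing how a defender can screen newly observed domains (from certificate-transparency feeds, DNS logs, or inbound mail) against a list of legitimate provider domains. The provider names, the homoglyph table, and the edit-distance threshold are all assumptions chosen for illustration.

```python
"""Lookalike-domain screening for healthcare provider brands.

Added example (not from the Health-ISAC report). KNOWN_PROVIDERS is a
constructed allowlist of hypothetical legitimate domains; HOMOGLYPHS and the
distance threshold are assumptions a team would tune to its own brand list.
"""

# Constructed allowlist of an organization's own legitimate domains (hypothetical).
KNOWN_PROVIDERS = ["examplehealth.org", "example-clinic.com", "examplelabs.net"]

# Character substitutions attackers use because they read the same at a glance.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Registered labels within this edit distance of a brand are treated as lookalikes.
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold homoglyphs and hyphens so 'exarnple-health' compares as 'examplehealth'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label.replace("-", "")


def registrable(domain: str) -> tuple:
    """Split 'sub.brand.tld' into (brand label, suffix); crude but enough for the check."""
    labels = domain.split(".")
    return (labels[-2] if len(labels) >= 2 else labels[0]), labels[-1]


def classify(domain: str) -> tuple:
    """Return (verdict, matched_provider).

    verdict is one of: legitimate, suffix-swap (same brand, different TLD such as
    .med), lookalike (homoglyph or near-miss spelling), brand-embedded (brand
    used inside a longer label), or unrelated.
    """
    domain = domain.lower().rstrip(".")
    for prov in KNOWN_PROVIDERS:
        if domain == prov or domain.endswith("." + prov):
            return "legitimate", prov
    label, suffix = registrable(domain)
    norm = normalize(label)
    for prov in KNOWN_PROVIDERS:
        plabel, psuffix = registrable(prov)
        pnorm = normalize(plabel)
        if norm == pnorm:
            return ("suffix-swap" if suffix != psuffix else "lookalike"), prov
        if levenshtein(norm, pnorm) <= MAX_DISTANCE:
            return "lookalike", prov
        if pnorm in norm:
            return "brand-embedded", prov
    return "unrelated", None


def screen(domains: list) -> list:
    """Return only the domains that need analyst review, with their verdicts."""
    return [(d, *classify(d)) for d in domains if classify(d)[0] not in ("legitimate", "unrelated")]


if __name__ == "__main__":
    # Constructed sample of newly observed domains.
    observed = ["examplehealth.med", "exarnplehealth.org", "portal.examplehealth.org",
                "examplehealth-login.org", "exampleclinic.com", "example.com"]
    for row in screen(observed):
        print(row)
```

Short brand labels produce false positives at distance 2 (a four-letter brand is within two edits of many real words), so the threshold should scale with label length, and a hit is a lead for a takedown request or a mail-gateway block, not proof of malice.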
"The large number of small and mid-sized healthcare organizations continues to be targeted because they are in a weaker position due to lack of budget and resources. Good for H-ISAC for being a hub for information and vulnerability sharing in light of the CISA act expiring," said Rick Doten, a former health plan CISO.
Health-ISAC's report highlights major updates to the FDA's Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, finalized in June 2025.
The guidance now:
- Incorporates Section 524B of the FD&C Act, specifying who must comply and what devices are covered
- Requires device manufacturers to design, develop, and maintain cybersecurity plans and SBOMs (Software Bills of Materials)
- Aligns FDA guidance with the EU Cyber Resilience Act and other international standards
For security teams, this represents a shift from optional best practice to regulatory expectation—particularly in how vendors must prove ongoing device security and patch management over the product lifecycle.
The global threat web: from KillSec to EvilAI
Health-ISAC's Global Cyber Watch section paints a troubling picture of the international threat environment. Notable incidents include:
- KillSec ransomware group compromising multiple healthcare institutions across the Americas
- EvilAI malware campaigns targeting organizations in the U.S., India, the EU, and the U.K.—showcasing the increasing fusion of AI automation and traditional malware delivery
- Salt Typhoon, a China-linked group, breaching critical infrastructure in the Netherlands
- Data thefts at France's Inovie Labosud (impacting 3 million patients) and Panama's Ministry of Health—part of a larger pattern of healthcare data exploitation for espionage and financial gain
This surge in AI-assisted malware and cross-sector espionage reveals the globalization of healthcare threat vectors. Cybercrime no longer respects sectoral boundaries; pharmaceutical, hospital, biotech, and government networks now exist in one interlinked target space.
"Regardless of an organization's view on AI, it is a tide that can't be stopped, as many enterprise platforms now have it embedded; and some even using independent agents," Doten said. "So, education and guidance on how to secure will be critical."
"Employees often use personal logins to access free tiers of powerful GenAI tools, without realizing that prompts and responses are shared back with the tool's training model. Without guardrails in place around the data entered, users will simply copy-and-paste or upload content to get their jobs done, magnifying the possibilities of data loss or exposure of sensitive information," said Roslyn Rissler, Senior Cybersecurity Strategist at Menlo Security. "Any of the risks posed by the use of GenAI in general are much greater in regulated environments, such as in healthcare, because the majority of data in these organizations is personal, sensitive, and/or proprietary. Not only could sensitive information be shared back with training models, but the very fact of the information leaving the enterprise in any form could be considered a regulatory breach."
The policy vacuum: expiration of CISA 2015
One of the most consequential developments in Q3 is the expiration of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) on September 30th.
The lapse threatens the legal protections that historically enabled private-sector sharing of indicators of compromise (IOCs) with CISA and industry peers. As Caitlin Clarke of Venable LLP cautions, healthcare entities should "review internal cyber information-sharing policies with legal counsel and discuss with partners how the lack of CISA 2015 protections may affect collaboration."
Without legislative renewal, hospitals and health networks may become more hesitant to share threat data—potentially reducing sector-wide visibility at a time of peak threat activity.
As with every quarterly report, the findings carry implications for healthcare security leaders:
1. Resiliency requires collaboration: The CISA 2015 lapse highlights the fragility of public-private threat intelligence pipelines. Healthcare CISOs should proactively maintain trusted-partner sharing agreements and consider private ISAC channels to preserve information flow.
2. Regulated security is here to stay: With FDA and EU directives emphasizing SBOMs and lifecycle security, medical device manufacturers must operationalize security assurance as part of quality management—not as an afterthought.
3. AI brings a new attack surface: AI-generated phishing (via QR codes or text) and adversarial "EvilAI" malware demonstrate how automation amplifies both defensive and offensive potential. AI must now be part of every healthcare threat model.
4. Supply chain blind spots persist: From NPM worms to .med domain spoofing, attackers exploit supplier ecosystems and open-source dependencies. Continuous monitoring and code-integrity verification are now as critical as network firewalls.
5. Workforce awareness matters: Fraudulent remote-IT hiring scams highlight the human dimension of cybersecurity. Vetting and awareness training remain essential, particularly as global threat actors disguise themselves as legitimate remote candidates.
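Implication 4 calls for "code-integrity verification" of open-source dependencies, and the Shai-Hulud item earlier in the report shows why: a worm that rides in through a dependency runs with the developer's privileges the moment `npm install` executes its lifecycle scripts. The block below is an added example, not code from the Health-ISAC report or from any project it names, of the three checks a CI job can run over a lockfile and the installed manifests: every package is pinned with an integrity hash, every tarball resolves to an expected registry, and any package that runs code at install time is surfaced for review. The lockfile, manifests, package names, and the trusted-registry set are all constructed sample data.

```python
"""Audit an npm dependency tree for supply-chain red flags.

Added example (not from the Health-ISAC report). Works on an in-memory
package-lock.json (lockfile v3 layout) and the package.json manifests found
under node_modules/<name>/. All sample data below is constructed; the
registry allowlist is an assumption.
"""
import base64
import hashlib
import json
from urllib.parse import urlparse

# Assumption: this project expects dependencies only from the public registry.
TRUSTED_REGISTRIES = {"registry.npmjs.org"}
# Lifecycle hooks that execute arbitrary code during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package-lock.json; package names and integrity values are placeholders.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "portal-frontend", "lockfileVersion": 3,
  "packages": {
    "": {"name": "portal-frontend",
         "dependencies": {"acme-utils": "2.1.0", "acme-telemetry": "1.4.2", "acme-helpers": "0.9.1"}},
    "node_modules/acme-utils": {"version": "2.1.0",
         "resolved": "https://registry.npmjs.org/acme-utils/-/acme-utils-2.1.0.tgz",
         "integrity": "sha512-PLACEHOLDERxxxx"},
    "node_modules/acme-telemetry": {"version": "1.4.2",
         "resolved": "https://mirror.example.net/acme-telemetry/-/acme-telemetry-1.4.2.tgz",
         "integrity": "sha512-PLACEHOLDERyyyy"},
    "node_modules/acme-helpers": {"version": "0.9.1",
         "resolved": "https://registry.npmjs.org/acme-helpers/-/acme-helpers-0.9.1.tgz"}
  }
}
""")

# Constructed manifests as read from node_modules/<name>/package.json after install.
SAMPLE_MANIFESTS = {
    "acme-utils": {"name": "acme-utils", "version": "2.1.0", "scripts": {"test": "node test.js"}},
    "acme-telemetry": {"name": "acme-telemetry", "version": "1.4.2", "scripts": {"postinstall": "node setup.js"}},
    "acme-helpers": {"name": "acme-helpers", "version": "0.9.2"},
}


def sri_for(data: bytes) -> str:
    """Subresource Integrity string in the form npm pins under `integrity` (sha512, base64)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_sri(data: bytes, integrity: str) -> bool:
    """True when the downloaded tarball bytes match the pinned sha512/sha256 value."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha512", "sha256"):
        return False
    return base64.b64encode(hashlib.new(algo, data).digest()).decode() == expected


def audit(lockfile: dict, manifests: dict) -> list:
    """Return sorted (package, finding) pairs for every red flag in the tree."""
    findings = []
    for path, entry in lockfile["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # the "" entry is the root project, not a dependency
        name = path.split("node_modules/")[-1]  # handles nested node_modules paths
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in TRUSTED_REGISTRIES:
            findings.append((name, f"resolved from untrusted host {host}"))
        if not entry.get("integrity", "").startswith(("sha512-", "sha256-")):
            findings.append((name, "no integrity hash pinned in lockfile"))
        manifest = manifests.get(name, {})
        if manifest.get("version") != entry.get("version"):
            findings.append((name, f"installed version {manifest.get('version')} differs from lock {entry.get('version')}"))
        for hook in INSTALL_HOOKS:
            if hook in manifest.get("scripts", {}):
                findings.append((name, f"runs code at install time via '{hook}': {manifest['scripts'][hook]}"))
    return sorted(findings)


if __name__ == "__main__":
    for package, finding in audit(SAMPLE_LOCKFILE, SAMPLE_MANIFESTS):
        print(f"{package}: {finding}")
```

The install-hook finding is the one that matters most for worm-style packages: `npm install --ignore-scripts` in CI removes the execution path, and a package that legitimately needs a hook can then be reviewed and allowlisted by name. The integrity check only proves the tarball matches what the lockfile pinned, so it must be paired with review of lockfile diffs, since a compromised upstream release arrives with a valid hash of its own.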
The Health-ISAC Q3 2025 Report concludes with a call to action: collaboration remains the healthcare sector's greatest defense. Whether through Health-ISAC workshops, tabletop exercises, or cross-industry threat sharing, collective intelligence will be the cornerstone of resilience.
As Errol Weiss, Chief Security Officer for Health-ISAC, notes, "Resilience is not a solo act—it's a shared responsibility across the entire healthcare ecosystem."
Healthcare is now one of the most targeted sectors globally, facing simultaneous regulatory tightening, evolving AI threats, and geopolitical turbulence.
For security leaders, Q3 2025's insights offer both a warning and a roadmap:
- Govern AI and open-source use rigorously.
- Build redundancy into information-sharing frameworks.
- Treat device and data security as continuous obligations, not compliance milestones.
We asked several cybersecurity vendor subject-matter experts (SMEs) for their thoughts on the latest Health-ISAC insights.
Piyush Pandey, CEO at Pathlock, said:
"We are seeing that threat actors are shifting their focus from hospitals and clinics to third-party providers, because this approach allows them to get access to massive amounts of PHI at a time. Once adversaries get their hands on this data, they can misuse it for many years ahead for highly-personalized scams and blackmail campaigns. Large scale data breaches drive compliance risks and more stringent regulatory scrutiny for every entity in the healthcare supply chain."
Guru Gurushankar, Senior Vice President & GM, Healthcare and Life Sciences, at ColorTokens, said:
- "Throughout the year, we have seen healthcare industry breaches which highlight the necessity of preventing unauthorized lateral movement within one's network. This is critical for healthcare organizations to maintain their digital operational resilience in the face of relentless cyberattacks, and it does not appear that there will be any letup from these attacks moving forward. In other words, organizations have to become breach-ready; this is essential to survival."
- "A solution to prevent lateral movement would be an ideal solution to contain breaches. Lateral movement prevention solutions are needed, in addition to other perimeter-based defenses, to bring this increasing menace under control."
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, said:
- "The cybersecurity of any connected medical device obviously includes how well the software on the device was designed, tested, and configured for deployment. Devices should be stable when faced with a targeted attack. There should be no anomalies in the software or unmatched vulnerabilities in third-party code."
- "But what about the supporting systems? Connected software often communicates with cloud services and does so over telecommunication networks. If that connection is compromised, what does that mean for patient data? Similarly, if the factory manufacturing the device, or the production equipment, isn't properly secured, can the quality and security of the device be trusted?"
- "Being able to assert that a medical device is secure means that everything from design to deployment must be looked at from a risk perspective and identified risks mitigated."
James Maude, Field CTO at BeyondTrust, said:
- "Healthcare has been historically less prepared for cyber risks than other industries, and attackers are increasingly taking advantage of this, with HIPAA recording 677 major healthcare breaches in 2024, hacking being the dominant cause. The security challenges extend beyond the healthcare providers themselves, with almost a third of breaches (32.2%) involving the compromise of third parties. Ransomware, once a rare occurrence in healthcare, is now on the top of most providers' agenda, as legacy remote access solutions provide a quick entry point to land and expand with severe consequences."
- "In order for healthcare organizations to effectively deal with ransomware and other threats, they need to invest in shifting left. They need to think more about securing identities and access to reduce the attack surface and blast radius in the event of compromise, rather than just thinking post breach. Ransomware and other threats are only as effective as the privileges and access they manage to acquire, so if we all can implement better hygiene and focus on least privilege, then the threat actors are far less likely to ransomware us in the first place."
- "Modern healthcare organizations are also incorporating real-time session monitoring with their security tooling to perform behavioral analytics and generate automated alerts. Any anomalous vendor behaviors, such as unusual file exports or unexpected command-line launches, are detected and halted before they can escalate into breaches. By combining least-privilege access controls, granular session recording, and proactive monitoring, healthcare organizations can maintain the critical third-party support they depend on while safeguarding patient data and fortifying their regulatory posture."
Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, said:
"To combat increasingly sophisticated and elusive ransomware threats, healthcare organizations can no longer afford to be reactive. The future of cybersecurity demands a proactive and adaptive stance. This means prioritizing robust behavioral detection and response tools—the kind that can spot anomalous activity no matter how cunningly disguised. It also necessitates ironclad patch management, multi-factor authentication, meticulous network segmentation, and rigorously tested incident response plans. Ultimately, defense must not just keep pace with offense; it must leap ahead, harnessing AI-driven insights to anticipate and neutralize threats before they can even fully materialize."
The next generation of healthcare security will belong to those who balance vigilance with collaboration—and who act before the next quarter's threat report becomes a case study in hindsight.