The Night the Hospital Nearly Collapsed
- RubyComm Team

February 2024. In the middle of the night, medical teams at thousands of hospitals across the United States discover they cannot access the Change Healthcare payment system. This is not a minor technical glitch. It is the largest cyberattack in the history of the American healthcare system, carried out by the Russian ransomware group BlackCat/ALPHV.
The Russian group seized sensitive patient medical data, some of which was published online in a blatant privacy violation. Elsewhere, physicians were locked out of medical records and found themselves standing before critically ill patients, unable to view their medical history or the medications they were taking, or even to authorize life-saving treatments. The disruption lasted weeks. The economic damage from the operational shutdown alone reached $2.4 billion, and the harm to patients is immeasurable.
This is not just another horror story from the press. This is the new reality of healthcare infrastructure in the cyber age.

Why Hospitals? Why Now?
In recent decades, hospitals have undergone a massive digital transformation: connected monitors, smart infusion pumps, sophisticated imaging devices, surgical systems, building management systems, HVAC, elevators, energy systems, cooling systems, and more. Everything is connected to the network. Everything is remotely accessible. Everything is “smart.” And everything is vulnerable.
According to FBI data, in 2024 alone, 444 significant cyber incidents were reported in the U.S. healthcare sector, including 238 ransomware events. In Europe, the ENISA report shows that hospitals account for 42% of reported cyber incidents in the healthcare sector, and the NIS360 report classifies the sector as being in the “risk zone” with a significant gap between its cybersecurity maturity and its criticality level.
The reason is simple: hospitals are the perfect target. They cannot afford to be disconnected even for an hour. Human lives are at stake. So they pay. And the hackers know it. The Trellix 2025 report shows that the average cost of a breach has reached $10.22 million per incident, with the cost of a full shutdown reaching $9,000 per minute. And worst of all: research has shown that hospitals affected by cyberattacks experienced a 29% increase in mortality rates.
The Real Problem: It’s Not Just IT, It’s OT
When we talk about cybersecurity in hospitals, most people think of computers and servers. But the real threat runs much deeper.
A modern hospital is a complex OT (Operational Technology) system, comprising critical operational layers: legacy and modern medical devices, from monitors and infusion pumps to MRI and CT machines; Building Management Systems (BMS) responsible for HVAC, electricity, backup power, and elevators; physical security systems such as cameras and access control; and additional connected assets. Shutting down an oxygen system in a single ward can kill patients within minutes. A remote change to ventilator settings can be lethal.
And the biggest problem? IT cybersecurity solutions do not protect these OT systems. A significant portion of the industrial equipment operating today was designed and deployed before cybersecurity became a regulatory requirement, and therefore has no built-in defense mechanisms. These systems were originally designed for isolated environments, but today many are connected to corporate networks and the internet, exposed to threats. Common vulnerabilities include outdated operating systems that are no longer supported, industrial protocols without encryption, and a lack of effective segmentation from IT networks.
The Trellix report describes the “Cascading Effect” phenomenon: attackers exploit unpatched HVAC or electrical controllers as an initial entry point, then move laterally into medical imaging networks and paralyze entire departments.
The Case That Raised Another Red Flag
January 2025. CISA and the FDA issue an urgent advisory: patient monitors model Contec CMS8000, manufactured by the Chinese company Contec Medical Systems, contain a built-in backdoor. This was not an ordinary software bug but intentional hidden functionality that no party had disclosed.
These devices measure heart rate, blood oxygen, and blood pressure: parameters that physicians rely on to save lives. Firmware analysis revealed three critical vulnerabilities: a backdoor (CVE-2025-0626) enabling remote file downloads and software replacement on the device; patient data leakage, unencrypted, to a hardcoded IP address (CVE-2025-0683); and an out-of-bounds write vulnerability (CVE-2024-12248, CVSS score 9.8) enabling remote arbitrary code execution.
These devices are in use at hospitals in the United States and the European Union. And the frightening part? No patch is available. The official recommendation: disconnect the devices from the network. But how do you disconnect devices that need to operate 24/7?
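As an added defender-side illustration (not code from the article or from RubyComm), the following Python sketch applies the two points above, segmentation between OT zones and watching for devices that phone home, to a constructed flow log: it flags cross-zone flows such as a BMS controller reaching into the imaging network, and any medical device sending data to an external host that is not on an allowlist. The zone map, allowed flows, addresses, and log format are all assumptions.

```python
import ipaddress
# Constructed zone map for a hypothetical hospital (private/documentation ranges only).
ZONES = {
    "bms": ipaddress.ip_network("10.10.0.0/24"),               # HVAC / electrical controllers
    "patient_monitors": ipaddress.ip_network("10.20.0.0/24"),  # bedside monitors
    "imaging": ipaddress.ip_network("10.30.0.0/24"),           # MRI / CT
    "it": ipaddress.ip_network("10.40.0.0/16"),                # clinical IT, central stations
}
# Cross-zone flows that are expected (assumed): monitors and modalities report into IT.
ALLOWED_ZONE_FLOWS = {("patient_monitors", "it"), ("imaging", "it")}
# External hosts a device may legitimately reach (placeholder vendor update server).
EXTERNAL_ALLOWLIST = {"203.0.113.10"}

def zone_of(ip):
    # Map an address to its zone name, or "external" if it sits in no known zone.
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def parse_flow(line):
    # Constructed record format: "<timestamp> <src> <dst> <proto> <dport> <bytes>"
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport), "bytes": int(nbytes)}

def classify(flow):
    # Return a finding for a suspicious flow, or None if the flow is expected.
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    if dz == "external":
        # Device reaching an unlisted external host (constructed placeholder, not the advisory's address).
        if flow["dst"] in EXTERNAL_ALLOWLIST:
            return None
        return f"EGRESS: {sz} {flow['src']} -> unlisted external {flow['dst']}:{flow['dport']}"
    if sz == dz or (sz, dz) in ALLOWED_ZONE_FLOWS:
        return None
    return f"LATERAL: {sz} -> {dz} ({flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']})"

# Constructed sample flow log (not from any real incident).
SAMPLE_FLOWS = [
    "2025-01-30T02:00:01 10.20.0.15 10.40.1.5 tcp 443 5120",     # monitor -> central station: ok
    "2025-01-30T02:00:07 10.30.0.8 10.30.0.9 tcp 104 90000",     # DICOM inside imaging zone: ok
    "2025-01-30T02:01:13 10.10.0.3 10.30.0.8 tcp 445 8000",      # HVAC controller -> CT: lateral
    "2025-01-30T02:02:45 10.20.0.15 198.51.100.7 tcp 515 3200",  # monitor -> unlisted external: egress
    "2025-01-30T02:03:00 10.20.0.15 203.0.113.10 tcp 443 700",   # monitor -> allowlisted vendor: ok
]

def findings(lines):
    # Run every flow line through classify() and keep only the findings, in log order.
    return [f for f in (classify(parse_flow(line)) for line in lines) if f]
```

In a real deployment the same logic would run over NetFlow or firewall logs exported from the OT segments, and an "EGRESS" hit from a monitor zone is the signal that warrants isolating the device rather than waiting for a patch.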
Regulation Is Waking Up - But Is It Fast Enough?
The regulatory world is beginning to grasp the severity of the situation. In Europe, the NIS2 Directive designates the healthcare sector as critical and imposes cybersecurity obligations directly on hospitals and medical institutions, including responsibility for OT and IoMT systems. In January 2025, the European Commission launched a dedicated cybersecurity action plan for healthcare, proposing the establishment of a European support center led by ENISA. The Cyber Resilience Act and the Medical Device Regulation (MDR) complete the picture by requiring manufacturers to integrate security throughout the entire product lifecycle.
In the United States, the FDA began in 2023 requiring cybersecurity plans for every new medical device approval, including a Software Bill of Materials (SBOM) and an update management plan. The HHS developed dedicated Cybersecurity Performance Goals (CPGs) for the sector.
But regulation arrives too late for existing equipment. The new requirements do not apply retroactively. And on the ground, an ENISA survey found that 80% of healthcare organizations identify software or hardware vulnerabilities as the cause of more than 61% of their security incidents.
Why Is This So Hard to Fix?
Three words: continuity, budget, expertise.
Continuity: A hospital cannot stop. You cannot take a system offline for an update. Patients whose lives are at risk cannot wait. This is the only environment where downtime is simply not an option.
Budget: 56% of healthcare organizations allocate less than 10% of their IT budget to cybersecurity. And when the choice is between another physician and a cybersecurity expert, the decision is clear.
Expertise: 53% of healthcare organizations report a lack of in-house cybersecurity expertise. And medical OT security requires dual expertise: understanding both cybersecurity and the medical-operational environment.
Conclusion
The Change Healthcare attack was only the beginning. Monitors with built-in backdoors? This was just the tip of the iceberg. The real threat is what we have not yet discovered.
Every hospital, every clinic, every medical center is a front line in the global cyber war. And the stakes? Not money. Not data. Human lives.
To protect our patients, we must protect our hospitals.
About RubyComm:
RubyComm delivers tailored operational technology cybersecurity solutions designed specifically for the unique challenges of industrial and critical infrastructure environments faced by organizations of all sizes. Unlike one-size-fits-all security products, RubyComm addresses the specific operational constraints, legacy system challenges, and complex integration requirements that conventional off-the-shelf solutions usually do not address. Our approach maintains operational efficiency and business continuity while providing comprehensive protection against sophisticated OT-specific threats, without the need for an in-house team of cybersecurity specialists.
Sources
FBI/CISA, Internet Crime Report 2024; AHA Cyber Intel Reports 2024–2025
CISA/FDA, Contec CMS8000 Advisory (ICSMA-25-030-01), January 2025
ENISA, Health Threat Landscape 2023; NIS360 Report; NIS Investments Survey
RubyComm: Healthcare 2025
Trellix, Healthcare Cybersecurity Threat Intelligence Report 2025
Netwrix, 2025 Cybersecurity Trends Report
FDA, Cybersecurity in Medical Devices: Refuse to Accept Policy, March 2023
EU Commission, Action Plan for Cybersecurity of Hospitals, January 2025