Healthcare Cybersecurity: Why Hospitals Are Hackers' Favourite Target

Healthcare organisations are cybercriminals' favourite target. Valuable data, legacy systems, and overworked staff create a perfect storm. Discover why behavioural analysis is the missing link in healthcare security.

Nexus-7 Security Team · Cybersecurity Experts
· March 16, 2026 10:04 · 5 min read

The healthcare sector under fire

In 2025, healthcare organisations worldwide experienced a record number of cyberattacks. From small clinics to major university hospitals, no institution was spared. The consequences extend far beyond IT disruptions — patient records are exposed, surgeries are postponed, and in the worst cases, lives are put at risk.

What makes healthcare such an attractive target for cybercriminals? And why is this sector so notoriously difficult to protect?

Why healthcare is uniquely vulnerable

1. High-value data, limited budgets

Medical records contain a treasure trove of personal information: national identification numbers, insurance details, diagnoses, medications, and contact information. On the dark web, a complete medical record is worth up to ten times more than a credit card number, and unlike a card number a diagnosis or national ID cannot be cancelled and reissued, so the data stays saleable for years. Yet healthcare organisations typically spend just 4-6% of their IT budget on cybersecurity, significantly less than the financial sector.

2. Complex, legacy IT infrastructure

Hospitals operate on a patchwork of systems: electronic health records (EHRs), medical devices, laboratory systems, and administrative software. Many of these systems are decades old, running on operating systems that no longer receive security updates. Replacing them is expensive and risky: a system that must run around the clock cannot simply be taken offline for a migration, so unsupported systems often stay in production for years and have to be isolated from the rest of the network rather than patched.

3. The human factor

Healthcare workers are trained to save lives, not to spot phishing emails. Workloads are intense, time pressure is constant, and the focus is — rightly — on the patient. But that exact combination makes staff vulnerable to social engineering. An email that appears to be an urgent message from the pharmacy? In the chaos of a busy shift, someone clicks before thinking.

The threats: beyond ransomware

Ransomware remains the primary threat

The WannaCry attack of 2017 brought the UK's NHS to its knees. Since then, ransomware has only grown more sophisticated. In 2025, hundreds of healthcare institutions were hit worldwide. Attackers know that hospitals are more likely to pay ransom — because every minute of downtime can be literally life-threatening.

Supply chain attacks

Healthcare organisations work with dozens of suppliers: from software companies to cleaning services. Every supplier with network access is a potential entry point. An attack on a single IT service provider can compromise dozens of healthcare organisations simultaneously.

Insider threats

Not every threat comes from outside. Staff with access to sensitive systems can — intentionally or accidentally — leak data. A terminated employee who still has access, a doctor who puts patient files on an unsecured USB drive, an intern who shares a password: the examples are endless.

Why traditional training falls short

Most healthcare organisations invest in annual security awareness training. Staff attend a presentation, complete a quiz, and receive a certificate. Research consistently shows, however, that the effect of such training programmes fades almost entirely within three to six months.

The problem runs deeper than knowledge. People behave differently under stress than in a training setting. A nurse receiving a suspicious email after a twelve-hour night shift does not apply the same critical thinking as during an e-learning module at two in the afternoon.

The behaviour behind the risk

Every employee has a unique risk profile. Some people are naturally cautious and sceptical — they will rarely click a suspicious link. Others are helpful and trusting, precisely the qualities that make a good healthcare professional, but that also make them vulnerable to social engineering.

This is where traditional approaches fail: they treat everyone the same, whilst risk fundamentally differs from person to person.

Behavioural analysis: the missing link

Nexus-7's Q-Method behavioural analysis offers a fundamentally different approach. Rather than giving everyone the same training, we first map each employee's behavioural profile. How do they react under pressure? How do they respond to authority? Are they inclined to follow rules or to pragmatically deviate?

Based on this analysis, a nuanced picture emerges of where the real risk lies — not at the system level, but at the human level. This makes it possible to:

  • Deploy targeted interventions for employees with higher risk profiles
  • Personalise training to align with individual behavioural patterns
  • Identify predictive indicators before an incident occurs
  • Allocate limited budgets more effectively by focusing on the greatest risks

NIS2 and the healthcare sector

With the NIS2 directive now in effect, healthcare is listed as a high-criticality sector: larger healthcare providers are classified as 'essential entities' and smaller ones as 'important entities', in both cases with stricter requirements for risk management, incident reporting, and supply chain security. Management bodies can be held personally liable for failures to comply.

NIS2 explicitly requires a risk-based, all-hazards approach, and its list of minimum measures includes basic cyber hygiene practices and cybersecurity training alongside technical controls such as firewalls and antivirus software. Insight into the human risk factors within the organisation is therefore part of a defensible risk assessment, not a luxury.

Practical steps for healthcare organisations

  1. Map your human risk — Invest in behavioural analysis alongside technical security assessments
  2. Segment your network — Put medical devices, legacy systems, and clinical applications in separate zones with default-deny rules between them, so a compromised workstation cannot reach the EHR or an infusion pump
  3. Implement zero trust — Do not trust a request because of where it comes from on the network; authenticate and authorise every user, device, and service on each access
  4. Practise incident response — Tabletop exercises are inexpensive but incredibly valuable; rehearse in particular how care continues while the EHR is unavailable
  5. Engage the board — Cybersecurity is not an IT problem; it is a board-level responsibility
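As an added example (not code from the original article or from Nexus-7), the following Python script shows what steps 2 and 3 look like as a checkable policy: hosts are mapped to zones, the policy is default-deny with an explicit allow-list, and sample flow records are evaluated against it so that cross-zone traffic that should never occur, such as a workstation opening SMB to an infusion pump, is flagged. The zone names, subnets, ports and flow records are constructed for illustration and do not come from the page.

```python
"""Zone-based, default-deny segmentation check over sample flow records.

Added example, not from the original article or from Nexus-7. All zone
names, subnets, ports and flow records below are constructed for
illustration.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed zone map: subnet -> zone name (an assumption for the example).
ZONES = {
    "guest_wifi": ipaddress.ip_network("10.50.0.0/16"),
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "medical_devices": ipaddress.ip_network("10.20.0.0/16"),
    "ehr": ipaddress.ip_network("10.30.0.0/24"),
    "admin": ipaddress.ip_network("10.40.0.0/24"),
}

# Explicit allow-list of (source zone, destination zone, destination port).
# Anything not listed here is denied: this is the default-deny part of step 2.
ALLOW = {
    ("workstations", "ehr", 443),         # clinicians use the EHR web front end
    ("medical_devices", "ehr", 2575),     # HL7 over MLLP into the integration engine
    ("admin", "ehr", 22),                 # administration only from the admin zone
    ("admin", "medical_devices", 22),
}


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (a constructed NetFlow-style record)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to its zone; unmapped hosts get 'unknown' and are
    never allowed, which surfaces unmanaged devices on the network."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(flow: Flow) -> bool:
    """Zero-trust style decision: the source's network location alone grants
    nothing; the (src zone, dst zone, port) tuple must be explicitly allowed."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.dport) in ALLOW


def violations(flows):
    """Return the flows a default-deny policy would block."""
    return [f for f in flows if not is_allowed(f)]


def violation_summary(flows):
    """Count blocked flows per (src zone, dst zone) pair: the view needed to
    decide which legitimate clinical flows still need an allow rule before
    default-deny is switched on."""
    return Counter((zone_of(f.src), zone_of(f.dst)) for f in violations(flows))


# Constructed sample flows; comments describe the scenario each represents.
SAMPLE_FLOWS = [
    Flow("10.10.3.14", "10.30.0.5", 443),    # nurse workstation -> EHR: allowed
    Flow("10.20.7.2", "10.30.0.9", 2575),    # infusion pump -> HL7 interface: allowed
    Flow("10.10.3.14", "10.20.7.2", 445),    # workstation -> pump over SMB: lateral movement
    Flow("10.50.1.20", "10.30.0.5", 443),    # guest Wi-Fi -> EHR: must never happen
    Flow("10.20.7.2", "10.40.0.3", 3389),    # pump -> admin host over RDP: compromised device
    Flow("192.168.99.4", "10.30.0.5", 443),  # address in no known zone: unmanaged host
]


if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"DENY {zone_of(f.src)}({f.src}) -> {zone_of(f.dst)}({f.dst}):{f.dport}/{f.proto}")
    print(dict(violation_summary(SAMPLE_FLOWS)))
```

In practice the allow-list is exported from the firewall or NAC configuration and the flow records come from NetFlow or firewall logs; running the same check in audit mode before enforcement shows which legitimate clinical flows (HL7, PACS, lab interfaces) must be allowed explicitly before default-deny is switched on, and the hosts that land in no known zone are the unmanaged devices that need an owner before they can be placed behind a rule.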

Conclusion

The healthcare sector faces a unique challenge: systems that can never go offline, data that is among the most sensitive in existence, and staff who work under extreme pressure. Technical measures alone are not enough. Only when organisations understand how their people behave — and why — can they become truly resilient against cyber threats.

The question is not whether your healthcare organisation will be attacked. The question is whether your people are ready for it.
