Hospitals urged to strengthen cybersecurity amid rising Iran-linked threats
Federal agencies warn that geopolitical tensions could increase cyber risks for hospitals, raising operational and financial concerns.
Hospitals are among the organizations that should pay special attention to ensuring their cybersecurity is shored up amid the ongoing conflict in Iran, according to federal agencies.
Iran-linked cyber actors have targeted U.S. critical infrastructure at other times in recent years, and the recent attacks on the country by Israel and the United States may increase the likelihood of criminal action.
Federal agencies and the American Hospital Association (AHA) have said they do not know of specific credible threats targeting U.S. healthcare. As a precaution, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) re-issued a 2025 alert that was published in June amid attacks by the United States on Iranian nuclear facilities.
The alert noted that the healthcare and public health sectors were among the targets of Iran-affiliated cyber actors during the early stages of the Israel-Hamas conflict in late 2023 and early 2024.
An attempted cyberattack by an Iran-aligned group could employ tactics ranging from phishing and credential theft to ransomware campaigns, network intrusions and data exfiltration, and distributed denial-of-service (DDoS) attacks that overwhelm systems.
Such attacks may aim to disrupt service or steal sensitive data. Attacks may target not only clinical systems but also other components of hospital operations, such as patient portals or electronic health records (EHRs).
Why hospitals are targets for cyberattacks
Hospitals make an attractive target, even compared with other critical infrastructure, because of their vast array of interconnected systems, among them EHRs, portals and billing systems. The various clinical systems that interface with EHRs allow for numerous entry points, and legacy equipment such as MRIs often cannot be easily patched or replaced.
Given the need to avoid compromising patient care, hospitals also have a harder time shutting down large swaths of their system in response to a cyberattack.
“Over the last four to six months, we’ve identified increased activity of social engineering from threat actors,” Matthew Thomas, director of practice management at Emerson Health in Massachusetts, said during a recent HFMA-sponsored roundtable on cybersecurity for healthcare organizations. “They are targeting our staff, frontline workers, medical assistants, medical receptionists and builders — impersonating human resources, insurance companies, other providers and practices. We’ve seen a huge increase in that kind of activity. We’re doing more training with staff in response.”
Hospital credit ratings could be impacted
The cyber threats also amount to a credit risk, according to Fitch Ratings, which issued a bulletin pertaining to the broader public finance sector (which includes not-for-profit hospitals).
“Iranian state-sponsored actors, hacktivist groups and lone-wolf attackers will likely target U.S. public entities and critical infrastructure more frequently,” the bulletin states. “Risks include distributed denial-of-service attacks, financially motivated campaigns, and attacks that seek to cause physical disruption or destruction.”
Utilities are another potential target, and successful attacks on power or water companies can create downstream risks for operations at hospitals and other organizations, notes the bulletin.
“Proactive risk management, including robust incident response planning, staff training, vendor oversight and, if available, insurance, can mitigate threats and help preserve credit quality,” Fitch wrote. “Severe breaches that weaken credit metrics or reveal deficiencies in cyber risk management can lead to negative rating actions.”
The company noted that, historically, most cyber incidents have not resulted in rating actions.
The financial impact of cyberattacks on healthcare organizations can amount to $1.9 million per day just in downtime, according to a December 2024 industry report.
Cybersecurity resources for hospitals
HHS recently updated its Risk Identification and Site Criticality Toolkit, a data-driven resource developed to inform emergency preparedness planning, risk management activities and resource investments.
CISA has various resources for healthcare organizations, including tools and tips about cyber hygiene, cybersecurity defenses, and overcoming resource constraints.
The AHA has various cybersecurity resources for hospitals, including assessment tools, recommendations, a list of trusted cybersecurity vendors, and tools specifically for rural hospitals.