Cyberattacks on healthcare provision: Observations from 2 years of monitoring

CyberPeace Institute

Two years ago, the CyberPeace Institute began to systematically document cyberattacks that have disrupted healthcare services globally. The scale and impact of these attacks have been made public via the Cyber Incident Tracer (CIT) #Health platform, which to date contains data collected on 447 disruptive cyberattacks against healthcare organizations affecting some 40 countries. While these cyberattacks are nowadays out of the media headlines, there is a persistent cost to people reliant on the healthcare sector’s vital services.

Analyzing the data collected by the Cyber Peace Institute enables key observations and insights into the type of cyber threats affecting the healthcare sector. Likewise, it is an important step in the process to raise awareness and to put an end to such attacks. With the endeavor to ensure that cyberattacks against the healthcare sector do not get forgotten, the following are key observations further to analysis of the 447 disruptive attacks:

Ransomware remains Dominant Threat

Human-operated ransomware attacks remain the dominant disruptive threat to healthcare services, constituting 86% of documented attacks. To put this into perspective, on average every two days over the past 24 months, a ransomware attack has impacted a healthcare organization, including patient care services of entire national healthcare networks or the production of vaccines at pharmaceutical companies. As these are just the cyberattacks that the Institute has collected that have been reported by media outlets, public bodies, victim organizations, or ransomware operators themselves, the real number is likely much higher.

Resurgence of Cyberattacks in May 2022 

Analysis of the data sources that the Institute has collected, highlights that there has been a significant resurgence of disruptive cyberattacks against the healthcare sector in May 2022 after a temporary lull in attacks since December 2021. From the data collected in the CIT #Health platform, the first four months of 2022 constitute the period with the lowest intensity of disruptive cyberattacks against the healthcare sector since mid 2020 when documentation began. The CyberPeace Institute has documented a 280% rise in disruptive cyberattacks against the healthcare sector in the months from April to May 2022, (10 cyberattacks in April, 28 in May 2022). This may be attributable to a decrease in reporting of cyberattacks.

Geographic Shift of Victims

Disruptive cyberattacks against the healthcare sector have also experienced a geographic shift since the beginning of the year, according to data collected by the CyberPeace Institute. Whereas the United States was disproportionately impacted by cyberattacks with 57.6% of all the documented pre-2022 healthcare cyberattacks, it has since accounted for 39.8% of the global total. In comparison, states in Europe accounted for 24% of healthcare cyberattacks pre-2022 and constituted 43.4% of attacks from January to May 2022. 

Attacks on National Healthcare Systems

The first months of 2022 have also exhibited a disproportionate number of cyberattacks against national healthcare systems. The Hive ransomware operator[1]Hive is among the most prevalent threat actors in the healthcare sector with 12 documented attacks. Security researchers from AdvIntel have identified alleged links between Hive and Conti. is said to have affected services at over 1,200 hospitals and clinics with its attack on Costa Rica’s national healthcare service on May 31. Earlier in the month, a Conti ransomware attack forced the Costa Rican government to declare a national emergency. Around the same time, the website of an Italian healthcare institution was hit as part of a broader DDoS campaign against Italian government organizations by the pro-Russian KillNet collective. 

What has Changed?

The fluctuation of healthcare cyberattacks, their geographic shift, as well as targeting of government healthcare institutions have coincided with several developments that could be having an affect on the cyber threat landscape, in particular:

  1. Pressure on Threat Actors: Early 2022 saw increased pressure on ransomware operators, including the arrest of alleged REvil members by Russian authorities and multi-country law enforcement efforts in late 2021. However, the prosecution of REvil members has reportedly stalled as of May due to “lack of U.S. cooperation.” 
  1. Geopolitical Shock: The period preceding and the Russian invasion of Ukraine in February 2022 has seemingly led to a disruption to the Russian-speaking cybercriminal ecosystem, with both threat actors and perhaps their individual members flocking to take sides. This includes Conti – a dominant threat actor in the healthcare sector. An explanatory variable for the shift in targeting from a geographic and national healthcare network perspective may be due to their increased significance in the context of the war. 
  1. Changing Tactics: Cyber threat actors constantly adapt their tactics, techniques, and procedures (TTPs) to suit their motivations, be it political or financial. Several cybercriminal threat actors have shifted from disruptive ransomware attacks to pure data theft extortion. Prominent examples include CoomingProject, Lapsus$ and Karakurt – a now identified side-operation of Conti

The Future of the Healthcare Threat Landscape

It is to be seen whether these observations reflect the developments of the healthcare cyber threat landscape. Nonetheless, the crucial role of the healthcare sector will continue to make it an important target for cyber threat actors – be it as a target of opportunity or deliberation. While the tactics, techniques, and procedures (TTPs) as well as intensity of attacks and their impacts will naturally adapt to technological and geopolitical realities, cyber threat actors can continue to attack the sector with impunity as long as sustainable mechanisms of accountability are not in place. 

The CyberPeace Institute continues to provide a first step in this chain of accountability, namely by documenting the scale, impact, and perpetrators of healthcare cyberattacks.


1 Hive is among the most prevalent threat actors in the healthcare sector with 12 documented attacks. Security researchers from AdvIntel have identified alleged links between Hive and Conti.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.


Support the CyberPeace Institute

Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.


Subscribe to our newsletter

Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.