Cyber criminals close in on SA’s healthcare sector – Check Point

By Christopher Tredger, Portals editor
Johannesburg, 08 Apr 2025
Shayimamba Conco, cyber security expert at Check Point.

Ethics were once a deterrent for cyber criminals targeting healthcare institutions, but that is no longer the case. According to research from cyber security firm Check Point Software Technologies, healthcare organisations in South Africa face an average of 1 626 cyber attacks per week.

In observance of World Health Day on 7 April, Shayimamba Conco, cyber security expert at Check Point, confirms: “There was a time when cyber criminals refrained from attacking the world’s healthcare institutions for ethical reasons. But those days are over.”

Poor cyber hygiene

The root of the crisis, Conco explains, lies in inadequate cyber security practices. Many healthcare organisations rely on outdated, fragmented infrastructure – an unfortunate combination of legacy systems and modern technologies that are not designed to work securely together.

Most medical devices are not built with security in mind and often remain unmonitored by IT teams, expanding the attack surface faster than traditional defences can keep up.

In developing countries, the problem is exacerbated by limited resources. With reduced budgets, outdated systems, insufficient staff training and a lack of adequate protection for sensitive patient data, healthcare institutions in lower-income regions become prime targets for cyber criminals.

This creates a vicious cycle of attack and inadequate defence, threatening both the delivery of care and public trust.

A rising threat

Research from Check Point reveals that, in the first three months of 2025, the international healthcare and medical industry saw an average of 2 309 weekly cyber attack attempts per organisation. This represents a 39% increase compared to the same period last year.

An SA-specific Check Point Threat Intelligence Report from the past six months highlights the prevalence of FakeUpdates malware and the dominance of information disclosure exploits, which affected 78% of healthcare organisations. Other notable attack vectors included remote code execution, authentication bypass and denial of service.

Mobile malware had a particularly high impact in SA, averaging 1.5% weekly, significantly higher than the global average of 0.9%. Information disclosure impacted 4.7% of South African organisations, compared to 3.6% globally.

Major attacks in SA

Check Point also referenced a significant attack in July 2024, when the BlackSuit ransomware group targeted SA’s National Health Laboratory Service. The breach disrupted lab result dissemination during an Mpox outbreak, and attackers deleted system sections, including backups, forcing manual communication of test results.

SA's healthcare sector is at a critical juncture, with the need for rapid digitisation to address rising costs, improve efficiency and prepare for the implementation of the proposed National Health Insurance scheme.

Non-governmental healthcare organisations have also been impacted by the recent withdrawal of US funding.

“The healthcare industry is already a prime target for cyber attacks, and the USAID withdrawal will only increase the risks in this sector,” Conco says. “Many healthcare breaches stem from phishing, unpatched systems or misconfigured networks – not complex zero-day exploits. Prevention is possible but often not prioritised.”

Ransomware – a growing threat

International authorities such as the FBI and INTERPOL have long warned that threat actors view hospitals and healthcare providers as prime targets for extortion. “The critical nature of healthcare makes it a prime target – every second of downtime or breach can delay care, or worse, result in loss of life,” Conco adds.

Ransomware and phishing are the most prevalent threats, with ransomware increasingly focusing on data exfiltration and extortion tactics rather than encryption-based attacks. This shift makes it easier for cyber criminals to operate and maximise payouts.

“The urgency of healthcare services makes providers more likely to pay ransoms to restore access quickly,” Conco says. “This leads to potential data loss, operational downtime and significant financial strain.” Compromised patient data can also lead to breaches of privacy, identity theft and other forms of exploitation.

Beyond ransom payments, the costs of recovery, system upgrades, legal fees and fines can be substantial. “Perhaps the greatest cost is reputational damage,” Conco says. “Trust is critical in healthcare, and a successful ransomware attack can damage an organisation’s reputation, eroding patient trust and potentially causing a loss of business.”

Medical devices – an emerging vulnerability

A particularly concerning trend is the rise in attacks targeting connected medical devices such as pacemakers, insulin pumps and imaging machines.

According to the 2023 State of Cybersecurity for Medical Devices and Healthcare Systems Report by Health-ISAC, Finite State and Securin, over 1 000 vulnerabilities were discovered in medical devices in 2023. However, only 15% of manufacturers had vulnerability disclosure programmes in place.

“Attackers don’t need to breach a hospital’s network to cause chaos – they can now exploit IOMT (internet of medical things) devices that serve as unguarded entry points,” Conco adds. “Cyber criminals are becoming increasingly sophisticated, specifically targeting medical devices in addition to networks, servers, personal computers and databases.”

Ironically, the push for digital transformation in healthcare to improve efficiency and cost savings is expanding the sector’s attack surface, with a notable increase in attacks on routers, VPN hardware and other edge devices.
