Health Care Cybersecurity Considerations for 2026: This Year’s Top 3 Cyber Risks
Cyberattacks against hospitals, health systems and mission-critical health care third-party providers have surged in recent years. While these attacks often involve theft of patient data and medical research, the most concerning are high-impact ransomware attacks that continue to shut down critical medical systems, resulting in disruption and delays to health care delivery. There is no doubt that these types of disruptive attacks create a direct risk to patient and community safety. To be clear, these are not data-theft crimes; they are in fact “threat to life” crimes.
The perpetrators of these foreign-based ransomware attacks are primarily, but not exclusively, Russian-speaking or based in Russia. Other adversarial nations that provide shelter for dangerous international criminals to launch cyberattacks against the U.S. are the usual suspects — Iran, China and North Korea.
There have been thousands of ransomware and data theft attacks targeting U.S. health care over the last several years. In fact, the FBI reported that in 2025 alone, the health care sector suffered 460 ransomware attacks, far more than any other critical infrastructure sector. Since 2020, over 3,200 hacking incidents have been reported to the Department of Health and Human Services Office for Civil Rights, impacting 574 million individuals. Many incidents were actually encryption ransomware attacks accompanied by data theft — “the double extortion,” in which the perpetrators demand an additional ransom both for a decryption key to unlock systems and in exchange for not publishing stolen patient health records.
The silver lining? We have a great deal of “battle experience” and tough lessons learned, which have helped us collaborate to harden systems and prepare for impact and recovery. We at the AHA, working with victims, the field and the federal government, have also been able to reliably identify strategic cyber risk related to third parties, patient safety and supply chain.
Based on our collective experience and work, let’s explore what health care leaders need to consider now to reduce cyber risk today and in the future. We will review the top three actual and anticipated cyber risks of 2026 — and how hospitals have been building the defensive measures and resilience needed to prevent and recover from cyberattacks.
Top 3 Cyber Risks
1. Geopolitical Tensions
Current geopolitical tensions with Russia, Iran, China and North Korea may incentivize these countries to attack the U.S. via cyber means — but not directly. They may direct or facilitate unattributable criminal cyber proxies or “hacktivists” to conduct ransomware attacks or other types of disruptive cyberattacks against health care organizations, mission-critical third-party providers and the supply chain. They may also conduct attacks against critical infrastructure sectors, such as energy, water and telecommunications, which may have a regional or national cascading disruptive effect on health care. Using a viable criminal “proxy” hacking group may provide the sponsoring nation-state a measure of plausible deniability and may delay or hinder attribution of the attack to them. These nations know that if they are identified as being culpable for a highly disruptive national-level cyberattack, a swift and strong U.S. response would be certain. On one hand, this may encourage the use of proxies. On the other hand, we hope this may serve as a deterrent to these types of attacks.
The recent attack on Stryker is a perfect example of a proxy attack. The pro-Iranian group Handala Hack Team has claimed responsibility for the destructive malware attack on the company’s systems, which has impacted a critically important node in the health care sector’s technology and supply chain.
Although Handala claims to be an independent supporter of the Iranian regime, the Department of Justice reports that Handala is actually controlled by the Iranian Ministry of Intelligence and Security.
2. Cyberattacks Against Third Parties
Criminal ransomware groups, particularly Russian-speaking groups, will continue to target health care third-party mission-critical technology, service and supply chain providers, both to steal large aggregations of health care data and to launch ransomware attacks that cause maximum disruption across the entire health care sector. When these mission- and life-critical third parties get attacked, the disruption may extend to their health care organization customers and their patients. It is what I call the “ransomware blast radius” effect. Cyberattacks against Change Healthcare and the blood/plasma sector in 2024, as well as Stryker in 2026, are recent examples.
Additionally, hostile nation-states, particularly China, have been successful at penetrating critical U.S. infrastructure — such as energy, water and telecommunications — to embed destructive malware for activation during a future triggering event, like a potential Chinese invasion of Taiwan. In our digitally dependent health care delivery world, we must be prepared for disruptions to care caused by a loss of network- and internet-connected third-party technology, services and supply chain.
3. Autonomous Artificial Intelligence-generated and -facilitated Cyberattacks
According to Microsoft, “Autonomous AI is AI that can make decisions and take actions on its own, without human input. Unlike traditional AI, which requires people to guide it, autonomous AI learns from data, adapts to new situations, and operates independently.”
In 2026, we will see expanded instances of AI-generated audio and video deepfakes, as well as AI-assisted vulnerability detection and malware development. We may see AI being used by sophisticated cyber adversaries to launch cyberattacks throughout the entire attack cycle — Anthropic documented the first such “autonomous” attack last year.
I believe we will also see an increase in cyberattacks tied directly to the exploitation of vulnerabilities embedded within AI software and systems, along with the risk of “data poisoning” and AI manipulation by cyber adversaries.