
Iran war prompts U.S. hospitals to prep for potential DDoS attacks 

The Health Information Sharing and Analysis Center is warning American health systems to shore up their cybersecurity posture against the threat of distributed denial-of-service attacks stemming from the military conflict with Iran.
By Andrea Fox, Senior Editor

Photo: John M Lund Photography Inc/Getty Images

This article was updated with additional resources and commentary on March 5, 2026.

Hospitals, health systems and other healthcare organizations nationwide face real risks in the form of retaliation for U.S. military strikes on Iran, according to the Health Information Sharing and Analysis Center, which notes that cyberattacks may come from loosely aligned hacktivist groups rather than directly from the nation-state itself.

"Health-ISAC is closely tracking the evolving Middle East crisis and the potential for cyber spillover affecting healthcare and public health organizations globally," said Errol Weiss, Health-ISAC's chief security officer.

Disruptions expected

Health-ISAC said it is not currently aware of specific, credible campaigns targeting the U.S. healthcare sector or hospitals, but clinical websites, internet of things (IoT) devices and other public-facing systems essential to operations are frequent targets of cyberattacks aiming for service disruption.

"History shows that major military escalations are often accompanied by an uptick in DDoS [distributed denial-of-service] activity and noisy hacktivist operations," said Weiss.

Last year, the Department of Homeland Security asked the healthcare sector to be vigilant against state-sponsored CyberAv3ngers and other pro-Iranian hacktivists.

"We are warning Health-ISAC members to be prepared for attempts to disrupt public-facing assets (websites, patient portals, VPNs) and, in some cases, internet-exposed OT/IoT that support clinical and facility operations," Weiss said. "In fact, we know of a hospital in Israel where an internet-facing IoT system was compromised [Monday] by hacktivists sympathetic to Iran."

Three key steps to take now

First, "at a high level, we recommend that health sector organizations validate and, if necessary, enhance [distributed denial-of-service attack] DDoS protections with ISPs, CDNs [content delivery networks] and cloud providers," Weiss told Healthcare IT News on Tuesday.

Heightened geopolitical tensions, such as the escalating war between the United States and Iran, increase the risk of cyberattacks on critical infrastructure.

According to Reuters on Tuesday, U.S. banks are on high alert for cyberattacks stemming from the growing conflict. While the financial services sector was the top target of DDoS attacks in 2024, smaller-scale DDoS attacks and ransomware events caused operational disruptions.

The Cybersecurity and Infrastructure Security Agency, which has tracked Iranian hacktivists' targeted exploits of known vulnerabilities in Microsoft Exchange and Fortinet and has previously issued warnings to the healthcare sector, updated its best-practices guidance for defending against "living off the land" cyber activity after more recent state-sponsored cyberattacks.

The guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, specifically addresses the challenges of defending against DDoS attacks with mitigations and visual aids.

Last year, Health-ISAC released a whitepaper that explores Ransom Denial-of-Service (RDoS) attacks, which are initiated through extortion letters that threaten to bombard networks and are accompanied by a sample attack to demonstrate severity. The RDoS paper, A New Era of Digital Warfare: Understanding and Mitigating Modern DDoS and RDoS Attacks, reviews risks and impacts to organizations, mitigation strategies and more.

Second, Weiss said he recommends healthcare organizations take an inventory and harden their internet-facing systems, focusing on VPNs, portals and remote access.

Identity security is critical because attackers are often logging in with stolen credentials.

"An identity-first approach shifts the focus from defending the perimeter to managing access," he wrote in a Healthcare IT News blog post in 2025.

Help could be on the way – if not necessarily soon. The Health Care Cybersecurity and Resiliency Act, first introduced in 2024, moved out of the Senate HELP Committee this week and will be considered by the full chamber. The bill calls for monetary grants to help hospitals and others improve their prevention and response capabilities to protect against increasingly sophisticated cyber threats.

The third recommended step health systems and hospitals should take now is to rehearse downtime and incident-response procedures for essential clinical services that must continue safely during a cybersecurity event, said Weiss.

A healthcare cybersecurity disruption, which could last months, weeks or days at best, can compromise the ability to deliver patient care.

Brian Lamberger, general manager of cybersecurity solutions at security firm CloudWave, also recommends validating DDoS mitigation controls and ISP-level protections along with rehearsing downtime procedures.

"The right posture right now is pragmatic vigilance," he said by email on Wednesday.

"DDoS threats are real and disruptive even when they fall short of a breach. A hospital that can't access its patient portal or EHR system for four hours faces genuine operational risk," Lamberger added.

Weiss said organizations must provide clinicians with clear guidance on downtime procedures in the event of a network outage – "what to stop, what to slow and what to continue."

"Don't just have a binder on a shelf." -Errol Weiss, Health-ISAC's chief security officer

Organizations should establish manual workflows for registration, patient check‑ins and scheduling, and ensure that staff know where to find current paper order sets, medication administration records, consent forms and downtime documentation.

These materials should be periodically tested and refreshed, Weiss noted, while short, scenario‑based exercises can be run during off‑peak hours.

They "force teams to execute downtime procedures for EHR, lab/radiology and patient access/registration," he said.

Existing incident response mechanisms can provide a blueprint for creating and practicing a cyber incident protocol that involves all employees.

"It's all about folding it into things that are already working," Nate Lesser, vice president and CISO at Children's National Hospital in Washington, D.C., said three years ago when he presented his organization's "code dark" cyber-response protocol.

Some healthcare informaticists have found success in gamifying downtime procedures with simulated escape rooms to train new nurses on how to perform during an electronic health record outage.

By working across teams, organizations can improve their readiness.

"Incident response, IT, nursing and medical leadership should be jointly involved in designing and testing downtime plans so that security, safety and clinical practicality are all balanced," said Weiss.

"The healthcare sector should take the current threat environment seriously without succumbing to alarm," Lamberger said. "While we're seeing a surge in claims from pro-Iranian hacktivist groups, the evidence of successful, impactful attacks remains thin.

"Don't let unverified social media claims drive panic, but don't mistake noise for safety either."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.