Healthcare organizations are the most targeted sector for ransomware attacks in the United States, and New York City's dense concentration of major health systems makes it a particularly active threat environment. The 2024 Change Healthcare ransomware attack — attributed to the ALPHV/BlackCat group and affecting UnitedHealth Group's payment processing subsidiary — disrupted claims processing for thousands of providers nationwide, caused cash flow crises at hospitals dependent on rapid reimbursement, and reduced UnitedHealth's first-quarter 2024 earnings from operations by $872 million, including $593 million in direct cyberattack response costs (UnitedHealth Group Q1 2024 results), with the full-year cost ultimately reaching roughly $3.09 billion. The attack demonstrated that healthcare's interconnected infrastructure creates systemic risk that extends far beyond individual organizations.
New York City's major health systems — NYC Health+Hospitals (the largest municipal health system in the United States), NYU Langone Health, Mount Sinai Health System, and NewYork-Presbyterian — have invested significantly in cybersecurity. But the broader NYC healthcare ecosystem includes hundreds of smaller providers, specialty practices, imaging centers, laboratories, and home health agencies that operate with far less security maturity and face the same threat actors.
Healthcare-Specific Attack Vectors
VPN and Remote Access Exploitation
Unpatched VPN appliances remain the leading initial access vector in healthcare ransomware attacks. Vulnerabilities in Citrix NetScaler (CVE-2023-4966, the "Citrix Bleed" vulnerability), Ivanti Connect Secure (CVE-2024-21887), and Fortinet FortiGate (CVE-2024-21762) were all actively exploited against healthcare organizations within weeks of public disclosure. Healthcare's notoriously slow patch cycles — driven by change management processes designed to protect clinical system stability — create windows of exposure that threat actors actively exploit. CISA's Known Exploited Vulnerabilities catalog should be treated as a mandatory patch list with aggressive timelines for healthcare organizations, particularly for network edge devices.
Legacy Medical Devices
FDA-cleared medical devices — infusion pumps, patient monitors, imaging systems, laboratory analyzers — often run outdated operating systems that cannot be patched without FDA re-clearance of the device. A network-connected infusion pump running Windows XP Embedded is an endpoint that cannot be patched and cannot run a modern EDR agent, but is connected to the same network as clinical workstations and EHR systems. The FDA's 2023 cybersecurity guidance for medical devices (section 524B of the FD&C Act) now requires manufacturers to include a software bill of materials (SBOM) and demonstrate cybersecurity capabilities for new device submissions, but the installed base of legacy devices remains a long-term problem.
The appropriate mitigation for legacy medical devices is network isolation: VLAN segmentation that places medical devices on a dedicated network segment with restrictive firewall rules that permit only the specific communication required for device operation (DICOM traffic to PACS, HL7 interfaces to the EHR, device management traffic to authorized management stations). Anomaly-based network monitoring using tools like Claroty or Medigate can provide visibility into medical device network behavior without requiring agents on the devices themselves.
PACS and Radiology Systems
Picture Archiving and Communication Systems (PACS) for radiology represent a combination of legacy software, large data stores of sensitive patient imaging, and often-poor network isolation. DICOM, the standard protocol for medical imaging data, was designed for interoperability rather than security. DICOM servers are frequently accessible without authentication on healthcare networks, and DICOM files contain embedded patient demographic data in addition to imaging data. A 2019 study by Greenbone Networks found roughly 24 million patient records exposed across 590 unprotected PACS servers — running the DICOM medical-imaging standard with no authentication — on the public internet (Greenbone Networks, "Unprotected Patient Data in the Internet," September 2019; figures revised upward to 35 million studies in a November 2019 review) — a persistent problem driven by misconfiguration rather than software vulnerability.
EHR Security Configuration
Epic and Oracle Health (formerly Cerner) are the dominant EHR platforms in major NYC health systems. Both platforms offer substantial security configuration options that are frequently not fully utilized. Epic's audit logging capabilities allow tracking of every record access by every user — but only if audit log review processes are in place to detect inappropriate access. Role-based access control within Epic should implement least privilege: clinical staff should access only the patient records relevant to their care responsibilities, not the entire patient population. The "Break the Glass" override for accessing restricted records should generate an immediate alert to privacy officers for review.
HIPAA Enforcement Patterns
The HHS Office for Civil Rights (OCR) enforces HIPAA's Security Rule and Breach Notification Rule. OCR settlement patterns over the past three years show consistent enforcement focus on three areas: failure to conduct a thorough and accurate risk analysis (required under 45 CFR 164.308(a)(1)), failure to implement appropriate technical safeguards for electronic PHI, and failure to have and exercise a breach notification process meeting the 60-day notification deadline. Recent OCR settlements have included Banner Health ($1.25 million, 2023) for failures arising from a 2016 breach. The largest recent settlements over tracking pixels, by contrast, have come through private class-action litigation rather than regulators — for example, Advocate Aurora Health's $12.225 million class-action settlement (2023) resolving claims that patient data was disclosed to third parties via website tracking pixels (In Re Advocate Aurora Health Pixel Litigation); OCR has issued tracking-technology guidance but has entered no pixel enforcement settlement. New York's Attorney General has also brought independent enforcement actions under New York's SHIELD Act for healthcare breaches affecting NY residents. Fortress MSSP provides HIPAA security program assessments and penetration testing designed to address the technical safeguard requirements of the HIPAA Security Rule. Contact us to schedule an assessment.