When Hospitals Go Dark: Likely Entry Points and Why Healthcare Is Under Siege

January 15, 2026

In mid-January, two Belgian hospitals suddenly lost access to their digital nervous system. Servers were shut down. Surgeries were postponed. Critical patients were transferred elsewhere. The trigger was a cyber incident.

While investigators will determine the actual cause, the event raises a more important question for everyone in healthcare, cybersecurity, and public policy:

Why does this keep happening, and how do attackers usually get in?

This article explores likely entry points based on observed patterns and the structural reasons healthcare is increasingly targeted.

Part 1: Possible Entry Points (Assumptions Based on Patterns)

No two incidents are identical, but healthcare cyberattacks tend to follow a small number of recurring paths.

1. Phishing Still Works, Especially in Hospitals

The most common entry point globally remains phishing.

Why hospitals are vulnerable:

  • Staff work under time pressure
  • Emails frequently include attachments, lab results, and referrals
  • Many users share similar access privileges
  • Security training competes with patient care priorities

A single compromised mailbox can be used to:

  • Harvest credentials
  • Enable lateral movement
  • Grant access to internal systems via VPN or email synchronization

In many healthcare breaches, the attack starts with one click.

2. Stolen Credentials from Earlier Breaches

Hospitals do not exist in isolation.

Doctors, nurses, and administrators often:

  • Reuse passwords across systems
  • Access third-party platforms such as labs, insurers, and vendors
  • Log in remotely from personal devices

Attackers frequently use:

  • Credentials from old breaches
  • Dark web credential dumps
  • Password spraying against exposed portals

This means the real entry point may have occurred months or years earlier, somewhere else.
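
As an added illustration (not part of the original article), here is one way a defender could spot password spraying in the authentication log of an exposed portal: many distinct accounts failing from one source in a short window, as opposed to one user mistyping a password. The log format, account names, addresses, and thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample portal log: timestamp, source IP, account, result (assumed format).
SAMPLE_LOG = """\
2026-01-10T02:00:05 203.0.113.7 a.janssens FAIL
2026-01-10T02:01:40 203.0.113.7 b.maes FAIL
2026-01-10T02:03:12 203.0.113.7 c.willems FAIL
2026-01-10T02:05:01 203.0.113.7 d.claes FAIL
2026-01-10T02:06:47 203.0.113.7 m.peeters FAIL
2026-01-10T02:08:30 203.0.113.7 e.goossens FAIL
2026-01-10T02:40:02 203.0.113.7 m.peeters OK
2026-01-10T07:58:11 198.51.100.20 k.devos FAIL
2026-01-10T07:58:29 198.51.100.20 k.devos FAIL
2026-01-10T07:58:50 198.51.100.20 k.devos FAIL
2026-01-10T07:59:20 198.51.100.20 k.devos OK
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_spray(log, window=timedelta(minutes=30), min_accounts=5):
    """Flag source IPs whose failed logins hit >= min_accounts distinct accounts within window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok in parse(log):
        (successes if ok else failures)[ip].append((ts, user))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_accounts:
                first = events[start][0]
                findings[ip] = {
                    "accounts_failed": sorted({u for _, u in events}),
                    # A later success from the same source is the account to reset first.
                    "succeeded_after": sorted({u for t, u in successes[ip] if t >= first}),
                }
                break
    return findings

if __name__ == "__main__":
    for ip, detail in detect_spray(SAMPLE_LOG).items():
        print(ip, detail)
```

The single user who mistypes a password three times is not flagged, because the rule counts distinct accounts per source rather than raw failures.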

3. Exposed Remote Access (VPN, RDP, Citrix)

Healthcare relies heavily on remote access:

  • On-call doctors
  • External specialists
  • IT maintenance vendors

Common weaknesses include:

  • Outdated VPN appliances
  • Missing multi-factor authentication
  • Legacy Citrix or RDP systems
  • Shared administrative accounts

Many major hospital ransomware cases began with an internet-facing system that was never meant to be exposed publicly.

4. Third-Party and Supply Chain Risk

Hospitals depend on dozens, sometimes hundreds, of vendors:

  • Radiology systems
  • Electronic health records
  • Billing and insurance platforms
  • Medical device management software

Attackers increasingly compromise:

  • IT service providers
  • Software update mechanisms
  • Vendor credentials

In these cases, the hospital is not the first victim, only the most visible one.

5. Legacy Systems That Cannot Be Patched Easily

Healthcare runs on technology that:

  • Is old
  • Is certified and difficult to change
  • Cannot be easily patched without disrupting care

Examples include:

  • Imaging systems
  • Laboratory machines
  • Embedded Windows environments
  • Custom hospital software

Attackers deliberately look for environments where systems cannot simply be taken offline and updated.

Part 2: Why Healthcare Is Being Targeted More Than Ever

This trend is not random. It is structural.

1. Maximum Pressure Creates Maximum Leverage

Hospitals:

  • Cannot tolerate downtime
  • Operate life-critical services
  • Face immediate ethical and legal pressure

From an attacker’s perspective:

  • Downtime creates urgency
  • Urgency increases the chance of payment

Healthcare is not targeted because it is careless. It is targeted because it must respond quickly.

2. Digital Dependency Has Outpaced Security Maturity

Over the last decade, hospitals rapidly digitized:

  • Patient records
  • Scheduling
  • Diagnostics
  • Medication systems

Security investment often lagged due to:

  • Fragmented budgets
  • Complex governance
  • Shortage of healthcare-focused security talent

The result is high digital reliance combined with uneven protection.

3. Attackers Have Professionalized

Modern cybercrime is organized and specialized.

Groups now operate with:

  • Initial access brokers
  • Dedicated ransomware teams
  • Negotiators
  • Public leak platforms

Hospitals are no longer facing lone hackers. They are facing structured criminal enterprises.

4. Healthcare Data Is Exceptionally Valuable

Medical data:

  • Cannot be changed like a credit card
  • Contains identity, insurance, and history
  • Enables fraud, identity theft, and long-term abuse

Even without ransomware, data theft alone is profitable.

Part 3: The Real Risk Is Not Just Ransomware

The most serious consequences are not financial.

They include:

  • Delayed care
  • Cancelled surgeries
  • Diverted ambulances
  • Increased human error under manual workflows

When systems go offline:

  • Paper processes return
  • Coordination slows
  • Cognitive load increases
  • The risk of mistakes rises

Cybersecurity in healthcare is no longer only an IT concern. It is a patient safety issue.

Final Thought: A Warning, Not an Exception

Incidents like this are often described as unfortunate cyberattacks.

In reality, they are signals:

  • Of growing systemic risk
  • Of misaligned incentives
  • Of strained digital infrastructure

The uncomfortable truth is this: The question is no longer whether hospitals will be targeted, but how prepared they are when it happens.