Security specialists say urgent action is needed to strengthen defences
India’s healthcare sector is facing an escalating cybersecurity crisis, enduring more than 8,600 attacks per organisation each week – a rate more than four times the global average, and higher than any other industry in the country.
The scale of the threat is growing rapidly. All monitored healthcare websites in India have experienced bot-driven attacks, while small and medium-sized providers suffered 236 per cent more distributed denial-of-service attempts compared with larger counterparts. The Data Security Council of India estimates that the sector accounted for nearly 22 per cent of all cyberattacks in 2024, an increase of eight percentage points on the previous year.
Experts warn that hospital systems are uniquely vulnerable. Ransomware attacks can bring critical services offline, creating disruptions that in some cases may put lives at risk. The rapid spread of Medical Internet of Things devices, from infusion pumps to diagnostic monitors, has added further risks. Many lack basic security safeguards, leaving them exposed to data theft or failure at the point of care. The growth of telehealth services has also widened attack surfaces, exposing more sensitive patient data to criminals.
Underlying these problems are deeper structural weaknesses. Many Indian healthcare organisations operate with outdated systems and limited budgets for upgrades, leaving them exposed to repeated attacks. Cybersecurity maturity remains low, especially among smaller providers without access to dedicated security operations centres. At present, there is no unified regulation addressing healthcare-specific cyber risks, although broader data protection laws exist.
The real-world impact is already being felt. One Indian hospital was paralysed by an AI-enhanced ransomware attack after a phishing email, delaying surgeries and admissions while damaging patient trust. In another case, a breach at Star Health Insurance saw the data of 31 million patients offered for sale online. The attacker went further, sending live bullets to senior executives in an escalation of threats.
Security specialists say urgent action is needed to strengthen defences. Training staff to recognise phishing attempts, investing in behaviour-based detection systems, securing medical devices and building robust incident response plans are among the measures recommended. Analysts argue that unless India’s healthcare sector raises its level of cyber resilience, patients’ safety, trust and livelihoods will remain at risk.