Bharat Threat Feed: Global threats, decoded for Indian defenders
Healthcare Sector Edition · June 2026

Monthly threat intelligence for Indian healthcare CISOs, SOC leads and hospital boards. This edition covers verified developments from approximately May–June 2026: a sustained ransomware surge against care providers, deepening exposure of connected medical devices, and the maturing DPDP and ABDM compliance clock. Every item below is tied to public reporting with a publication date. India is the operating lens; figures are reported as published and not re-dated.

1. Sector snapshot

Healthcare and pharma remain among India's most-targeted verticals. Per the India Cyber Threat Report 2026 (Seqrite), education, healthcare and manufacturing together accounted for nearly 47% of all malware detections over the reporting window of October 2024–September 2025 (itvoice.in, reporting the India Cyber Threat Report 2026, published Jan 2026). Globally, ransomware activity rose roughly 30% in H1 2026 versus H1 2025, with healthcare the single most-targeted industry — driven by the fact that patient records sell for up to 10x financial records on criminal markets (The Cyber Express, 3 Jun 2026).

2. Threats targeting the sector

Qilin (Agenda) ransomware accelerates against care providers. By June 2026, Qilin had accumulated 168 confirmed healthcare-sector victims, its third-largest vertical (behind manufacturing and business services), having posted 55 victims by early 2026 and continuing double-extortion (data theft + encryption). In early June 2026 it listed multiple healthcare and medical-device victims across five countries in a single posting window.
- Exposed: Internet-facing remote access, unpatched edge appliances, weak/absent MFA on clinical and vendor accounts.
- Action: Enforce phishing-resistant MFA on all remote and vendor access; verify offline, tested backups for HIS/EMR.
- Source (with date): The Cyber Express, "Qilin and INC Ransom Drive 2026 Ransomware Surge," 3 Jun 2026.

INC Ransom sustains high-volume healthcare targeting. INC Ransom logged 47 attacks in January 2026 across healthcare, legal and public administration, continuing the data-theft pattern behind its prior multi-terabyte NHS Scotland breach.
- Exposed: Flat networks allowing lateral movement from IT into clinical systems; large unsegmented file shares.
- Action: Segment clinical VLANs from corporate IT; restrict and log SMB/file-share access.
- Source (with date): The Cyber Express, 3 Jun 2026.

Third-party / billing-vendor compromise as the dominant entry vector. Billing, lab and radiology vendors with privileged network access and weak MFA were identified as a leading source of supply-chain ransomware into healthcare across 2025–2026; over 80% of stolen protected health information was taken from third-party vendors rather than from hospitals directly.
- Exposed: Standing vendor VPN tunnels, shared service accounts, unscoped integration credentials.
- Action: Scope vendor access just-in-time; rotate integration credentials; require breach-notification clauses.
- Source (with date): Swif, "Healthcare Cybersecurity Statistics for 2026," 2026.
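The vendor-access controls above (just-in-time scoping, phishing-resistant MFA, credential rotation) are easiest to enforce when they are checked against an access export on a schedule. The script below is an added example written for this edition, not code from any of the cited sources; the CSV layout, the vendor names and the policy thresholds (30 idle days, 90-day credential age, FIDO2/PIV as the only phishing-resistant factors) are assumptions to be adapted to the hospital's own IAM export and contracts.

```python
from datetime import date, datetime

# Policy thresholds: assumptions for illustration, not figures from the newsletter.
MAX_IDLE_DAYS = 30               # standing access unused this long should be revoked
MAX_CREDENTIAL_AGE_DAYS = 90     # integration credentials older than this need rotation
PHISHING_RESISTANT = {"fido2", "piv"}

# Constructed vendor-access export (no real organisations or accounts).
# Columns: vendor,account,access_type,mfa,last_used,cred_rotated,scope
VENDOR_EXPORT = """\
vendor,account,access_type,mfa,last_used,cred_rotated,scope
BillCo,svc_billing,standing_vpn,none,2026-05-01,2025-09-10,hl7:*;smb:FINANCE;rdp:HIS-DB
LabLink,lab_integ,jit_vpn,fido2,2026-06-09,2026-05-20,hl7:orders
RadVendor,pacs_support,standing_vpn,totp,2026-06-10,2026-06-01,rdp:PACS-01;smb:IMAGES
"""


def _parse_date(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def parse_export(csv_text):
    """Turn the CSV export into a list of dicts keyed by the header row."""
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, ln.split(","))) for ln in lines[1:]]


def review_vendor_access(csv_text, as_of):
    """Return {account: [policy findings]} for every vendor account that fails a rule."""
    findings = {}
    for row in parse_export(csv_text):
        reasons = []
        if row["access_type"] == "standing_vpn":
            reasons.append("standing VPN tunnel: convert to just-in-time access")
        if row["mfa"] not in PHISHING_RESISTANT:
            reasons.append(f"MFA '{row['mfa']}' is not phishing-resistant")
        idle = (as_of - _parse_date(row["last_used"])).days
        if idle > MAX_IDLE_DAYS:
            reasons.append(f"unused for {idle} days: revoke or re-approve")
        cred_age = (as_of - _parse_date(row["cred_rotated"])).days
        if cred_age > MAX_CREDENTIAL_AGE_DAYS:
            reasons.append(f"integration credential is {cred_age} days old: rotate")
        # A wildcard in any scope entry (e.g. hl7:*) means the integration is unscoped.
        if any(entry.endswith(":*") for entry in row["scope"].split(";")):
            reasons.append("wildcard scope: restrict to the interfaces the contract needs")
        if reasons:
            findings[row["account"]] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in review_vendor_access(VENDOR_EXPORT, date(2026, 6, 15)).items():
        print(account)
        for r in reasons:
            print("  -", r)
```

Run it against the real IAM export after every vendor onboarding or contract renewal; accounts with an empty findings list are the only ones that should keep standing connectivity.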

3. Sector tech & exposures

Connected medical devices are a structural weak point. Background research (Forescout Vedere Labs, Oct 2024) found 162 IoMT vulnerabilities, with DICOM workstations/PACS showing ~32% critical unpatched flaws, and named device families including BD Pyxis, Philips PageWriter, Baxter Sigma Spectrum and Siemens Biograph. Many devices run end-of-life Windows and cannot be patched once deployed. For Indian hospitals this maps directly onto PACS/DICOM imaging, infusion pumps, patient monitors and HIS/EMR estates, often reachable from clinical networks with default or absent authentication.

4. Regulatory & compliance watch

- DPDP Rules, 2025 — notified 14 Nov 2025. Phased rollout: Data Protection Board live since 13 Nov 2025; Consent Manager framework registration provisions effective 13 Nov 2026; substantive obligations — security safeguards, 72-hour breach notification, retention/erasure, data-principal rights — at hard enforcement 13 May 2027. Health data is sensitive personal data; the maximum penalty reaches ₹250 crore for failure to maintain reasonable security safeguards. (PIB / EY / India Briefing, Nov 2025–2026.)
- CERT-In retains its 6-hour incident reporting mandate and expanded SBOM v2.0 guidance (9 Jul 2025) covering software supply-chain transparency — directly relevant to procuring secure medical-device and HIS software.
- ABDM compliance is becoming mandatory for AB-PMJAY hospitals in 2026, raising the bar on ABHA-linked data handling and consent. (EHR.Network, 2026; Tatvacare, 2026.)

5. Actor in focus — Qilin (Agenda), RaaS

- Attribution confidence: Moderate-to-high that Qilin operates as a Russia-linked ransomware-as-a-service crew using double extortion; the affiliate model means TTPs vary by operator.
- Why it matters to Indian healthcare: Qilin's healthcare victim count (168 by Jun 2026) and indiscriminate, opportunistic targeting make Indian hospitals with exposed remote access and weak MFA viable targets, even absent India-specific claims to date.
- Hallmarks: initial access via exposed services/valid accounts, data exfiltration before encryption, leak-site pressure. (The Cyber Express, 3 Jun 2026; CybelAngel, 2026.)

6. IOC & detection pack

No verified India-specific Qilin/INC IOCs against named Indian hospitals were publicly attributed in this window, so we do not transcribe uncertain indicators. Instead, work from the primary advisories:
- Qilin/INC Ransom TTP and indicator references: The Cyber Express (3 Jun 2026), CybelAngel Qilin profile (2026).
- IoMT/PACS/DICOM device-class exposure: Forescout Vedere Labs (Oct 2024) — note this is background, not a May–June 2026 event.
- Detection focus (behavioural, not host-specific): anomalous SMB enumeration, mass file reads from imaging/EMR shares, new admin account creation, volume-shadow-copy deletion, and large outbound transfers to file-sharing infrastructure. Map alerting to ATT&CK T1486 (data encrypted for impact), T1567 (exfiltration over web services), T1078 (valid accounts).
(Defanged: no live host IOCs reproduced; reference advisories above.)
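Because the pack is behavioural rather than indicator-based, it can be exercised against a SIEM export without any live IOCs. The script below is an added example written for this edition, not code from the cited advisories; it runs four of the detection-focus rules (shadow-copy deletion, new admin account, mass share reads, large outbound transfer) over constructed key=value events loosely modelled on Windows security and firewall flow logs and tags each hit with the ATT&CK IDs the pack names. The log format, the hospital's internal address ranges, the event-code conventions and the thresholds (5 files in 10 minutes, 1 GiB per flow) are assumptions to be replaced with the SOC's own.

```python
import re
from ipaddress import ip_address, ip_network
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds: assumptions for illustration; tune to the estate's baseline.
MASS_READ_FILES = 5                      # distinct files from one share by one user ...
MASS_READ_WINDOW = timedelta(minutes=10)  # ... within this window
LARGE_OUTBOUND_BYTES = 1 << 30           # 1 GiB in a single flow record
# Assumed hospital address plan: anything outside these nets is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (not from any real incident). Event codes follow Windows
# security-log conventions: 4732 group add, 4688 process creation, 5145 share access.
SAMPLE_LOGS = """\
ts=2026-06-02T01:10:00Z host=DC-01 event=4720 actor=svc_billing target=it_helper
ts=2026-06-02T01:10:05Z host=DC-01 event=4732 actor=svc_billing target=it_helper group=Administrators
ts=2026-06-02T01:12:03Z host=PACS-01 event=4688 user=svc_billing proc=vssadmin.exe cmd="vssadmin delete shadows /all /quiet"
ts=2026-06-02T01:15:00Z host=PACS-01 event=5145 user=svc_billing share=IMAGES path=2026/06/study0001.dcm
ts=2026-06-02T01:15:01Z host=PACS-01 event=5145 user=svc_billing share=IMAGES path=2026/06/study0002.dcm
ts=2026-06-02T01:15:02Z host=PACS-01 event=5145 user=svc_billing share=IMAGES path=2026/06/study0003.dcm
ts=2026-06-02T01:15:03Z host=PACS-01 event=5145 user=svc_billing share=IMAGES path=2026/06/study0004.dcm
ts=2026-06-02T01:15:04Z host=PACS-01 event=5145 user=svc_billing share=IMAGES path=2026/06/study0005.dcm
ts=2026-06-02T09:00:00Z host=PACS-01 event=5145 user=radiologist1 share=IMAGES path=2026/06/study0006.dcm
ts=2026-06-02T01:20:00Z host=FW-01 event=flow src=10.20.5.14 dst=203.0.113.10 bytes=5368709120 app=https
ts=2026-06-02T01:21:00Z host=FW-01 event=flow src=10.20.5.14 dst=10.20.9.2 bytes=7516192768 app=smb
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value line into a dict; quoted values lose their quotes, ts becomes datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "ts" in fields:
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return a list of findings, each tagged with the ATT&CK ID the pack maps it to."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = []
    reads = defaultdict(list)  # (user, share) -> [(ts, path)]
    for ev in events:
        code = ev.get("event")
        if code == "4688" and ev.get("proc", "").lower() == "vssadmin.exe" \
                and "delete shadows" in ev.get("cmd", "").lower():
            # Volume-shadow-copy deletion: the pack treats it as an encryption precursor.
            findings.append({"technique": "T1486", "rule": "shadow_copy_deletion",
                             "host": ev["host"], "user": ev.get("user"), "cmd": ev["cmd"]})
        elif code == "4732" and ev.get("group") == "Administrators":
            findings.append({"technique": "T1078", "rule": "new_admin_account",
                             "host": ev["host"], "actor": ev.get("actor"), "user": ev.get("target")})
        elif code == "5145":
            reads[(ev["user"], ev["share"])].append((ev["ts"], ev["path"]))
        elif code == "flow" and int(ev["bytes"]) >= LARGE_OUTBOUND_BYTES and not is_internal(ev["dst"]):
            findings.append({"technique": "T1567", "rule": "large_outbound_transfer",
                             "host": ev["host"], "src": ev["src"], "dst": ev["dst"], "bytes": int(ev["bytes"])})
    # Mass share reads: sliding window over each (user, share) stream, flagged once per stream.
    for (user, share), items in reads.items():
        items.sort()
        for i in range(len(items)):
            window = [p for t, p in items[i:] if t - items[i][0] <= MASS_READ_WINDOW]
            if len(set(window)) >= MASS_READ_FILES:
                findings.append({"technique": "T1567", "rule": "mass_share_reads",  # staging before exfil
                                 "user": user, "share": share, "files": len(set(window))})
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f["technique"], f["rule"], {k: v for k, v in f.items() if k not in ("technique", "rule")})
```

On the constructed sample the same service account trips every rule within eleven minutes, which is the correlation a SOC should build: one account touching admin-group membership, shadow copies, an imaging share and an external upload in one window warrants isolating the host before the encryption stage, not after.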

7. Recommended actions

Board: Treat ransomware as a patient-safety and business-continuity risk; fund segmentation and tested DR; confirm DPDP readiness ahead of the 13 May 2027 hard date and 72-hour breach reporting.
CISO: Inventory IoMT/PACS/HIS assets; enforce phishing-resistant MFA on all remote and vendor access; require SBOMs in procurement per CERT-In v2.0; align consent/data flows to ABDM and DPDP.
SOC: Hunt for the behavioural patterns above; isolate clinical VLANs; validate immutable backups; rehearse a hospital-specific ransomware runbook including CERT-In 6-hour reporting.

8. Source index

1. The Cyber Express — "Qilin and INC Ransom Drive 2026 Ransomware Surge," 3 Jun 2026.
2. Swif — "Healthcare Cybersecurity Statistics for 2026," 2026.
3. itvoice.in — India Cyber Threat Report 2026 (Seqrite) coverage (Education/Healthcare/Manufacturing ~47% of detections, Oct 2024–Sep 2025), Jan 2026.
4. PIB / EY / India Briefing — DPDP Rules, 2025 notification and phased timeline, Nov 2025–2026.
5. OPSWAT / KPMG India — CERT-In SBOM v2.0 guidance, 9 Jul 2025.
6. EHR.Network; Tatvacare — ABDM compliance mandates for 2026.
7. Forescout Vedere Labs — 162 IoMT vulnerabilities (background context), Oct 2024.
8. CybelAngel — Qilin ransomware profile, 2026.

9. Byline

Compiled by the Nirad Threat Research team. Indicators referenced from public advisories only; no leaked or stolen data is reproduced.

A. SHARMA, Nirad Threat Research

Bharat-first threat intelligence for healthcare. Stay segmented, stay patched, stay reportable.