HealthManagement, Volume 25 - Issue 5, 2025


Until very recently, the healthcare sector regarded cybersecurity primarily as a technical concern. However, the European Union and other international institutions have long recognised that protecting the healthcare sector extends far beyond mere cybersecurity. This article focuses on hybrid threats, analysing their evolving nature and the cascading effects they can trigger across multiple domains.

 

Key Points

  • Healthcare systems are recognised as critical infrastructure under EU Directive 2022/2557, requiring an all-hazards resilience approach.
  • Hybrid threats are coordinated actions mixing conventional and unconventional tools for strategic aims.
  • Ransomware attacks encrypt data and demand payment to restore access.
  • Data breaches are incidents of unauthorised access, theft or disclosure of sensitive data.
  • EU Directives set goals for member states, whereas EU Regulations apply directly in all states.

 

Framework

Until very recently, the healthcare sector regarded cybersecurity primarily as a technical concern – a matter of defending information systems from hackers seeking to disrupt operations or steal sensitive data, often for ransom. Such incidents were typically handled internally, with limited public disclosure to protect the institution's reputation. Most responses consisted of repairing the damage, strengthening digital protocols and improving data management practices. Consequently, the literature has often treated cybersecurity in healthcare as an isolated digital challenge, addressed through technical or procedural remedies.

 

As this article will explore, the European Union and other international institutions have long recognised that protecting the healthcare sector extends far beyond mere cybersecurity. The EU classified healthcare as a critical infrastructure as early as Communication 702/2004, issued in the context of the fight against terrorism. This recognition was reaffirmed in subsequent legislation, notably the NIS2 Directive (EU) 2022/2555, and further reinforced by the CER Directive (EU) 2022/2557 on the resilience of critical entities, adopted on 14 December 2022. The CER Directive, which repealed Directive 2008/114/EC, explicitly includes healthcare systems amongst the critical entities that must adopt an all-hazards approach to resilience (Baugh et al. 2021).

 

This all-hazards approach covers physical, cyber, natural and hybrid threats – an acknowledgement that contemporary risks often transcend traditional categories.

 

This article focuses on hybrid threats, analysing their evolving nature and the cascading effects they can trigger across multiple domains. The concept of cascading effects is central here: cyber incidents in healthcare rarely remain confined to the digital sphere but can rapidly propagate through institutional, economic and societal layers, producing hybrid, systemic disruptions.

 

The Hybrid Threat

 

The Comprehensive Definition

In their broadest sense, hybrid threats refer to coordinated and synchronised actions – often conducted by state or non-state actors – that deliberately combine military and non-military, conventional and unconventional instruments to achieve political or strategic objectives whilst remaining below the threshold of open armed conflict (European Centre of Excellence for Countering Hybrid Threats and European Commission Joint Research Centre 2020; NATO Emerging Security Challenges CoE 2014).

 

Such instruments may include cyberattacks, disinformation campaigns, economic coercion, political interference, sabotage or the exploitation of social and institutional vulnerabilities. The goal is not direct confrontation, but the gradual erosion of stability, legitimacy or trust within the targeted entity.

 

A defining feature of hybrid threats is their exploitation of interconnectedness and ambiguity (Wijnja 2022). Attackers use the openness of democratic systems and the reach of global communication networks to obscure attribution and hinder proportional responses. The use of proxy actors or plausible deniability further complicates accountability, allowing aggressors to act with reduced risk of retaliation.

 

This multi-domain approach challenges traditional security paradigms, demanding a holistic and adaptive response from targeted institutions (Olech 2025). In summary, hybrid threats are significant because they:

 

  • Exploit interdependence across digital, economic and social domains, complicating attribution and response.
  • Target critical infrastructures and democratic institutions, undermining trust, stability and societal resilience.
  • Cross sectoral boundaries, creating compound effects that extend beyond the initial point of attack.

 

Addressing them, therefore, requires a whole-of-society resilience framework that integrates security, intelligence, economic and civil-protection policies within a coordinated, proactive approach (European Commission 2023).

 

Healthcare as a Prime Target

At first glance, it may seem surprising that the healthcare sector could hold such strategic importance in the context of hybrid threats. A deeper analysis, however, leads to the opposite conclusion. Healthcare systems have emerged as high-value and highly vulnerable targets, combining technical fragility, societal significance and psychological impact. Several interrelated factors explain this growing exposure:

 

Critical Infrastructure Status: As recognised by the European Union and international organisations, healthcare is an essential pillar of societal resilience. Any disruption to its operations can have disproportionate consequences for public safety and social stability, making it an attractive target for adversaries seeking to cause widespread disruption and chaos.

 

Advanced Digitalisation: Beyond physical infrastructure, modern healthcare depends increasingly on interconnected digital systems – from electronic health records (EHRs) and telemedicine platforms to the vast network of the Internet of Medical Things (IoMT). This deep digital interconnection, whilst enabling efficiency and innovation, simultaneously multiplies entry points for cyber intrusion and hybrid exploitation.

 

Attractive and Sensitive Data: Medical data possess exceptional value both economically and strategically. Healthcare organisations store large quantities of protected health information (PHI), personally identifiable information (PII), financial data and intellectual property from clinical research. Stolen health records can command prices up to ten times higher than stolen credit card details on the dark web, illustrating their appeal to both criminal and state-linked actors.

 

Inadequate Resources and Human Factors: Despite its critical importance, the healthcare sector often suffers from chronic underfunding in cybersecurity and related resilience measures. Limited financial and human resources constrain staff training, threat awareness and technological upgrades, leaving systems more vulnerable than those in other critical sectors.

 

Operational Interdependence: Healthcare systems depend on a wide network of suppliers, pharmaceutical companies, logistics chains and energy infrastructures. This interdependence creates additional points of exposure and amplifies the potential for cascading effects when a node in the network is attacked or compromised (Wolff 2015).

 

Strategic and Psychological Relevance: Beyond financial motivations, targeting healthcare infrastructures serves broader strategic aims. Disrupting hospitals or health services can erode public trust, provoke anxiety and weaken confidence in national governance – producing social destabilisation with limited physical force.

 

Taken together, this unique combination of technical vulnerability, data value, interdependence and societal centrality places healthcare at the heart of the evolving hybrid-threat landscape. It is therefore not only a sector at risk but a key battleground for the defence of societal resilience in the digital age.

 

Key Dimensions of Hybrid Threats in Healthcare

The multifaceted nature of hybrid threats confronting the healthcare sector can be grouped into three principal dimensions: cyber-physical attacks, information warfare and economic-geopolitical threats. These dimensions frequently overlap and reinforce one another, creating cascade effects that transform isolated cyber incidents into complex, hybrid crises.

 

Cyber-Physical Hybrid Threats: Disruption of the Digital System

Amongst the most pressing risks are coordinated cyber-physical attacks, particularly ransomware attacks, whose frequency has escalated dramatically in recent years.

 

Impact: Since 2015, ransomware attacks on healthcare facilities have increased by more than 300% (Microsoft Corporation 2024), with the average cost of a data breach reaching nearly 10 million USD in 2024 (IBM Security and Ponemon Institute 2024). Such incidents directly endanger patient safety, leading to diverted emergency services, delayed or cancelled treatments and even loss of life – as illustrated by the WannaCry attack on the NHS and the reported 2020 fatality in an Alabama hospital.

 

Technical Vulnerabilities: Healthcare systems present a vast attack surface due to their fragmented digital ecosystem. Persistent weaknesses include continued reliance on outdated or "end-of-life" technologies that cannot be securely patched, and the rapid expansion of the Internet of Medical Things (IoMT), whose devices often lack adequate authentication or update mechanisms. These vulnerabilities make it easier for attackers to infiltrate clinical environments and disrupt essential operations.

 

Human and Organisational Vulnerabilities: Human error remains a dominant risk factor, contributing to more than 70% of data breaches (The Information Commissioner's Office). Attackers exploit this through phishing and social-engineering campaigns that target frontline staff with limited cybersecurity awareness. Consequently, technological defences must be complemented by continuous human-factor training and a culture of vigilance.

 

Supply-Chain Vulnerabilities: Adversaries increasingly adopt a "hub-and-spoke" strategy, compromising third-party vendors with weaker protections (e.g. billing or diagnostic platforms) to reach multiple healthcare providers simultaneously. The 2024 Change Healthcare ransomware attack, which crippled payment processing systems and disrupted nearly all U.S. hospitals, exemplifies this approach and its systemic impact.

 

These cases demonstrate how ransomware has evolved from an economic crime into a strategic hybrid instrument, capable of producing social, operational and geopolitical reverberations.

 

Information Warfare

In a globally connected information environment, disinformation has become a core component of hybrid warfare, complementing cyberattacks to achieve broader strategic goals (European Network of Political Foundations 2023). Disinformation refers to deliberately fabricated or manipulated information disseminated with the intent to create confusion, discord and mistrust in institutions such as governments, scientific bodies and healthcare authorities.

 

Unlike misinformation, which may spread unintentionally, disinformation is an intentional act of deception designed to inflict harm and erode public confidence.

 

The erosion of trust is both the mechanism and the objective of information warfare. The COVID-19 pandemic illustrated this dynamic vividly: an unprecedented combination of uncertainty, fear and online hyperconnectivity produced a global infodemic – an overwhelming volume of information, both accurate and false, spreading simultaneously. Studies showed that misinformation about COVID-19 vaccines correlated strongly with vaccine hesitancy and that falsehoods were 70% more likely to be shared than verified information (Vosoughi et al. 2018).

 

The Johns Hopkins Centre for Health Security's "trust-tank" model provides a useful visualisation: public trust serves as a reservoir that sustains the legitimacy of health institutions. Disinformation acts as a leak at the base of the tank, draining trust and weakening societal resilience. The process is cyclical: as trust declines, susceptibility to false narratives increases, further accelerating the drain.

 

In this way, information warfare serves both immediate objectives – such as spreading confusion during crises – and long-term strategic goals, notably the destabilisation of democratic institutions and the weakening of public compliance with future health measures.

 

 

Economic and Geopolitical Hybrid Threats and the Erosion of Societal Resilience

The economic and geopolitical dimensions of hybrid threats amplify the cascading impacts of cyber and information operations. Financial consequences can be devastating, as shown by the closure of St. Margaret's Health (Illinois) following a ransomware attack, and by the Change Healthcare incident, which had a "significant or serious" financial effect on 94% of the nearly 1,000 hospitals surveyed (American Hospitals Association 2024).

 

Operational disruptions compound these costs. Hospitals often revert to manual, paper-based procedures during crises, creating confusion, slowing patient care and degrading morale. The combined financial, technical and psychological burdens divert scarce resources away from modernisation and patient services, reinforcing a cycle of vulnerability.

 

When cyberattacks and disinformation campaigns are strategically aligned, their hybrid potential becomes evident. The cyberattack generates a tangible crisis, whilst disinformation provides a false explanatory narrative that blames authorities or external actors. This dual dynamic obscures reality, undermines institutional credibility and corrodes public trust, the cornerstone of societal resilience.

 

Ultimately, these combined effects confirm that cyber incidents in healthcare must be understood not as isolated technical disruptions, but as hybrid operations with economic, political and psychological dimensions capable of cascading across entire societies.

 

These threats manifest through coercion and the weaponisation of global supply chains. Specifically:

 

Supply Chain Fragility: The COVID-19 pandemic exposed the lack of transparency and fragility in the healthcare supply chain, a critical vulnerability that is largely exploitable.

 

Weaponisation of Resources: Geopolitical adversaries can impose trade restrictions on critical minerals essential for medical devices. A coordinated attack could combine a trade restriction with a cyberattack on software for those same devices, leading to catastrophic disruption.

 

Geopolitical Conflict: Wars create supply-and-demand uncertainties and massive delays by diverting transport ships.

 

Healthocide: The most extreme form is the deliberate destruction of healthcare services (hospitals, ambulances) as an act of war, which further obstructs supply lines and undermines the principle of medical neutrality.

 

Significant European Examples of Hybrid Threats

Real-world incidents across Europe have demonstrated that hybrid threats to healthcare are not theoretical constructs but lived realities with human, institutional and policy consequences. The following two emblematic cases – in Germany (2020) and Ireland (2021) – illustrate how cyber incidents in healthcare can trigger cascade effects that extend far beyond the digital domain, affecting operational continuity, public trust and national security frameworks.

 

The 2020 Ransomware Attack on the University Hospital of Düsseldorf (Germany)

The ransomware attack at Düsseldorf University Hospital is widely regarded as a turning point in Europe's understanding of healthcare cybersecurity. It was the first publicly known case in which a cyberattack was linked indirectly to a patient's death due to disruption of emergency care. This tragic event profoundly reshaped Germany's approach to healthcare within its civil protection and critical-infrastructure frameworks.

 

Overview and Technical Context: The attack exploited a vulnerability in a widely used Citrix Gateway – a secure remote-access point to corporate networks and applications, made by Citrix Systems and also used in hospitals to allow staff to log in remotely – enabling intruders to penetrate the hospital's IT systems. Once inside, the attackers deployed ransomware that encrypted more than 30 servers, crippling communication networks, email systems and access to medical records.

 

Operational and Human Impact

Immediate Disruption: The hospital's IT services progressively failed, forcing the facility to suspend emergency admissions and divert patients to other institutions. Hundreds of surgeries and medical appointments were postponed.

 

Fatal Consequence: A critically ill woman was redirected to a hospital nearly 30 kilometres away; the delay in treatment was later determined to have contributed to her death.

 

Resolution: Upon realising that their target was a hospital and that lives were endangered, the attackers withdrew their ransom demand and released a decryption key. Nevertheless, it took nearly two weeks to fully restore essential services.

 

Lessons and Policy Implications

The Düsseldorf incident illustrated the hybrid nature of contemporary ransomware: a cyber operation producing physical, psychological and societal consequences. It spurred German authorities to strengthen the integration of healthcare cybersecurity into national civil protection and to reinforce incident coordination between the Federal Office for Information Security (BSI) and healthcare institutions.

 

More broadly, it exposed the fragility of healthcare infrastructures operating at the intersection of medical care and digital dependence, prompting a re-evaluation of "digital health" as a vector of national security vulnerability.

 

The 2021 Ransomware Attack on Ireland's Health Service Executive (HSE)

In May 2021, the Irish Health Service Executive (HSE) – the body overseeing Ireland's public hospitals and health services – suffered one of the most severe ransomware attacks ever recorded against a national healthcare system (European Union Agency for Cybersecurity 2022). Within hours, the Conti-family ransomware had spread through the network, forcing the shutdown of nearly all IT systems.

 

Cascade Effects Across Multiple Dimensions

Although initially categorised as a criminal ransomware operation, the incident exhibited clear hybrid characteristics:

 

Digital disruption: Nationwide paralysis of hospital IT systems, including diagnostics, laboratory testing and administrative platforms.

 

Information and psychological impact: Rapid circulation of rumours and disinformation about stolen medical records, fuelling public anxiety and media sensationalism.

 

Geopolitical dimension: Attribution investigations linked the attack to a Russia-based criminal group, requiring cooperation between Europol, Interpol and national authorities – underscoring the transnational dimension of hybrid threats.

 

Crisis Management and Response

Containment: The HSE's Computer Security Incident Response Team (CSIRT) rapidly isolated networks and shut down central servers.

 

National coordination: The National Cyber Security Centre (NCSC), the Department of Health and the National Emergency Coordination Group jointly managed the response and recovery.

 

Public communication: Daily press briefings by the Irish government mitigated misinformation and maintained public trust.

 

International support: The European Union Agency for Cybersecurity (ENISA) made available its forensics experts from Europol, which, with private-sector partners, assisted in recovery. Decryption tools were later developed collaboratively.

 

Continuity of care: Emergency and oncology services were prioritised, with hospitals reverting to manual systems and regional redistribution of patients.

 

Consequences and Strategic Outcomes

Operational: Thousands of appointments were cancelled; full IT recovery required several months.

 

Financial: Estimated direct costs exceeded €100 million.

 

Reputational: The attack exposed weaknesses in Ireland's digital-health infrastructure and highlighted the vulnerability of unsegmented national networks.

 

The policy impact was significant. The incident accelerated Ireland's transposition of the NIS2 and CER Directives and led to the establishment of a permanent health-sector CSIRT. The European Union Agency for Cybersecurity (ENISA) analysed the case in its report On the Watch for Incident Response Capabilities in the Health Sector (2022), identifying it as a benchmark example of cross-sectoral cooperation. It was later referenced by the European Commission (2023) in the NIS2 Implementation Guidance as a case study in systemic healthcare resilience.

 

Both the Düsseldorf and HSE incidents underscore that ransomware operations against healthcare systems cannot be viewed as isolated acts of cybercrime. Each event triggered multi-domain cascade effects – from digital paralysis to operational collapse, psychological distress and legislative reform. These cases also stress that healthcare has become a strategic target within the hybrid-threat landscape, where the boundaries between cyberattacks, public communication crises and geopolitical influence operations are increasingly blurred.

 

Key EU Legal and Policy Instruments

The EU "Resilience Triad"

Since 2022, the European Union has consolidated its approach to hybrid threats and the protection of critical infrastructures through a coordinated legal framework consisting of three core instruments: the NIS2 Directive (EU) 2022/2555, the CER Directive (EU) 2022/2557 and the DORA Regulation (EU) 2022/2554.

 

Although DORA was primarily designed for the financial sector, its logic – ensuring operational resilience against ICT-related incidents – complements NIS2 and CER, forming what experts have called the EU "Resilience Triad" (Wolff 2015). Together, these instruments create a cross-sectoral architecture that underpins the Union's hybrid-threat preparedness and reinforces the security of healthcare and other essential services.

 

Collectively, they mark a paradigm shift from reactive cybersecurity to integrated resilience governance, aligning digital, physical and organisational protection mechanisms across sectors.

 

 

Member States' Duties

Under Article 3(4) of the CER Directive, healthcare institutions – including hospitals, clinics and laboratories – are formally designated as critical entities due to their essential role in maintaining public safety and societal stability.

 

Accordingly, Member States are required to:

  • Conduct national risk assessments (Article 5) (Guihenneuc et al. 2022).
  • Designate competent authorities and single points of contact (Article 10).
  • Ensure that critical entities implement resilience measures (Articles 11–13), including redundancy of essential services (energy, water), staff security vetting and crisis communication capabilities.

 

These obligations operate in synergy with NIS2, which strengthens the cyber resilience dimension, notably through:

  • mandatory incident notification (Article 23),
  • supply-chain risk management (Article 21) and
  • participation in EU-CyCLONe, the network connecting the national authorities responsible for managing large-scale cyber incidents, which plays an important coordinating role during major cyber crises in the EU.

 

Together, these directives create a multi-layered regulatory system linking digital defence, operational continuity and national emergency response.

 

Coordination with Civil Protection and Ministries

The CER Directive (Article 15) and the Union Civil Protection Mechanism (UCPM, Decision No. 1313/2013/EU) ensure interoperability between national resilience systems and EU-level emergency coordination (Ratsiborynska 2021). In practice, this coordination framework operates through:

  • Hospitals and healthcare entities notifying national CSIRTs and competent ministries under NIS2 protocols.
  • Parallel alert channels to civil protection authorities to maintain the continuity of essential services such as energy, water and transport.
  • Cross-border information exchange via CECiS, the EU-CyCLONe and the CSIRTs Network, ensuring shared situational awareness.
  • Integration of critical-entity resilience into local and municipal emergency plans.

 

This architecture promotes a "whole-of-government" and "whole-of-society" approach to resilience – essential principles when facing hybrid threats that transcend traditional sectoral boundaries (Clingendael Institute 2022).

 

 

Relevance of DORA Principles

Although the DORA Regulation targets the financial sector, its methodological framework has begun to influence resilience planning in healthcare and other public sectors (Wolff 2015). Its main contributions include:

 

Testing and Simulation Frameworks: adoption of threat-led penetration testing (TLPT) for critical systems.

 

Third-Party Provider Oversight: enhanced supervision of outsourced IT and cloud services – highly relevant for hospitals using external vendors.

 

Harmonised Incident Taxonomy: establishment of shared reporting standards that facilitate cross-sector comparison and interoperability between finance, energy and healthcare.

 

The European Commission and ENISA have explicitly encouraged the horizontal convergence of NIS2, CER and DORA mechanisms, recognising that hybrid threats frequently cross sectoral and national borders (European Commission 2023). For example, a cyberattack on a health-insurance database could paralyse hospital billing systems and disrupt pharmaceutical supply chains.

 

Taken together, the NIS2, CER and DORA frameworks reflect a new strategic paradigm in EU security governance – one that moves from fragmented crisis response to integrated, anticipatory resilience.

 

For the healthcare sector, this evolution signifies recognition of hospitals and medical networks not merely as service providers, but as critical pillars of societal security. The "Resilience Triad" thus embodies the EU's institutional response to the hybridisation of threats in an era of digital interdependence.

 

The Multi-Level Measures of International Entities

The hybrid-threat landscape extends well beyond the borders of the European Union. It is increasingly addressed through multi-level governance, where security, public health and information management converge. Both NATO and the World Health Organization (WHO) have developed frameworks that complement EU policy instruments by promoting whole-of-society and globally coordinated resilience.

 

NATO and the "Whole-of-Society" Defence

NATO's strategy for countering hybrid threats emphasises national resilience and civil preparedness as essential enablers of collective defence (NATO Emerging Security Challenges CoE 2014). The Alliance recognises that contemporary conflicts often target societies rather than armies and therefore require an integrated civilian-military response.

 

This approach is encapsulated in NATO's "Whole-of-Society" defence concept, which mobilises civil, military and political actors to anticipate, withstand and recover from hybrid attacks. Within this framework:

  • Civil preparedness is treated as a strategic pillar of deterrence, complementing military capabilities.
  • NATO assists Allies in assessing and enhancing resilience across seven baseline requirements, including energy supply, food and water systems, communications and the continuity of government and essential services.
  • Centres of Excellence (CoEs) function as hubs of expertise in specific domains – including cyber defence (Tallinn), strategic communications (Riga) and military medicine (Budapest).
  • The European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) in Helsinki serves as a joint EU-NATO platform supporting member states in developing cross-sectoral and civil-military resilience (European Centre of Excellence for Countering Hybrid Threats and European Commission Joint Research Centre 2020).
  • Counter-Hybrid Support Teams provide tailored assistance to Allies facing complex hybrid campaigns, combining cyber forensics, information analysis and operational guidance.

 

NATO has also strengthened cooperation with the European Union on cyber defence, resilience and strategic communications. However, one persistent challenge remains: the exchange of classified intelligence between institutions, which can limit the creation of shared situational awareness and joint threat assessments. Addressing this constraint is vital to improving the coherence of transatlantic hybrid-threat management.

 

The World Health Organization's "Infodemic Management Framework"

The World Health Organization (WHO) has confronted a different but equally strategic dimension of hybrid threats – the weaponisation of information during health crises. In response, it developed the Infodemic Management Framework, a systematic approach to mitigating the spread of false or misleading information and strengthening societal resilience through trusted communication.

 

The framework is structured around four key pillars:

  1. Listening to community concerns and questions – employing social-listening and media-monitoring tools to detect emerging narratives and "information voids" that can be exploited by disinformation actors.
  2. Promoting understanding of risk and expert guidance – collaborating with technology platforms, governments and media outlets to amplify verified public-health information and ensure that credible sources dominate the information space.
  3. Building resilience to misinformation – advancing digital and health literacy programmes to empower individuals and communities to evaluate sources critically and share reliable content.
  4. Engaging and empowering communities – fostering partnerships with social-media providers, law-enforcement agencies and civil-society organisations to counter harmful narratives and rebuild long-term trust in institutions.

 

The WHO is also institutionalising the scientific discipline of infodemiology to study and quantify the dynamics of information flows during health emergencies. Through initiatives such as the EARS (Early AI-Supported Response) platform, the WHO detects misinformation in real time and coordinates with networks of fact-checking organisations across multiple languages and regions.

 

By integrating behavioural science, data analytics and community engagement, the WHO's framework transforms infodemic management from a reactive communication exercise into a strategic pillar of global health security – directly supporting resilience against hybrid threats in the digital information domain.

 

Together, NATO and the WHO embody two complementary dimensions of hybrid-threat governance:

  1. NATO focuses on institutional and infrastructural resilience through whole-of-society defence and civil preparedness.
  2. WHO advances informational and societal resilience through infodemic management and trust restoration.

 

Both approaches converge towards the same strategic goal: building integrated, proactive resilience across societies – where cybersecurity, public health and information integrity are no longer separate domains, but interdependent components of global hybrid-threat defence.

 

Hospitals and Healthcare Infrastructures: the Path Towards Integrated Proactive Resilience

The growing body of research on hybrid threats to healthcare systems highlights that traditional security approaches are no longer sufficient. Reactive, siloed defences fail against coordinated, multifaceted attacks that target the very foundations of society. To counter these threats, healthcare organisations must adopt a proactive, integrated and holistic strategy that combines intelligence, infrastructure, societal engagement and emerging technologies.

 

Enhancing Strategic Intelligence and Awareness

Effective defence begins with a comprehensive understanding of the threat landscape (Cyble 2025). Moving from reactive mitigation to proactive preparedness requires continuous monitoring, intelligence analysis and information sharing across public and private sectors. This includes not only aggregating data but also ensuring that key societal actors – civil, military and political – can absorb and act on intelligence effectively.

 

A "whole-of-society" approach is essential, bringing together diverse actors to identify vulnerabilities and anticipate their potential impact (European Commission 2023). Research plays a critical role in developing this cross-cutting understanding, ranging from epidemiological modelling to threat simulations, providing actionable insights that improve readiness (ResearchGate 2022). Establishing an integrated intelligence ecosystem is therefore a cornerstone of anticipating and countering hybrid threats.

 

Fortifying Critical Infrastructure

Resilient healthcare systems require robust digital and physical infrastructure. Studies indicate that outdated legacy systems and insufficient strategic investment create a broad and easily exploitable attack surface (Universidad de Navarra Global Affairs 2024). Key measures to fortify infrastructure include:

 

Investing in IT modernisation: Healthcare organisations must transition from vulnerable legacy systems to secure, interoperable technologies. Cybersecurity should be treated not merely as a technical issue but as a core patient safety, enterprise risk and strategic priority.

 

Securing the digital supply chain: Robust governance, contractual oversight and verifiable compliance mechanisms are essential to manage third-party vendor risks and move beyond self-attestation.

 

Strengthening the physical supply chain: Healthcare supply chains are often fragile, dependent on single sources for critical materials (XDI 2023; European Environment Agency 2024). Strategies to improve resilience include enhancing transparency across providers, manufacturers and distributors, diversifying supplier portfolios and establishing strategic stockpiles to ensure availability during geopolitical or economic disruptions.

 

Building Societal Resilience

Hybrid threats exploit social vulnerabilities, particularly public trust and information reliability (European Papers Forum 2024; GlobalPolicy 2025). Disinformation erodes confidence in healthcare systems, weakening societal response capabilities. Building societal resilience requires:

 

Empowering trusted messengers: Clinicians and healthcare workers are highly trusted sources of information. Organisations should train staff to proactively engage the public, provide accurate guidance via media platforms and collaborate with community groups to develop localised, evidence-based health messages.

 

Promoting digital and health literacy: Individuals must learn to critically evaluate information and pause before sharing content online. Educators, media organisations and journalists should reinforce evidence-based educational programmes that equip the public to resist misinformation (Hybrid CoE 2025; Robert Schuman Foundation 2024).

 

The Future of Resilience: AI and Emerging Threats

Artificial Intelligence (AI) will play an increasingly central role in hybrid threat landscapes, serving both offensive and defensive purposes. Adversaries leverage AI to automate reconnaissance, scale attacks and deploy sophisticated social engineering tools such as deepfakes or poisoned data feeds. The integration of AI with operational technology (OT) in healthcare creates new high-consequence risks that could destabilise critical systems.

 

Conversely, AI offers transformative opportunities for defence. AI-powered cybersecurity solutions can automate network mapping, vulnerability detection and real-time anomaly monitoring. Machine learning algorithms analyse vast volumes of threat data to identify both known and novel attack patterns that may elude human analysts. AI also enhances third-party risk management by continuously monitoring vendor security postures and compliance, reducing supply chain vulnerabilities.

 

Deploying AI-driven defence mechanisms, whilst maintaining ethical and regulatory safeguards, is critical to preparing healthcare systems for increasingly autonomous hybrid threats.

 

Integrating strategic intelligence, fortified infrastructure, societal engagement and AI-enabled defences allows healthcare systems to transition from reactive vulnerability to proactive resilience. Only through this comprehensive, forward-looking approach can hospitals and healthcare infrastructures withstand evolving hybrid threats and safeguard societal well-being.

 

Conclusion

Cyberattacks targeting healthcare systems cannot be confined to purely digital events. Their impacts unfold through cascading effects that simultaneously disrupt technological infrastructures, medical operations, institutional governance and public trust. This cascade effect transforms cyber incidents into genuinely hybrid threats, where the digital, informational and societal dimensions are interdependent and mutually reinforcing.

 

Understanding cyber incidents through this hybrid lens is essential for designing coherent prevention and response strategies. The lessons from recent European cases reveal that resilience cannot rely solely on cybersecurity measures, but must integrate strategic intelligence, cross-sectoral coordination and societal preparedness. Building such integrated and proactive resilience represents not only a technical necessity but a strategic imperative for safeguarding global health security in an era where hybrid threats have become the new normal.

 

Acknowledgement

Dr. Eng. Daniela Pedrini and Dr. Simone Anise Dany Agger assisted in advising on the article's structure and in its further development. Research assistance and bibliographic support were provided through OpenAI's ChatGPT (GPT-5 model, 2025). An AI large language model (Gemini by Google) was also used to assist with the research.

 

Conflict of Interest

None.


References:

Baugh J, Kemen K, Messervy J, Biddinger P (2021) Beyond the Hazard Vulnerability Analysis: Preparing Health Systems for Climate Change. R I Med J. 104(9):55–59.

European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) & European Commission Joint Research Centre (2020) The Landscape of Hybrid Threats: A Conceptual Model.

European Network of Political Foundations (ENoP) (2023) Hybrid Threats to Democracy in Europe – Russian and Chinese Influence in the EU Neighbourhood.

Guihenneuc J, Ayraud-Thevenot S et al. (2022) Climate change and health care facilities: A risk analysis framework through a mapping review. Environ Res. 216(Pt 3):114709.

NATO Emerging Security Challenges CoE (2014) Hybrid threats: overcoming ambiguity, building resilience.

Olech A (2025) Hybrid threats to critical infrastructure in the European Union. Selected Hybrid CoE analyses. Terrorism – Studies, Analyses, Prevention.

Ratsiborynska V (2021) EU-NATO and the Eastern Partnership countries against hybrid threats: From the EU Global Strategy till the war in Ukraine. Horizon Insights, 4(4).

Vosoughi S, Roy D, Aral S (2018) The spread of true and false news online. Science. 359(6380):1146–1151.

Wijnja K (2022) Countering Hybrid Threats: Does Strategic Culture Matter? Defence Studies.

Wolff G (2015) Hybrid and Cyber-Security Threats and the EU's Financial System. Journal of Financial Regulation.


Webography:

American Hospitals Association (2024) Survey. March 2024.

Clingendael Institute (2022) Realising the EU Hybrid Toolbox: opportunities and pitfalls (accessed: 14 November 2025). Available from clingendael.org/publication/realising-eu-hybrid-toolbox-opportunities-and-pitfalls

Cyble (2025) Hybrid Threats and AI Form the DNA of EU's Organised Threat Landscape in 2025 (accessed: 14 November 2025). Available from cyble.com/blog/hybrid-threats-eu-socta-2025-report/

EUR-Lex (2018) Joint Communication: Increasing resilience and bolstering capabilities to address hybrid threats (accessed: 14 November 2025). Available from eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52018JC0016

European Commission (2023) NIS2 Implementation Guidance.

European Commission – Defence Industry and Space (2025) Hybrid Threats (accessed: 14 November 2025). Available from defence-industry-space.ec.europa.eu

European Commission / JRC (2023) Hybrid Threats: A Comprehensive Resilience Ecosystem (CORE) model (accessed: 14 November 2025). Available from publications.jrc.ec.europa.eu/repository/handle/JRC129019

European Environment Agency (2024) European Climate Risk Assessment (accessed: 14 November 2025). Available from eea.europa.eu/en/analysis/publications/european-climate-risk-assessment

European Papers Forum (2024) Let's Call It What It Is: Hybrid Threats and Instrumentalisation (accessed: 14 November 2025). Available from europeanpapers.eu/europeanforum/lets-call-it-what-it-is-hybrid-threats-and-instrumentalisation

European Union Agency for Cybersecurity (ENISA) (2022) On the Watch for Incident Response Capabilities in the Health Sector.

GlobalPolicy (2025) Hybrid Threats in Europe: Zersetzung Writ Large (accessed: 14 November 2025). Available from globalpolicyjournal.com/blog/04/06/2025/hybrid-threats-europe-zersetzung-writ-large

Hybrid CoE (2025a) All Publications (accessed: 14 November 2025). Available from hybridcoe.fi

Hybrid CoE (2025b) Hybrid Influence (accessed: 14 November 2025). Available from hybridcoe.fi/hybrid-influence/

IBM Security and Ponemon Institute (2024) Cost of a Data Breach Report 2024. Armonk, NY.

Microsoft Corporation (2024) U.S. Healthcare at risk: Strengthening Resiliency Against Ransomware Attacks. Redmond, WA.

ResearchGate (2022) Contemporary research on hybrid threats (Systematic Literature Review) (accessed: 14 November 2025). Available from researchgate.net

Robert Schuman Foundation (2024) Hybrid threats: the new horizons for a 'Europe of internal security' (accessed: 14 November 2025). Available from robert-schuman.eu/en/european-issues/787-hybrid-threats-the-new-horizons-for-a-europe-of-internal-security

The Information Commissioner's Office (UK) Data breach statistics.

Hernández Calabrés S (2023) Cybersecurity and hybrid warfare: Expanding the spectrum. Universidad de Navarra Global Affairs (accessed: 14 November 2025). Available from en.unav.edu/web/global-affairs/ciberseguridad-y-guerra-hibrida-la-ampliacion-del-espectro

XDI (2023) Global Hospital Infrastructure Physical Climate Risk Report. XDI, December 3 (accessed: 14 November 2025). Available from xdi.systems/news/2023-xdi-global-hospital-infrastructure-physical-climate-risk-report