
Sick Leave for Hackers: How Russian Medicine Gets Infected Through Email

Russian healthcare has been hit by a large-scale cyberattack. Hackers are sending medical institutions emails disguised as official correspondence with an insurance

AI-processed from CNews AI; edited by Hamidun News
Source: CNews AI. Collage: Hamidun News.

Imagine a typical day for a doctor in a state or large private clinic. A queue in the corridor, endless reports and information systems that don't always work perfectly. In this chaos, an email from an insurance company or a request from a neighboring hospital seems routine, demanding immediate attention. It is precisely on this psychological vulnerability—the rush and trust in official correspondence—that a new wave of attacks on Russia's healthcare sector is built. Hackers have stopped striking broadly and have switched to intricate social engineering, where the cost of a mistake is complete control over the internal network perimeter.

The essence of the scheme is simple and effective. Dozens of medical organizations receive emails that look as legitimate as possible. The topics are always "hot": document verification with insurers, new treatment protocols, or requests about specific patients. Inside is an archive or document that supposedly needs to be reviewed. As soon as an employee opens the attachment, a remote administration Trojan is silently installed on the computer. These tools allow cybercriminals to see the victim's screen, copy files, record keystrokes and, most dangerously, use the compromised node as a launching point for an attack on the entire internal hospital network.
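A mail-gateway triage for the kind of lure described above, as an added example that is not part of the original article: it flags failed sender authentication, a Reply-To on a different domain than the visible sender, and archive or active-content attachments. The extension list, the `.example` domains and both sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Container and active-content extensions (assumed list; tune per site).
RISKY_EXT = (".zip", ".rar", ".7z", ".iso", ".docm", ".xlsm", ".lnk", ".js", ".exe")

def domain(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_bytes):
    """Return the reasons to quarantine a message; an empty list means deliver."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # 1. SPF/DKIM/DMARC verdicts stamped by the receiving gateway. Assumes the
    #    gateway strips Authentication-Results headers supplied by the sender.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        verdict = m.group(1) if m else "missing"
        if verdict != "pass":
            reasons.append(f"{mech}={verdict}")
    # 2. Replies redirected to a different domain than the visible sender.
    frm, reply = domain(msg["From"]), domain(msg["Reply-To"])
    if reply and reply != frm:
        reasons.append(f"reply-to {reply} differs from sender {frm}")
    # 3. Attachments that are archives or can run code when opened.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"risky attachment {name}")
    return reasons

def sample(lure=True):
    """Constructed test message: insurer-themed lure, or a clean counterpart."""
    m = EmailMessage()
    m["From"] = "Claims Desk <claims@insurer.example>"
    if lure:
        m["Reply-To"] = "claims@insurer-docs.example"
        m["Authentication-Results"] = "mx.clinic.example; spf=softfail; dkim=none; dmarc=fail"
        name, subtype = "act.zip", "zip"
    else:
        m["Authentication-Results"] = "mx.clinic.example; spf=pass; dkim=pass; dmarc=pass"
        name, subtype = "act.pdf", "pdf"
    m.set_content("Please review the attached document.")
    m.add_attachment(b"constructed", maintype="application", subtype=subtype, filename=name)
    return m.as_bytes()
```

Calling `triage(sample())` lists every reason the constructed lure would be held, while `triage(sample(lure=False))` returns an empty list.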

Why is this happening now? Healthcare digitization in Russia has made a giant leap over the past few years, but cybersecurity has often lagged behind the implementation of new services. Unified state healthcare systems (EGISZ) and local medical information systems (MIS) have become critically important. If previously stealing a paper patient card was a local problem, today hacking a single terminal in the registration office could paralyze an entire clinic or leak data on hundreds of thousands of people to dark forums.

It must be understood that medicine is an industry with an extremely low barrier to entry for hackers through the "human factor." Doctors are trained to save lives, not to recognize fake email server headers. Moreover, the consequences of a successful attack here can be far more serious than in retail or even in banks. A compromised computer in an operating room or MRI department is no longer a matter of theft, but a direct threat to patient safety. If cybercriminals decide to encrypt data and demand a ransom (ransomware), hospital operations will literally stop.

Previously, such attacks were often attributed to the activities of lone troublemakers, but the current campaign looks like the work of professional groups. The use of specific context related to insurance companies suggests that attackers have studied the business processes of Russian medical institutions in advance. They know which emails won't raise suspicion and exactly who will open them. This turns ordinary phishing into a targeted operation to gather data or prepare for large-scale sabotage.

What does this mean for the industry? The period of "childhood" digitization, when the main goal was simply to implement software, has ended. Now medical institutions will have to spend as much on IT security as banks do, or trust in digital medicine will be undermined by the first major disaster. The problem is that cybersecurity budgets in healthcare are traditionally distributed on a residual basis. Hackers know this and are taking advantage of the moment while the doors to digital wards remain essentially open.

Bottom line: Information security in medicine has ceased to be the concern of system administrators alone. Now it is a question of organizational survival, where the weakest link remains an ordinary click on an "official" email.
