FBI’s Andrew Bailey on AI-Driven Cyber and Physical Threats to Healthcare—and How to Respond Now
If you felt like 2025 was the year cyber risk in healthcare went from serious to existential, you’re not imagining it. In a candid discussion hosted by the American Hospital Association (AHA), FBI Co-deputy Director Andrew Bailey put it bluntly: healthcare is the most-targeted critical infrastructure sector, ransomware is still surging, and adversaries are now weaponizing AI to scale their attacks. The threat isn’t just digital, either—Bailey warned about a hybrid risk landscape where cyber and physical violence increasingly intertwine.
So where does that leave hospitals, health systems, and clinics with legacy systems, constrained resources, and life-or-death operations? Let’s unpack the key insights from Bailey’s briefing—and turn them into a practical playbook you can act on today.
Source: Read AHA’s coverage of Bailey’s remarks here: FBI Co-deputy Director Andrew Bailey discusses current cyber and physical threats, rise of AI
Why Healthcare Has the Biggest Target on Its Back
According to Bailey, healthcare topped all critical infrastructure sectors for cybercrime in 2025, driven heavily by ransomware attacks. FBI data shows a 30% year-over-year increase in healthcare ransomware incidents—an alarming trend fueled by a lucrative criminal market and geopolitical tensions that embolden state-sponsored activity.
What makes healthcare such an attractive target?
- High-stakes operations: Downtime can endanger lives and delay critical care, raising pressure to pay ransoms quickly.
- Complex attack surface: Electronic health records, networked medical devices, and sprawling vendor ecosystems offer numerous entry points.
- Legacy tech debt: Many providers still operate systems that are hard to patch, segment, or monitor effectively.
- Data value: Protected health information (PHI) can be monetized for years via fraud and extortion schemes.
The Ransomware-As-A-Service Engine
Bailey pointed to Russian-speaking ransomware-as-a-service (RaaS) groups as the dominant force behind many healthcare intrusions. RaaS lowers the barrier to entry, letting affiliates “rent” payloads, infrastructure, and playbooks. That means:
- Faster, more frequent attacks
- Sophisticated tooling available to less-skilled operators
- Rapid adoption of new exploitation techniques and AI-enabled workflows
When you combine those dynamics with healthcare’s urgency, the calculus is grim: adversaries know they can force critical decisions under extreme time pressure.
The Downtime Dilemma
If an emergency department loses EHR access, imaging systems lock up, or medication dispensing halts, it’s not “just IT.” It’s patient safety, clinical credibility, and community trust on the line. That’s precisely why attackers target healthcare: it’s disruption with leverage.
The AI Acceleration: How Adversaries Are Using Artificial Intelligence
Bailey’s most urgent warning? Malicious actors are integrating AI to automate core attack phases—reconnaissance, intrusion, social engineering, and exploitation.
Here’s how that shows up on the ground:
Automated Reconnaissance and Intrusion
- Scaled scanning: AI-assisted tools crawl for exposed services, misconfigurations, and known vulnerabilities at machine speed.
- Faster footholds: Generative AI helps adapt phishing lures and payload delivery in near real time, tailored to your org’s language and context.
Deepfakes and Social Engineering
- Voice cloning of executives, clinicians, or vendors to approve wire transfers or request emergency access
- Video deepfakes to “verify” urgent purchase orders or override normal controls
- Convincing spoofed identities to trick help desks into resetting MFA or granting privileged access
These tactics exploit trust relationships in hospitals—where urgent requests and life-or-death decisions are routine.
Automated Vulnerability Exploitation
- Attackers can chain known weaknesses across apps, VPNs, and medical device gateways faster than ever
- AI helps them prioritize the “blast radius” for maximum uptime disruption or data theft
Bottom line: AI lets threat actors go wider and deeper, with less effort, higher realism, and fewer mistakes.
The Hybrid Threat: Where Cyber and Physical Risks Converge
Bailey also flagged an alarming trend: cyber incidents are colliding with physical risks, including violence against healthcare workers and threats to facilities. Consider:
- A ransomware event that disrupts security cameras or access control systems
- Fake bomb threats or swatting attempts amplified by social media deepfakes
- Coordinated harassment campaigns exploiting leaked PHI to target staff
This hybrid landscape requires tighter coordination between CISOs, emergency management, clinical leadership, and security teams—before an incident occurs.
What the FBI and AHA Recommend Right Now
In conversation with AHA national advisor for cybersecurity and risk John Riggi, Bailey emphasized several immediate safeguards that blunt the most common attack paths.
1) Strengthen Identity and Access
- Turn on multi-factor authentication (MFA) everywhere—especially for VPNs, email, EHR admin access, and remote management tools
- Prefer phishing-resistant MFA (e.g., FIDO2 security keys) for privileged accounts
- Enforce least privilege and just-in-time (JIT) access for admins
- Audit stale, shared, or orphaned accounts monthly
Helpful resources:
- CISA’s Stop Ransomware guidance: https://www.cisa.gov/stopransomware
2) Harden Endpoints and Your Network
- Deploy endpoint detection and response (EDR/XDR) with 24/7 monitoring
- Segment clinical networks from admin and guest traffic; isolate high-value assets (EHR, PACS, med device controllers)
- Lock down remote management tools; disable unused protocols
- Implement allow-listing for critical servers and med device networks
3) Build Incident Response Muscle
- Create and test a ransomware playbook (tabletop every quarter)
- Pre-stage offline contact info for the FBI, CISA, EHR vendors, MSPs, and cyber insurance
- Decide in advance who can declare an incident and who speaks externally
- Practice “EHR down” workflows clinically, not just on paper
Key contacts:
- FBI field offices: https://www.fbi.gov/contact-us/field-offices
- FBI Internet Crime Complaint Center (IC3): https://www.ic3.gov
4) Resilient Backup and Rapid Recovery
- Maintain immutable, offline backups for EHR databases, imaging, and critical configs
- Test bare-metal and application-level recovery monthly
- Separate backup credentials and infrastructure from production
- Document “minimum viable clinical operations” and recovery sequencing
5) Patch and Vulnerability Management that Matches Reality
- Prioritize internet-facing assets and high-impact vulnerabilities
- Use maintenance windows aligned to clinical downtimes
- Track end-of-life systems; isolate or virtualize where immediate upgrades aren’t possible
- Consider managed vulnerability services to keep pace
6) Email, Web, and Social Controls
- Enable DMARC/DKIM/SPF to reduce spoofing
- Use URL detonation and attachment sandboxing
- Block lookalike domains; monitor brand abuse
- Train help desk to authenticate voice requests—even “urgent” ones
Zero Trust for Healthcare: Practical, Not Perfect
Bailey called out zero-trust architecture (ZTA) as a strategic imperative. In healthcare, perfection is unrealistic—but targeted progress is not.
Here’s a pragmatic roadmap:
Phase 1 (0–6 months): Know and Control the Essentials
- Identity: Centralize SSO, enforce MFA, and inventory privileged accounts
- Devices: Gain visibility (including unmanaged med devices); tag risk levels
- Data: Identify crown jewels (EHR, imaging archives, pharmacy, lab systems)
- Network: Implement VLANs/microsegmentation for critical assets
- Access: Enforce conditional access policies (device posture + user role)
Phase 2 (6–12 months): Reduce Implicit Trust
- Move to role-based and attribute-based access controls for critical apps
- Implement per-session risk scoring for remote access
- Deploy segmentation gateways around EHR and med device networks
- Start decrypting and inspecting east-west traffic where feasible
Phase 3 (12–24 months): Continuous Verification
- Automate policy updates based on user behavior and device health
- Expand data loss prevention (DLP) for PHI across email and cloud
- Integrate SIEM/SOAR to orchestrate fast, consistent responses
Reference frameworks:
- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
- HHS 405(d) Health Industry Cybersecurity Practices (HICP): https://405d.hhs.gov/
Testing What Matters: Pen Tests, Red Teams, and Purple Teams
Bailey urged regular penetration testing tailored for healthcare. Focus on:
- Realistic attack paths: Phishing to EHR admin, vendor portal to privilege escalation, or a pivot from the medical device segment
- Incident response timing: How quickly can you detect, contain, and recover?
- Gaps in identity verification: Can the help desk be social-engineered?
- Backup integrity: Can you restore known-good images fast?
Purple teaming—collaboration between offense and defense—helps translate findings into playbook updates and SIEM detections.
Helpful resources:
- MITRE ATT&CK for adversary tactics and detections: https://attack.mitre.org/
AI Threats Meet Real-World Clinics: Scenarios to Prepare For
- Deepfake CFO call authorizing an emergency wire for “ransom negotiation” with a spoofed invoice
- Voice-cloned physician requests an urgent override of pharmacy dispensing controls
- AI-crafted phishing lures “from the EHR vendor” with convincing maintenance notices
- Automated scanning finds an unpatched VPN gateway, escalates to domain admin within hours
Defenses that help across scenarios:
- Out-of-band verification for financial and access requests
- Phishing-resistant MFA, especially for admins and remote access
- Vendor change control: No blind trust in “emergency patches”
- Segmentation and EDR to limit lateral movement
- Human-in-the-loop approvals for high-risk actions
Public-Private Partnerships You Should Join
Bailey underscored the power of intelligence sharing and rapid escalation. Build these relationships before you need them:
- Health-ISAC: Sector-specific threat intel and peer collaboration https://h-isac.org/
- HHS HC3: Alerts, threat briefs, and best practices for healthcare https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html
- CISA Shields Up/Stop Ransomware: Playbooks, advisories, and tools https://www.cisa.gov/stopransomware
- FBI Field Offices and IC3: Rapid reporting and coordination https://www.fbi.gov/contact-us/field-offices, https://www.ic3.gov
- FDA Med Device Cybersecurity: Guidance for manufacturers and providers https://www.fda.gov/medical-devices/cybersecurity
Also keep the AHA’s cyber guidance on your radar: https://www.aha.org/
A 30/60/90-Day Action Plan for Healthcare Leaders
You don’t need to do everything at once. You do need to start.
First 30 Days: Reduce the Biggest Risks Fast
- Turn on MFA for remote access, email, and admin accounts
- Identify and isolate high-value assets (EHR, PACS, domain controllers)
- Lock down remote management tools and disable unused services
- Validate backups are offline/immutable and test one critical restore
- Conduct an “EHR down” tabletop and close obvious gaps
- Train help desk to challenge any urgent voice requests; issue a callback policy
- Subscribe to Health-ISAC and HC3 alerts; join weekly threat briefings
Days 31–60: Build Detection and Response Capability
- Deploy or tune EDR across servers and endpoints
- Establish SIEM use cases mapped to MITRE ATT&CK
- Patch or isolate internet-facing systems with critical vulnerabilities
- Catalogue third-party vendors with privileged access; enforce MFA and logging
- Stand up a phishing-resistant MFA pilot for admins
- Establish an incident war room protocol and on-call rotations
Days 61–90: Validate and Mature
- Run a focused penetration test on your top three attack paths
- Implement microsegmentation for the EHR and med device subnets
- Expand backup coverage to include configs and IaC artifacts
- Roll out role-based access for top clinical and admin apps
- Prepare Board-level metrics and a one-page cyber resilience narrative
Metrics That Matter to Boards, Regulators, and Clinicians
- Mean time to detect/contain ransomware simulations
- MFA adoption rate (overall and for privileged accounts)
- Percentage of internet-facing critical vulnerabilities remediated within SLA
- Tested recovery time for EHR and imaging systems
- Phishing resilience: Report-to-click ratio and dwell time
- Third-party assurance: Percentage of critical vendors with MFA, logging, and incident notification clauses
- Segmentation coverage for high-value assets
These are not vanity numbers; they tell a story about patient safety and operational resilience.
Policy, Compliance, and Framework Alignment
Frameworks don’t stop attackers—but they align teams and budgets:
- NIST CSF 2.0 as your backbone: Identify, Protect, Detect, Respond, Recover https://www.nist.gov/cyberframework
- HHS 405(d) HICP for healthcare-specific practices https://405d.hhs.gov/
- Map controls to HIPAA Security Rule safeguards and your risk analysis
- Use CISA’s ransomware guidance to validate your technical baselines
Compliance is the floor. Resilience is the goal.
Governance: Getting Leadership and Clinicians on the Same Page
- Appoint a cross-functional cyber steering committee (CISO, CIO, CMIO/CNIO, COO, Legal, Comms, Security)
- Tie cyber risks to clinical outcomes in Board updates; quantify downtime costs
- Align change windows to clinical realities; co-design with frontline staff
- Celebrate early wins: faster restore times, phishing-resistant MFA for admins, or segmented EHR zones
Leadership buy-in isn’t a “nice to have.” It’s the difference between plans and progress.
What Makes Healthcare Different—and What to Do About It
- Life safety: Build clinical workarounds and paper-down procedures into IR
- Legacy systems: Segment, monitor, and plan lifecycle upgrades; don’t wait for perfect patches
- Med devices: Maintain an accurate inventory, track recalls and advisories, and collaborate with biomed/HTM
- Vendor ecosystems: Tier vendors by risk, require MFA and logging, and standardize contracts with incident reporting timelines
When reality isn’t ideal, compensate with architecture, monitoring, and rehearsed playbooks.
Frequently Asked Questions
Q: Are deepfakes really a threat in hospitals?
A: Yes. Attackers increasingly use voice and video impersonation to push urgent approvals, password resets, or wire transfers. Counter with phishing-resistant MFA, strict callback procedures to verified numbers, and staff training that “urgent” is not a reason to skip verification.
Q: We can’t patch everything. What should we prioritize?
A: Start with internet-facing assets, remote access tools, identity providers, and systems with direct pathways to your EHR and domain controllers. If you can’t patch quickly, isolate, restrict, and monitor.
Q: Is zero trust realistic for a mid-sized hospital?
A: Absolutely—if you approach it in phases. Focus first on visibility, MFA, segmenting crown jewels, and least-privilege access. Expand to continuous verification and automation over time.
Q: Should we ever pay a ransom?
A: The FBI discourages payment because it fuels the ecosystem and doesn’t guarantee recovery. Your decision will depend on risk, life safety, legal, and insurance counsel. The best leverage is preparation: backups, segmentation, and rehearsed recovery.
Q: How do we get useful threat intelligence without drowning?
A: Join Health-ISAC and HHS HC3, subscribe to CISA alerts, and designate someone to triage and translate intel into action items. Integrate IOC feeds into your SIEM/EDR and focus on detections tied to top attack paths.
Q: What tabletop exercises should we run first?
A: Start with “EHR down due to ransomware,” “vendor portal compromise,” and “deepfake-executive wire request.” Include clinical leads, help desk, finance, comms, and physical security to reflect real decision flows.
Q: How do we involve the FBI without causing panic?
A: Build the relationship now. Identify your local field office contacts, discuss preferred channels, and add them to your incident playbook. Reporting early helps protect your organization and the broader sector.
Clear Takeaway: Vigilance, Not Victimhood
Andrew Bailey’s message is unmistakable: healthcare is squarely in the crosshairs, and attackers are scaling with AI. But this is not a foregone conclusion. The organizations that will weather the storm aren’t the ones with the biggest budgets—they’re the ones that move decisively on the fundamentals, practice their response like a clinical drill, and plug into the public-private partnerships built to help them.
Turn on MFA. Segment your crown jewels. Test your restores. Train your people to challenge “urgent” requests. Align to NIST CSF and HICP. Build your FBI and AHA relationships now.
In healthcare, resilience is patient safety. Start today. And keep going tomorrow.