A Threat That Is Happening Now

This is not a forward-looking advisory. Following coordinated U.S. and Israeli strikes on Iranian military targets on February 28, 2026, the Department of Homeland Security issued a law enforcement bulletin warning of imminent cyberattacks against U.S. networks. The bulletin, obtained by ABC News, stated that Iranian-aligned hacktivists are expected to conduct cyberattacks against U.S. networks in the near term and that cyber actors affiliated with the Iranian government may conduct broader attacks against U.S. networks.

Healthcare Is Explicitly Named

Federal agencies including HHS, NSA, CISA, and the FBI have all issued guidance warning that Iranian state-sponsored and proxy actors consider healthcare a high-value target — in part because of the sector's operational dependencies on connected systems and its historically inconsistent security posture.

For health system leaders and revenue cycle teams, the question is not whether Iranian cyber operations represent a real threat. The question is whether your organization is prepared to operate if systems go down because of one.

  • 15+ years of documented Iranian offensive cyber operations against U.S. targets
  • 4 agencies (NSA, CISA, FBI, and HHS ASPR) have issued healthcare-specific threat warnings
  • 38% staffing: CISA is currently operating at reduced capacity due to the DHS funding lapse

The Threat Is Decentralized and Unpredictable

One of the most important aspects of the current threat environment is how decentralized it has become. Former NSA operative Kathryn Raines, now a threat intelligence team lead at Flashpoint, described the current moment as one in which loosely coordinated proxy actors are taking the lead in escalation, filling the vacuum left by Iran's central command structure.

"The Iranian leadership vacuum is likely going to lead to more unpredictable, decentralized proxy attacks. A mid-sized logistics company, a regional utility provider, or even a healthcare network could be chosen opportunistically — not as part of a grand strategy, but to make a statement." — Kathryn Raines, Flashpoint

In practical terms, this means the threat does not operate like a formal military campaign with defined targets and red lines. Smaller groups or individuals may begin selecting targets independently — making risk modeling far more difficult for security teams accustomed to tracking formal state actors.

Former CIA Special Activities Center director Brian Carbaugh put it plainly: cyber operations are appealing in moments like this precisely because they are low-cost, difficult to attribute, and capable of producing outsized disruption. Iran's cyber apparatus has over 15 years of documented operational experience and historically intensifies during periods of geopolitical pressure.

According to Flashpoint, groups operating under Iran's "Great Epic" campaign and "Cyber Islamic Resistance" are coordinating through Telegram channels and Reddit, posting claimed attacks publicly to amplify psychological impact even before technical verification is possible.

Why Healthcare Is Specifically at Risk

Iranian-linked threat groups have a documented history of targeting U.S. healthcare. In 2021, the FBI warned that Iranian actors had attempted a cyberattack on Boston Children's Hospital. The American Hospital Association warned in late 2025 that Iranian actors were actively compromising healthcare infrastructure and selling that access to secondary threat actors who then deploy ransomware.

Attack Method | How It Works | Healthcare Entry Point
Password Spraying | Automated attempts across many accounts using common passwords | Staff email and EHR login portals
MFA Push Bombing | Flood user with authentication requests until they approve | Remote access and VPN accounts
Spear Phishing | Targeted emails impersonating trusted contacts | Billing staff and revenue cycle teams
Unpatched CVEs | Exploit known software vulnerabilities before organizations patch | Internet-facing devices and vendor portals
Supply Chain Compromise | Breach upstream vendor to gain access to downstream clients | Clearinghouses and billing platform integrations

Once inside, access is often monetized by being sold to ransomware groups who then conduct the destructive phase. The interconnected nature of healthcare operations makes this particularly dangerous — revenue cycle teams work with clearinghouses, payer portals, billing platforms, and coding vendors, each with its own credential footprint and network access.
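The first two rows of the table above, password spraying and MFA push bombing, have recognizable shapes in authentication logs: spraying is breadth (one or two failures against many distinct accounts from one source, which stays under per-account lockout), and push bombing is a burst of MFA prompts to one user, often ending in a single approval. The following is an added example written for this article, not code from the article's author or from any federal agency: a small Python detector that runs over a constructed authentication log. The log format (timestamp, event, user, source IP, result), the field names, and the thresholds are all assumptions chosen for illustration; a real deployment would read the identity provider's own event format and tune the windows to its login volume.

```python
"""Detect password-spraying and MFA push-bombing shapes in authentication logs.

Added example. The log format, event names and thresholds are assumptions;
the sample log below is constructed and does not describe any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One event per line:
# <ISO timestamp> <event> user=<name> src=<ip> result=<outcome>
SAMPLE_LOG = """\
2026-03-01T02:00:01 LOGIN user=a.jones src=203.0.113.7 result=FAIL
2026-03-01T02:00:03 LOGIN user=b.smith src=203.0.113.7 result=FAIL
2026-03-01T02:00:05 LOGIN user=c.ng src=203.0.113.7 result=FAIL
2026-03-01T02:00:07 LOGIN user=d.patel src=203.0.113.7 result=FAIL
2026-03-01T02:00:09 LOGIN user=e.garcia src=203.0.113.7 result=FAIL
2026-03-01T02:00:11 LOGIN user=f.kim src=203.0.113.7 result=SUCCESS
2026-03-01T02:05:00 LOGIN user=a.jones src=198.51.100.2 result=FAIL
2026-03-01T02:05:30 LOGIN user=a.jones src=198.51.100.2 result=FAIL
2026-03-01T02:06:00 LOGIN user=a.jones src=198.51.100.2 result=SUCCESS
2026-03-01T03:10:00 MFA_PUSH user=f.kim src=203.0.113.7 result=DENIED
2026-03-01T03:10:20 MFA_PUSH user=f.kim src=203.0.113.7 result=DENIED
2026-03-01T03:10:40 MFA_PUSH user=f.kim src=203.0.113.7 result=DENIED
2026-03-01T03:11:00 MFA_PUSH user=f.kim src=203.0.113.7 result=DENIED
2026-03-01T03:11:20 MFA_PUSH user=f.kim src=203.0.113.7 result=DENIED
2026-03-01T03:11:40 MFA_PUSH user=f.kim src=203.0.113.7 result=APPROVED
2026-03-01T08:00:00 MFA_PUSH user=b.smith src=192.0.2.10 result=APPROVED
"""

EPOCH = datetime(1970, 1, 1)  # fixed reference so bucketing is timezone-independent


def parse_log(text):
    """Turn the assumed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "user": fields["user"],
            "src": fields["src"],
            "result": fields["result"],
        })
    return events


def bucket(ts, window):
    """Index of the fixed-size time window containing ts.

    Fixed buckets are simple and cheap; a sliding window would also catch
    bursts that straddle a bucket boundary.
    """
    return (ts - EPOCH) // window


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source that fails logins for many distinct users in one window.

    Breadth, not depth, is the signal: per-account lockout never fires because
    each account sees only one or two attempts. Any SUCCESS from the same
    source in the same window is reported so the account can be reviewed.
    """
    groups = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN":
            groups[(e["src"], bucket(e["ts"], window))].append(e)
    findings = []
    for (src, _), evs in sorted(groups.items()):
        failed_users = {e["user"] for e in evs if e["result"] == "FAIL"}
        if len(failed_users) < min_users:
            continue  # e.g. repeated failures on a single account are not a spray
        findings.append({
            "src": src,
            "distinct_failed_users": len(failed_users),
            "successes": sorted({e["user"] for e in evs if e["result"] == "SUCCESS"}),
        })
    return findings


def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=5):
    """Flag a user who receives a burst of MFA push prompts in one window.

    A run of DENIED prompts that ends in APPROVED is the worst case: the user
    gave in, so that approval should be treated as suspect, not as proof.
    """
    groups = defaultdict(list)
    for e in events:
        if e["event"] == "MFA_PUSH":
            groups[(e["user"], bucket(e["ts"], window))].append(e)
    findings = []
    for (user, _), evs in sorted(groups.items()):
        if len(evs) < min_pushes:
            continue
        evs.sort(key=lambda e: e["ts"])
        findings.append({
            "user": user,
            "pushes": len(evs),
            "denied": sum(e["result"] == "DENIED" for e in evs),
            "approved_after_burst": evs[-1]["result"] == "APPROVED",
        })
    return findings


def correlate(spray_findings, bombing_findings):
    """Accounts whose password fell to a spray and were then push-bombed.

    This join is the highest-priority alert: a guessed password followed by a
    fatigue approval is the full chain the table describes.
    """
    sprayed = {u for f in spray_findings for u in f["successes"]}
    return sorted(f["user"] for f in bombing_findings if f["user"] in sprayed)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    bombing = detect_push_bombing(evs)
    print("password spray:", spray)
    print("push bombing:", bombing)
    print("sprayed then push-bombed:", correlate(spray, bombing))
```

On the constructed log, the source 203.0.113.7 is flagged as a spray (five distinct accounts failed, one succeeded), the three failures from 198.51.100.2 are not (one account, so it is brute force against a single user, not a spray), and f.kim is flagged for six prompts in two minutes ending in an approval. The correlation step ties the two together: a guessed password on f.kim followed by a fatigue approval is exactly the chain that turns an internet-facing login portal into remote access.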

CISA Operating at Reduced Capacity

CISA, the primary civilian cybersecurity agency responsible for protecting U.S. critical infrastructure, is currently operating at approximately 38% staffing due to a DHS funding lapse. Some furloughed employees are on standby but not actively working. The federal safety net is strained at exactly the wrong moment.

What an Attack Actually Looks Like for a Health System

For revenue cycle teams, the operational impact of an Iranian-linked cyberattack follows a well-established pattern.

Phase | What Happens | Revenue Cycle Impact
Initial Access | Attacker gains entry through phishing or unpatched system | None visible yet — attacker moves quietly
Persistence | Attacker establishes foothold; may remain undetected for weeks | None visible — access being mapped and sold
Deployment | Ransomware encrypts systems; data exfiltrated | EHR goes offline; all digital workflows stop
Downtime | Organization operates on manual procedures | Charges missed; documentation incomplete; billing halted
Recovery | Systems restored; paper records reconciled | Weeks of backlog; denial spikes; compliance gaps surface

The recovery phase is often more operationally disruptive than the attack itself. Billing is delayed, denials spike, and the downstream effects of documentation gaps surface for weeks after systems are restored.

Healthcare organizations that have invested in operational downtime preparedness — with tested workflows, trained staff, and technology that allows revenue cycle operations to continue independent of primary systems — absorb these events very differently than those that have not.

What Health System Leaders Should Do Right Now

The federal guidance issued in connection with the current threat environment is consistent and specific. Here is what CISA, HHS ASPR, and the FBI recommend healthcare organizations act on immediately.

  • Patch every internet-facing asset — Iranian actors exploit known vulnerabilities quickly after public disclosure
  • Implement MFA that resists push bombing across all remote access and administrative accounts
  • Audit vendor and third-party access — scope each integration to least privilege
  • Review clearinghouse and billing platform connections for unusual activity
  • Verify downtime procedures exist, are accessible to frontline staff, and have been tested under realistic conditions
  • Ensure revenue cycle workflows are operable without EHR access for multi-day scenarios

On the operational side, now is the time to verify that downtime procedures actually work. Most hospital downtime plans were written for brief, localized outages — not multi-day system-wide disruptions of the kind that ransomware deployments produce.

"If the answer is no — that you don't know whether you're at elevated risk or what you're doing about it — that's exactly where to start." — Brian Carbaugh, former CIA Special Activities Center Director

If your organization has not tested its revenue cycle workflows under full EHR unavailability, you do not know whether they will hold under pressure.

Preparedness Is the Answer to Unpredictability

The decentralized nature of the current Iranian cyber threat makes traditional risk modeling harder. When attacks can come from loosely coordinated actors selecting targets opportunistically through encrypted chat channels, the question of whether your specific organization is on a target list becomes less answerable than the question of whether your organization is prepared for disruption regardless of source.

  • $7,500: average cost per minute of hospital IT downtime
  • 46% of hospitals lack effective downtime procedures
  • Weeks: typical revenue cycle recovery time after a major ransomware event

Whether the next downtime event comes from Iranian-affiliated hacktivists, a ransomware group, or a routine system failure, the operational impact on revenue cycle is the same. Registration stops. Charges are missed. Billing is delayed. Recovery takes longer than expected.

The organizations that fare best are those that have already answered the question of how they will operate when their systems are unavailable. That answer requires more than a policy document. It requires tested procedures, trained staff, and the operational infrastructure to keep revenue cycle running when primary systems cannot.

The threat environment right now is elevated. That is not a reason to panic. It is a reason to assess your preparedness honestly and close the gaps before the clock starts.