Cybersecurity

Threat Landscape
in healthcare 2024
Dutch healthcare digitally secure
 Table of contents
Colophon 2
Table of contents 3
Foreword 4
Summary - Threat Landscape 2024 6
Colophon Threat radar 8
Incidents among respondents 10
The Z-CERT Foundation is the leading expertise centre in the field of cybersecurity We form a professional network with affiliated healthcare institutions, the Threat - Ransomware 12
in healthcare in the Netherlands. The annual Cybersecurity Threat Landscape for National Cyber Security Centre (NCSC), Health-ISAC (Information Sharing Threat - Credential Phishing 18
the Healthcare Sector 2023 outlines the main threats for the Dutch healthcare and Analysis Center), industry organisations, suppliers and other Computer Threat - Malware targeting users 24
sector. We use the information from participants’ reports, information from Emergency Response Teams (CERTs). Together, we tackle cyber challenges Threat - Digital financial fraud 30
(inter)national partners and research institutes, our own findings, expert such as ransomware, phishing, data breaches and hacking. Threat - Ransomware in the supply chain 32
interviews, literature research, research from open sources and a survey of Threat - DDoS 36
Dutch healthcare institutions. The content of this Cybersecurity Threat Landscape for Healthcare 2024 has Threat - DDoS at suppliers 42
been compiled with great care. However, errors or omissions may still occur. Threat - Cyber espionage by state actors 44
Z-CERT was founded in 2017 at the initiative of the Dutch Association of Z-CERT and any other involved parties cannot be held liable for this. Threat - Insider threats 48
Hospitals (NVZ), the Dutch Federation of University Medical Centres (NFU), Threat scenario Russia-Ukraine conflict 54
and Dutch Mental Healthcare (GGZ). As a non-profit foundation, Z-CERT has Explanation of the threat radar 56
no commercial objectives. Acknowledgements 59
Bibliography 60

Z-CERT Cybersecurity Threat Landscape 2024 - ©2025 Z-CERT Z-CERT Threat Landscape 2024 - 3
 “The idea of a major academic hospital
becoming inoperable during a crisis is
Foreword unthinkable...”

The protection of sensitive patient data and critical infrastructures is more similar to the rigorous cybersecurity exercises conducted in the banking sector. a crucial step toward protecting patient safety and the continuity of healthcare

important than ever. Healthcare organisations must proactively address Other industries, such as education and research, have seen institutions crippled processes, both of which are at serious risk due to cyberattacks.

cyber threats - not only to comply with stricter regulations but also to counter for days by cyber incidents. While this is already alarming, such a disruption

the increasing risks. These threats are growing as healthcare organisations in healthcare is simply unacceptable. The idea of a major academic hospital Z-CERT calls on healthcare institutions, governments and other stakeholders

increasingly adopt digital technologies such as remote patient monitoring and becoming inoperable during a crisis is unthinkable. to join forces and take collective action now. To reinforce this message, we have

smart home technology. decided to present the fifth annual Cybersecurity Threat Landscape for Healthcare

European collaboration is necessary in Brussels, the heart of European democracy.

The year 2024 presented a wide range of cybersecurity challenges and threats There is still much to learn from each other at the European level. Z-CERT

in healthcare. From the emergence of new ransomware groups to increasingly emphasises the urgent need for stronger collaboration across Europe to combat In this report, we provide insights into the current state of cybersecurity in

sophisticated phishing campaigns, these threats are evolving rapidly. the growing cyber threats. The geopolitical landscape brings new challenges. healthcare. We share lessons learned over the past year and offer tips and

While cyber criminals take advantage of weaknesses in digital infrastructure, recommendations to help create a more digitally secure healthcare sector.

Stronger regulations and industry standards require organisations to have their key players in healthcare remain hesitant to share sensitive information and Let’s work together to ensure that by 2025, we can better protect the

basic cybersecurity measures in order. However, in some areas, awareness of coordinate their defences effectively. healthcare sector against ever-evolving cyber threats.

the potential impact of cyber incidents remains insufficient.

It is encouraging that in January, the European Commission introduced an action Wim Hafkamp - Director Z-CERT

Z-CERT advocates for realistic testing and simulations within the healthcare sector, plan to strengthen the cybersecurity of European healthcare institutions. This is

Z-CERT Threat Landscape 2024 - 5

Summary of the Z-CERT Threat Landscape 2024
In 2024, Z-CERT has once again observed a rise in digital attacks targeting European and American healthcare suppliers have also been compromised.

healthcare organisations. Criminal hackers, digital spies and hacktivists Disruptions caused by ransomware and data breaches at these suppliers have

continue to see healthcare institutions as prime targets for extortion and directly impacted the healthcare institutions that depend on them. For example,

data theft - regardless of the consequences, such as disruptions to critical a ransomware attack on a pathology service provider in England disrupted

healthcare services. In 2024, multiple cyberattacks have impacted healthcare operations so severely that general practitioners were unable to conduct blood

institutions across the Netherlands and Europe, affecting their ability to tests, forcing thousands of outpatient appointments to be postponed.

operate effectively.

Besides extortion-based attacks, Z-CERT also considers DDoS attacks a growing steal sensitive personal data. Finally, digital incidents caused by employees and Trends: cloud attacks & AI-driven phishing
Digital extortion: your money or your life risk to the supply chain - particularly if an Electronic Health Record (EHR) digital financial fraud are also recurring phenomena. As healthcare organisations continue to store employee, patient, and research

Z-CERT has identified various forms of digital extortion in 2024, including provider is affected. However, unlike in 2023, Dutch healthcare institutions data in the cloud, cybercriminals are increasingly exploiting cloud security

ransomware attacks and data breaches. Both local IT systems and cloud experienced fewer DDoS attacks in 2024. Espionage: privacy and technology vulnerabilities.

environments have been targeted. Notably, every healthcare institution - In the Netherlands, cyber espionage in healthcare is primarily focused on stealing

regardless of size or type - remains a potential victim. Opportunity makes the digital thief scientific research, intellectual property, and large amounts of biomedical and Z-CERT expects AI to play a larger role in creating more sophisticated phishing

Ransomware extortion and data breaches are often opportunistic cyberattacks, personal data. Additionally, Z-CERT has observed growing risks associated with messages. Already, AI-generated phishing messages are as convincing as those

Cyberattacks on the supply chain where attackers exploit vulnerabilities in software and hardware. Meanwhile, hardware and software from countries with advanced cyber-attack capabilities, written by humans, and this capability will only improve over time.

Beyond direct attacks on healthcare organisations, a significant number of phishing campaigns continue to target healthcare institutions, attempting to including Russia, China, North Korea, and Iran.

6 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 7

 Medium

Threat radar
The threat radar indicates the timing, The further left a dot is positioned,

impact and thus the severity of cyber the lower its assessed threat level.

threats in healthcare. The position Finally, the colour of the dots

10
of the various dots in the inner ring, indicates the expected impact of
8 2
middle ring or outer ring indicates a threat - the darker the colour, 4
when something will pose a threat. the higher the expected impact. Low High
6
3
5
The chart is divided into three sections, A detailed explanation of the threat 9
each representing different levels of radar is provided in Appendix 1, 7

threat severity. The right section page 56. 1

contains the most severe threats.
>1 year 1 year Current 1 year >1 year

1 Ransomware (extortion and data breach) 6 Malware

Good to Know: In the Threat Landscape, we provide recommended actions for
each identified threat. These recommendations often reference CIS Controls - a set 2 Espionage (research) 7 Insider threats
of proven security best practices that organisations frequently use to implement

NEN 7510 or ISO 27001 security measures. In this Threat Landscape, we regularly 3 Ransomware at suppliers 8 DDoS
refer to CIS Controls to help healthcare organisations streamline the implementation

of critical security measures. Learn more at cissecurity.org/controls 4 DDoS at suppliers 9 Financial fraud

5 Credential phishing 10 Espionage (regular healthcare facilities)

Z-CERT Threat Landscape 2024 - 9

Incidents among respondents
For the threat landscape, Z-CERT inquired with dedicated to ‘threats’ and have been utilised, along digital media such as e-mail and WhatsApp. In the

participants about the security incidents they with other factors, to assess threat levels. malware category, the graph specifically represents

experienced. Nearly a quarter of the participants malware designed to deceive users into executing it.

completed the survey. The results are displayed in Clarification The ‘insider threats’ category is broad. In this threat

a graph alongside this text. This information can aid The percentage indicates how many per cent of the landscape, it refers to data breaches resulting from

in increasing awareness within your organisation total respondents had one or more incidents in each unintentional actions, negligence, curiosity or

and determining priority measures. The incidents category. In the financial fraud category shown in malicious intent by internal and external parties,

will be discussed in greater detail in the sections the graph, this pertains to fraud committed using including employees, suppliers and contractors.

Figure 1: Security incidents reported by Z-CERT participants who completed the survey

Insider threats

Credential phishing

DDoS suppliers

Malware

Digital financial fraud

DDoS

Ransomware

0 10 20 30 40 50

10 - Z-CERT Threat Landscape 2024

 Threat - Ransomware Threat assessment: High

Z-CERT assesses the threat posed by ransomware and/or extortion with data providers of all sizes (Figure 3) were affected. In 2024, the healthcare sector

breaches as “high”. In this chapter, data breaches refer specifically to the publication ranked as the third most targeted industry for ransomware and extortion attacks.

of stolen data on leak websites. The likelihood of such incidents has increased
Figure 2: Incidents per type of healthcare organisation in Europe in 2024
slightly compared to last year. This rise is partly due to the growing use of AiTM
Hospital 11
(Adversary-in-the-Middle) phishing in cybercrime and the increasing frequency of

attacks on cloud environments. Z-CERT expects several incidents to occur in 2025. Clinic 9

Health Authority 3

Incidents and impact Lab 3

In 2024, the number of ransomware-related incidents published on data leak

Youth Care 2

websites worldwide rose by 12% compared to 2023. The European healthcare

Alternative 2
sector experienced an even steeper increase of 25%. In the Netherlands, two
GGZ 2
healthcare organisations were affected: one youth care organisation and

one dental care-related organisation. This marks a decrease of two incidents Oral care 2

Threat
compared to the previous year. Additionally, a rehabilitation clinic narrowly Eldercare 1

avoided falling victim to a ransomware attack.

Home care 1

Ransomware
0 2 4 6 8 10 12
A striking trend is the broad range of healthcare institutions that were impacted

(Figure 2), demonstrating that any type of healthcare organisation can be a Incidents in which healthcare providers in Europe were extorted through data breaches,
ransomware or a combination of both in 2024. Data sourced from leak websites or open
target. Further analysis based on organisation size also shows that healthcare sources.

Z-CERT Threat Landscape 2024 - 13

Threat - Ransomware, follow-up
Figure 3: Incidents by size class of healthcare organisation globally in 2024 Ransomware or extortion with data breaches Impact
Employees In many cases, it is unclear whether an incident involved ransomware combined A study on ransomware incidents in the global healthcare sector [8] revealed

10.000+ with data breaches or if it was purely extortion through leaked data. In 2024, some key insights:

ransomware groups abandoned file encryption altogether and focused solely on • 22% of affected healthcare organisations recovered within a week,
5001-10.000
data breach extortion. [1] [2] [3] This method is highly effective, as 20-50% of while 37% took more than a month, and 7% needed over three months
1001-5000
affected organisations choose to pay the ransom. Additionally, these attacks to restore operations.
501-1000 require fewer resources and less time. For the healthcare sector, in particular, • In 95% of cases, ransomware also affected the organisation’s backups.
201-500 this distinction is crucial. [4] When files are encrypted, the continuity of care is Institutions whose backups were compromised paid ransom amounts

51-200 immediately at risk. three times higher than those with intact backups.

• The average recovery cost, excluding ransom payments, was €2.57 million.
11-50
However, even without encryption, healthcare organisations remain prime targets • On average, 57% of network-connected devices were impacted.
2-10
due to the sensitive personal data they store. This data is often housed in cloud-
Incidents 0 10 20 30 40 50 60 70 80
based SaaS applications, which have become frequent attack points. For example, For many incidents tracked by Z-CERT, the exact impact on healthcare

Incidents in which healthcare providers in Europe were extorted through data breaches, in France, a cybercriminal used a stolen password to gain access to a high-privilege operations was unclear. However, in a limited number of cases across Europe,
ransomware or a combination of both in 2024. Data sourced from cybercriminals leak
websites. account, exposing the personal data of more than 750,000 patients. [5] In Australia, the consequences were as follows:

an attacker used a leaked password to log into a radiology portal, gaining access to • At least four healthcare organisations experienced disruptions in
tens of thousands of patient records, including medical imaging results. Beyond health- emergency services.

care platforms, there were also several cases in 2024 where extortion incidents • At least seven had to postpone appointments.
involved stolen data from widely used cloud solutions, such as SharePoint. [6] [7] [1] • At least five were forced to revert to manual patient registration.

14 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - paginanum-

Threat - Ransomware, follow-up
Trends, methods, and techniques • Reports from the healthcare sector indicate that some vendors have authentication such as MFA, temporary access on demand (Just-in-Time

A study on ransomware in healthcare identified several common initial attack yet to implement modern authentication practices, such as Multi-Factor administration), and customized rights (least privileges).

vectors: [8] Authentication (MFA). Since these vendors often have access to multiple • For privileged access, consider alternatives to traditional VPN solutions,

• Exploiting software vulnerabilities healthcare organisations, this poses a significant security risk across such as Zero Trust Network Access (ZTNA) or Privileged Access

• Logging in with stolen or leaked credentials the sector. Management (PAM) solutions. These provide better control over privileged

• Malware delivered via email access and ensure it is only granted within a predefined timeframe. [13]

• Credential phishing Specific recommendations for 2025

Z-CERT has observed these same techniques in ransomware incidents affecting Given the evolving threat landscape, Z-CERT highlights the following key General recommendations
Dutch healthcare institutions. Strengthening defences against these attack recommendations: • Consult the latest NCSC publication on managing risks associated with

vectors should be a priority,as stopping an attack early can significantly • Ensure that attackers cannot move laterally between on-premises and edge devices, such as VPN solutions. [14]

reduce its impact. cloud environments. For example, local accounts with high privileges • Refer to the NCSC’s detailed guide on ransomware and incident response. [15]

should not be usable in the cloud. [12] • To systematically strengthen ransomware resilience, Z-CERT recommends

Several key trends emerged in 2024 • Consider deploying cloud security measures to detect and prevent data adopting the CIS Critical Security Controls in alignment with NEN 7510.

• There was a noticeable rise in ransomware and data exfiltration attacks exfiltration. These controls offer different maturity levels, making them applicable to

targeting cloud environments, as well as attacks that exploited both cloud • Assess whether your cloud environment is resilient against ransomware organisations of all sizes. [16]

and on-premises IT infrastructure. [9] [10] [11] attacks and capable of detecting ransomware activity. • For system hardening, consider using security baselines such as CIS

• Cybercriminals actively exploited vulnerabilities in edge devices such as • Maintain offline, encrypted backups of cloud data and update them Benchmarks or Microsoft Security Baselines. [17]

firewalls and VPN solutions. Z-CERT also observed frequent login regularly. • A comprehensive online guide is available for mitigating common hacking

attempts on VPN systems using guessed or stolen credentials. • Pay attention to suppliers who have not yet adopted principles of modern techniques. [18]

16 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 17

 Threat - Credential Phishing Threat assessment: Medium

This section focuses on phishing attacks aimed at stealing authentication AiTM phishing
credentials. Z-CERT assesses the threat level of this type of phishing in In late 2024, several highly effective Adversary-in-The-Middle (AiTM) phishing

the healthcare sector as medium. Phishing attempts are ongoing and campaigns targeted the healthcare sector. In this type of attack, the attacker

often successful. While phishing itself may not seem like a critical threat, intercepts the login process between the victim and the authentication platform

a compromised email account can serve as a gateway to serious security (often Microsoft 365). By doing so, the attacker leverages the entire login

incidents - especially if email access also grants entry to platforms like process of the user so that MFA does not pose a barrier to access. During this

OneDrive and SharePoint. Once attackers gain access, they can escalate period, Z-CERT received an unusually high number of reports of compromised

their attack to ransomware deployment or financial fraud. Z-CERT accounts. In October and November alone, Z-CERT recorded 11 confirmed cases.

anticipates that, in 2025, successful phishing attacks leading to online Additionally, login credentials for 50 accounts - compromised primarily through

workspace breaches will occur monthly. AiTM attacks - were leaked. Notably, some affected healthcare organisations

were unaware of the breach until further investigation revealed more

Incidents and impact compromised accounts than initially detected.

Phishing techniques are constantly evolving, with a steady stream of phishing

Threat
emails being sent every day. 16% of respondents to the survey conducted

for this threat assessment reported a successful phishing attack within their

organisation in the past year. 69% of these attacks involved credential phishing.

Credential Phishing
While phishing using QR codes was still observed, malicious links embedded

in emails remained the most common technique.

Z-CERT Threat Landscape 2024 - 19

Threat - Credential Phishing, follow-up
Trends in techniques and methods Generative AI: Z-CERT has observed that phishing emails are becoming • Restrict employees from disabling MFA on their accounts.

more linguistically sophisticated and increasingly written in flawless Dutch - • Require users to re-authenticate when updating security settings,

Social engineering appearing trustworthy: Cybercriminals increasingly design suggesting that attackers are leveraging AI tools. The extent to which AI is such as adding a new MFA method. Consider restricting users from

phishing campaigns to appear as legitimate and trustworthy by: Embedding deployed is assessed differently by parties [24] [25]. Z-CERT expects that changing these settings themselves.

phishing links in trusted platforms such as Dropbox and SharePoint. Sending generative AI will increasingly be used to generate more realistic and specific • Develop a dedicated incident response plan for AiTM phishing.

phishing emails from previously hacked email accounts of trusted partners. [19] phishing emails. Currently, it is already capable of generating spear-phishing • Improve detection and response capabilities for AiTM phishing. [31]

emails as effectively as human experts - a capability that will only improve • Ensure that any detection is followed up.

Teams-phishing: In March and April 2024, there was a surge in phishing attacks over time. [26] [27] In practice, such attacks are now also increasingly being • Consider implementing detection systems for cloned login pages to

via Microsoft Teams. This involves a malicious person sharing links via a Teams observed on members of senior management [28]. identify AiTM attacks early. [32] [33]

chat from a compromised account or a tenant set up for that purpose. [20]

Key recommendations for 2025 Recommendations pertaining to other forms of phishing:

Phishing kits: Phishing campaigns increasingly rely on ready-made phishing Given the latest developments in the threat landscape, we would like to highlight • Prevent Teams-phishing by restricting which external domains can

kits available through Phishing-as-a-Service (PaaS) platforms. These platforms the following recommendations: initiate chats with employees. [34]

allow attackers to launch highly automated phishing attacks without technical • Implement phishing-resistant MFA for accounts with access to sensitive • Ensure email security systems can detect and block malicious QR codes

expertise - often for a fixed monthly fee. Some free phishing kits also exist, data. See the NCSC factsheet: “Mature Authentication - Use Secure embedded in phishing emails. [35]

making it easier than ever for cybercriminals to launch large-scale phishing Authentication Methods”. [29]

campaigns. Given this trend, Z-CERT expects the volume of phishing emails • Implement context-based access policies (e.g., Microsoft Conditional

to increase significantly in the coming years. [21] [22] [23] Access),allowing access only from registered or compliant devices. [30]

20 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - paginanum-

Threat - Credential Phishing, follow-up
General recommendations

Recommendation CIS control

Implement a phishing awareness programme to help employees recognise phishing attempts. Refer to NEN7510-2 standard, human-centred
14
management measure 6.3 for guidance [36].

Enable a feature that allows employees to easily report phishing emails, helping cloud providers respond faster and improve detection.

Strengthen email and web browser security by implementing advanced protective measures. 9

Establish access control and account management per industry best practices. 5,6

Ensure comprehensive logging and monitoring to detect account misuse. Monitor suspicious changes, such as automatic email forwarding to
8
external accounts and the creation of unauthorised mailbox rules.

To prevent data breaches, implement measures to protect sensitive data in accounts and email inboxes. Data Loss Prevention (DLP) solutions

and file classification tools can help safeguard information. Additionally, some data management solutions offer default encryption, ensuring 3
that stolen files remain unreadable.

22 - Z-CERT Threat Landscape 2024

 Threat - Malware targeting users Threat assessment: Medium

This chapter focuses on malware (malicious software) that requires user • Infected USB drives introducing malware into systems.

interaction to be executed. Z-CERT assesses the threat level of malware incidents

in healthcare institutions as medium. In most cases, malware infections caused Often the infection is detected quickly and the damage is limited to having to

by users unknowingly executing malware have limited impact and are swiftly restore the systems. However, it is crucial to recognise that data, passwords,

contained. However, such infections can escalate, potentially leading to ransom- and web session cookies may also be stolen. These stolen credentials can be

ware attacks or data breaches. Z-CERT anticipates monthly malware infections exploited even after system recovery, allowing attackers to continue their

in 2025, with some cases escalating further. operations.

Incidents and impact Malware infections can also serve as precursors to ransomware attacks.

In 2024, 4% of respondents reported experiencing a malware incident. Additionally, Some healthcare institutions have encountered malware linked to ransom-

Threat
dozens of cases of stolen passwords - acquired through infostealer malware - ware groups. Traces of active malware infections associated with ransomware

were reported. Some of these stolen credentials were later sold on the dark web. actors were discovered, though timely intervention prevented escalation.

Malware
Z-CERT has identified the following common malware infection scenarios in

the Dutch healthcare sector:

• Phishing emails containing links to malware or malicious attachments.

targeting users
• Compromised legitimate websites, where unsuspecting visitors are tricked

into downloading malware - often disguised as a browser update. Malicious

advertisements on (legitimate) websites can also redirect users to malware.

Z-CERT Threat Landscape 2024 - 25

Threat - Malware targeting users, follow-up
Infostealers the dark web. In terms of malware, a constant battle exists between hackers and • Enhance incident response plans, logging and detection solutions

A particularly concerning type of malware is infostealer malware, designed to antivirus vendors, with attackers continuously developing malware that evades for web session cookie theft.

steal sensitive data, such as passwords, credit card details and web session detection. Generative AI accelerates this process, helping cybercriminals create • Keep password managers and web browsers updated to prevent

cookies, which allow attackers to hijack user sessions This can potentially undetectable malware more efficiently. vulnerabilities that infostealers can exploit.

lead to ransomware attacks or data breaches. If web session cookies are stolen, • Consider using an ad-blocker to prevent exposure to malicious

an attacker can temporarily gain access to the web application the user was Attackers are increasingly misusing legitimate ‘remote access software’ as a advertisements.

logged into. A high-profile case involved Dutch law enforcement [1], where an form of malware. Once installed, this allows cybercriminals to take full control

attacker stole contact details of numerous police officers. Investigators suspect of a system. If Single Sign-On (SSO) is enabled, the attacker can seamlessly

that a web session cookie was stolen via malware, granting the attacker access access all applications that the user is authorised to use.

to an application without requiring a password or MFA. Since the system trusted

the cookie, it assumed the login process had already been completed. Key recommendations for 2025
Given the current threat landscape, the following recommendations are

Trends, methods and techniques particularly relevant:

In 2024, infostealers remained one of the most prevalent types of malware. [37] • Limit web session duration, e.g., to one day, and enforce stricter session

[38] Many infostealers are sold as a ‘service’ at low prices, making cybercrime limits for admin accounts and logins from unmanaged devices.

more accessible. Many so-called ‘remote access trojans’ are also observed, • Use Microsoft cloud security policies to ensure that certain web session

giving an attacker access to the computer. This access is sometimes also sold on cookies are only valid on managed devices. [39]

26 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - paginanum-

Threat - Malware targeting users, follow-up
General recommendations

Recommendation CIS control

2, 9, 10 +
Prevent, detect and limit the impact of malware with security controls from CIS Controls.
13.7

Secure web browsers against malicious extensions and push notifications. 9.4

Provide security awareness training to reduce human error. 14

Develop an incident response plan for malware infections. 17

Ensure comprehensive logging to track and detect malware activity at both the network level and on infected systems. Where possible,
8
implement automated responses, such as blocking suspicious activity or isolating infected systems.

Limit the use of BYOD (Bring Your Own Device)due to the increased risk of malware and data breaches. If restricting BYOD is not feasible,

implement Mobile Device Management (MDM) or MAM to enforce security controls.

28 - Z-CERT Threat Landscape 2024

 Threat - Digital financial fraud Threat assessment: Medium

Financial fraud in the Dutch healthcare sector has frequently made headlines. attempts to alter bank account details. In one hospital and a primary care A notable case of financial fraud outside the healthcare sector occurred in 2024

Cases include fraud involving fake diplomas, billing for non-existent healthcare organisation, this led to salary payments being redirected to fraudulent bank when Bunq Bank fell victim to a deepfake scam. Fraudsters used AI-generated

Threat
services, and other forms of financial crime [40]. However, these examples accounts. Such fraud can have a significant financial impact - for instance, video and audio during a video call to convincingly impersonate the bank’s CEO

fall outside the scope of this assessment. This chapter focuses on financial a Dutch municipality unknowingly paid a fraudulent invoice of €100,000. [41] [42]. Similar cases are increasingly reported internationally,and Z-CERT expects

fraud facilitated through digital communication channels, such as email and this type of fraud to become more frequent, including in the Dutch healthcare

Digital
chat applications. Z-CERT assesses the threat level of digital financial fraud as Trends, methods and techniques sector.

medium. While the impact in 2024 remained limited, Z-CERT anticipates weekly Fraudsters use various communication methods, including email, WhatsApp,

attempts at digital financial fraud in 2025. [40] SMS, and phone calls. Z-CERT has observed a growing trend in which fraudsters General recommendations

financial
Dreiging
target new employees, often within their first week at work. These employees • The response strategy from last year’s threat assessment remains highly

Incidents and impact receive urgent requests, supposedly from senior executives, asking them to relevant. See Z-CERT’s factsheet for further details. [43]

Half of the respondents in Z-CERT’s survey reported attempts at financial fraud make immediate payments. It is suspected that fraudsters automatically • Z-CERT participants are increasingly using Z-CERT’s chat channels to

fraud
Financiële fraude
within their organisations. In some cases, these resulted in financial losses, extract this information from LinkedIn. Given this risk, new employees should share information about fraud campaigns. This peer-to-peer exchange

such as the unauthorised purchase of gift cards for fraudsters. One in five be explicitly warned about these scams on their first day. helps healthcare providers prevent fraud.

respondents stated they had received fake invoices or had encountered

Z-CERT Threat Landscape 2024 - 31

 Threat - Ransomware in the supply chain Threat assessment: High

Z-CERT assesses the threat level of ransomware incidents and/or extortion Figure 4: Incidents in Europe in sectors supplying healthcare

through data breaches targeting healthcare suppliers as high. These suppliers Medical
devices and
may include IT providers but can also be non-IT suppliers. The greater the
aids
dependency on a supplier, the greater the potential impact. Z-CERT anticipates
Pharma-
several incidents affecting the healthcare sector in 2025. ceutical
industry

Incidents and impact

IT-sector
Z-CERT identified two ransomware-related incidents involving healthcare

suppliers on leak websites operated by cybercriminals. In one case, data from 0 20 40 60 80 100 120 140

three participating organisations was leaked; in the other, data from 15 hospitals 2023 2024

Threat
was exposed. Additionally, three suppliers were affected, prompting multiple Incidents in European sectors in 2024 involving extortion via data breaches, ransomware or a
combination of both. Data sourced from cybercriminal leak websites.
healthcare institutions to proactively disable remote access to these companies.

In another incident, a healthcare provider’s password was leaked after one of its

Ransomware in
suppliers suffered a ransomware attack. Although no major ransomware incidents

directly impacted Dutch healthcare providers in 2024, Z-CERT maintains its high

threat assessment. Across Europe, IT service providers remain prime targets.

the supply chain

While the total number of such incidents decreased by 16%, the pharmaceutical

industry saw similar attack levels to last year, and the medical devices sector

experienced more than double the number of incidents.

Z-CERT Threat Landscape 2024 - 33

Threat - Ransomware in the supply chain, follow-up
Change Healthcare plays an important role in the US healthcare industry as an • Ensure access to alternative suppliers or procurement channels in case of

intermediary for financial transactions and insurance verification. The incident emergency.

had major consequences for hospitals, clinics, pharmacies and dental practices. • Regularly test and update business continuity and downtime procedures.

This year (2024), multiple incidents highlighted the healthcare sector’s reliance of an estimated 900,000 patients, was leaked onto the dark web. [49]

on suppliers - both for physical and digital products and services. • GP services: Dozens of GP practices in South East London were unable to Healthcare organisations struggled to process claims, verify insurance details, General recommendations
conduct blood tests or had to limit testing to urgent cases. [45] and receive payments, causing cash flow problems and operational disruptions. See also the guidance in the chapter “Ransomware in Healthcare Institutions”.

Ransomware in the blood supply chain • Logistical challenges: Blood test results had to be printed and physically Some providers were even forced to turn away new patients. Ultimately, The recommendations outlined there also apply to suppliers.

In 2024, three ransomware incidents worldwide targeted service providers in delivered, causing delays in treatment decisions. [45] Change Healthcare paid a ransom of $22 million (approximately €21 million).

the blood supply chain [44]. One case stands out as an example of the potential • National blood supply: A critical shortage of type O blood prompted an

impact of such attacks. urgent nationwide appeal for donors. The blood supply was under severe Specific recommendations for 2025
strain, with considerations to restrict availability to specific cases. [50] Given the current threat landscape, the following recommendations are

On 2 June 2024, Synnovis, a pathology service provider in England, was hit by particularly relevant:

a ransomware attack. The incident severely disrupted seven hospitals and GP Attack on an EHR supplier • Identify, classify and prioritise suppliers and third parties that are essential

services in South East London,with lesser effects on mental health services, On the night of 11-12 February 2024, a ransomware attack targeted an electronic for critical functions. Non-IT suppliers must also be considered! See the

neighbouring hospitals, and other local healthcare providers [45]. The attack health record (EHR) provider in Romania. The attack encrypted data at 26 hospitals, NCSC document: Hoe breng ik mijn rechtstreekse leveranciers in kaart?”

had significant consequences: [44] [45] while 79 other healthcare institutions had to proactively shut down systems to How to Map Direct Suppliers?”. [53]

• Patient safety: The ransomware attack led to 498 patient safety incidents. check for infections [52]. Most hospitals were able to restore backups from one • Develop business continuity procedures to ensure critical operations can

Of these, 114 were classified as ‘low harm’, and five as ‘moderate harm’. to three days prior, but in one case, the most recent backup available was twelve continue during ransomware incidents affecting suppliers. Consider realistic

Another 91 cases remain under investigation. [46] [47] days old. [51] [52] recovery times - while nearly two-thirds of affected suppliers recover within

• Healthcare services: The attack resulted in the postponement of 10,152 a month, others take significantly longer. [54]

outpatient appointments and 1,710 scheduled procedures. [48] Attack on a healthcare payment processor • Establish an incident response plan for supplier-related incidents. In some

• Data breach: Personal information, including sensitive medical records In February 2024, US-based Change Healthcare was hit by a ransomware incident. cases, blocking external access may be necessary.

34 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 35

 Threat - DDoS Threat assessment: Medium

Z-CERT assesses the threat level for DDoS attacks on healthcare institutions noting that this could change rapidly, as seen in 2023.

as medium. While DDoS attacks have increased globally, the healthcare

sector did not rank among the top 10 most targeted industries in 2024. Incidents and impact
In 2024, Dutch healthcare institutions experienced fewer DDoS attacks The Dutch healthcare sector suffered fewer DDoS incidents in 2024 than in 2023.

compared to 2023. Geopolitical developments did not lead to an increase Most observed DDoS attacks in 2024 occurred outside Europe. Only two Dutch

in incidents. However, Z-CERT expects a few minor DDoS incidents in 2025, healthcare institutions reported attacks on their own infrastructure.

Figure 5: Number of DDoS attacks targeting healthcare

1st quarter Total Netherlands 0 2nd quarter Total Netherlands 0

Total Europe* 2 Total Europe* 0
Total outside Europe 5 Total outside Europe 6
Total 7 Total 6

Threat 3rd quarter Total Netherlands

Total Europe*
1

0
4th quarter Total Netherlands

Total Europe*
1

DDoS
Total outside Europe 12 Total outside Europe 6
Total 13 Total 11

*Without Netherlands

Z-CERT Threat Landscape 2024 - 37

 Figure 6: Statistics on the source of traffic in DDoS attacks targeting the Netherlands. Measurement taken
on 1 January 2025 over the previous 12 months. [55]

China 13,16%

United States 12,89%

Brazil 6,68%

Japan 5,52%

Threat - DDoS, follow-up Singapore 4,94%

Germany 4,59%

Hong Kong 3,63%

In 2024, only one hospital reported a DDoS attack, compared to 15 hospitals by deploying a DDoS mitigation service. The following day, another DDoS attack
United Kingdom 3,00%
in 2023. In 2024, a hospital was targeted by a high-volume attack that occurred targeted an IP address of the institution but was successfully mitigated. The motives
Taiwan 2,78%
twice in quick succession. Both attacks were brief and were detected by the behind both attacks remain unknown.

hospital’s internet service provider, which identified that they originated Netherlands 2,72%

from outside the Netherlands. In coordination with the provider and Z-CERT, Geo-location of attacking servers 0 2 4 6 8 10 12 14
the hospital implemented the necessary countermeasures to successfully In 2024, DDoS attacks on the Netherlands originated from a wider range of

fend off the attack. countries. The figure below shows that, as of 1 January 2025, China ranked One reason Dutch servers were used in DDoS attacks last year was the global

first with 13.16%, closely followed by the United States at 12.89%. Dutch servers compromise of TP-Link and Netgear routers through known vulnerabilities [56].

At a large mental healthcare (GGZ) institution, there was an attack on the employee just made it into the top 10, accounting for 2.72% of the traffic. Z-CERT is unaware of any Dutch healthcare routers being used in DDoS attacks,

portal, resulting in login delays for 1.5 hours. The issue was ultimately resolved but we do not rule out the possibility. [56]

38 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - paginanum-

Threat - DDoS, follow-up
Trends, methods and techniques • Develop an incident response plan, establish continuity procedures, and

According to Cloudflare, the number of DDoS attacks worldwide increased by consider running attack simulations to identify vulnerabilities and ensure

approximately 50% in 2024 compared to 2023. However, the majority of high- an effective response. Inventory dependencies on external services,

volume attacks were short-lived, with only 3% lasting longer than an hour. determine the maximum allowable downtime for each service, and ensure

Most attacks originated from servers in Indonesia, followed by the Netherlands. this information remains up to date.

Works Microsoft reports a fourfold increase in DDoS attacks compared to 2023, • Patch known vulnerabilities: DDoS attacks are increasingly launched from

adding that these attacks are becoming harder to detect as they increasingly a globally distributed network of servers, including those in the Netherlands.

resemble legitimate web requests [58]. Prevent your routers and servers from becoming part of such a network by

patching known vulnerabilities as quickly as possible.

Specific recommendations for 2025

Given the current threat landscape, there are several key recommendations that General recommendations
are particularly relevant: [57] [58] • Factsheet on Continuity of Online Services. [59]

• Collaborate with cloud and internet providers to strengthen DDoS defence. • Factsheet on Technical Measures for Continuity of Online Services. [60]

These providers are better equipped to handle large-scale DDoS attacks

than individual healthcare institutions.

40 - Z-CERT Threat Landscape 2024

 Threat - DDoS at suppliers Threat assessment: Medium

Z-CERT assesses the threat level of DDoS attacks targeting healthcare providers’ • Finally, one healthcare institution reported being affected by a DDoS

suppliers as ‘medium’. Various sectors that supply the healthcare industry, such incident involving a major supplier of a system for exchanging data between

as telecom and service providers, and information technology & services, have general practitioners.

been targeted [57]. With the ongoing ‘SaaS’-ification of the healthcare sector,

Z-CERT anticipates multiple DDoS incidents affecting Dutch healthcare Specific Recommendations for 2025
institutions in 2025. In light of the current threat landscape, a few recommendations are particularly

relevant:

Incidents and impact • Collaborate for protection: Discuss with your supplier how they collaborate

In 2023, 17% of individuals reported experiencing DDoS attacks on their supplier’s with their cloud and internet providers to ensure better DDoS protection.

infrastructure, but this figure dropped to 10% in 2024. Despite the decline, there • Expect occasional disruptions: The SaaS solution you have purchased will

was still a notable impact on healthcare: [57] be briefly unavailable a few times a year. This may not always be due to

• In half of the incidents, access to the cloud environment was limited. the supplier, but could also the result from a DDoS attack on the supplier’s

• Several websites of healthcare institutions were inaccessible due to DDoS hosting provider. Ensure you have an alternative process available to

Threat
attacks on their hosting provider. maintain the continuity of care processes.

• One healthcare institution was unable to use its Electronic Patient Record

(EPR) system because the hosting provider for the EPR was targeted by a

DDoS at suppliers
DDoS attack.

• Microsoft’s Azure services, for instance, were unavailable for nine hours in

July due to a large-scale DDoS attack. This also impacted Dutch healthcare. [61]

Z-CERT Threat Landscape 2024 - 43

 Threat - Cyber espionage by state actors Threat assessment: High or Low*

Z-CERT assesses the threat level for cyber espionage by state actors differently group, likely acting without the Iranian government’s mandate and for personal

for various types of healthcare organisations. For state-sponsored cyber actors, financial gain, deployed ransomware against the victims,collaborating with two

the Dutch healthcare sector is particularly relevant due to the theft of scientific prominent Russian ransomware groups [62]. This cyber campaign illustrates how

research, intellectual property and large datasets containing medical and personal the advanced technological capabilities of state actors can combine with the

information. For healthcare organisations that hold such data, Z-CERT assesses expertise of ransomware groups. [62]

the threat of cyber espionage by state actors as ‘high’. For other types of health-

care organisations, Z-CERT classifies the threat of cyber espionage by state actors Countries with offensive cyber programmes
as ‘low’. Z-CERT expects that cyber espionage will remain a relevant threat in 2025. This year, Z-CERT has been repeatedly asked for advice on how healthcare

organisations should manage hardware and software from suppliers based

In addition to these motives, the high threat level is also attributed to the fact in countries with offensive cyber programmes. These are countries under

Threat
that state-sponsored attackers are well-organised and possess the technical investigation by Dutch intelligence services for engaging in covert cyber

skills necessary to carry out covert operations. operations aimed at Dutch interests. The level of espionage (and sabotage)

threat to the Dutch healthcare sector varies by country. The espionage threat

Cyber espionage by
Incidents and impact from China, in particular, is concerning because many innovative (healthcare)

No incidents of cyber espionage by state actors have been reported within the products are developed and produced in China. There is also the risk that

Dutch or European healthcare sectors, according to Z-CERT. However, in the stolen (health) data could be used for ‘data analysis’ purposes via a product

state actors
United States, a cyber campaign was revealed in which American healthcare developed and/or managed in China, rather than for typical product support and

organisations were attacked by an Iranian state actor. This Iranian actor gained development [63]. The AIVD’s annual report states: “China has now established

access to US victims for espionage purposes, after which hackers from the same a leading position in artificial intelligence (AI). To maintain and expand this position,

*Depending on the type of organisation

Z-CERT Threat Landscape 2024 - 45

Threat - Cyber espionage by state actors, follow-up
at water companies in the United States and Europe. This OT is also vary from one organisation to another. It is practically unfeasible to map

The country is hungry for more data. China seeks to acquire technology, • A Russian digital espionage group, likely part of the Russian intelligence used in medical devices [67] [68]. The likely goal of the Iranian group every component of all hardware and software, including medical

knowledge, and data through regular means, such as cooperation with Western services, has shifted part of its focus to gaining access to the cloud was to disrupt operations at the water companies. Hybrid warfare, devices and home automation systems. Developments such as a

technology companies, universities, and research institutions. However, it also environments of its targets. The group used brute force and password therefore, involves not only espionage but also the spread of disinformation Software Bill of Materials [72] may help with this in the future. [71] [72]

uses (cyber) espionage. China is trying to steal sensitive business information in spray attacks on service accounts. These accounts are often used to and, in some cases, limited sabotage. [67] [68] • For the best and most up-to-date advice on securing cloud service

the West to strengthen its own economic position” [64]. Additionally, Chinese automate the management of multiple applications and services and • State-sponsored cyber actors are increasingly using artificial intelligence accounts, organisations should consult the cloud provider’s website.

companies and individuals are legally required to share collected data, such as typically have broad access rights. Since these accounts operate without to collect information on targets, write simple scripts, and gather or [73][74][75]

data generated by medical IoT devices, with Chinese intelligence services [65]. human users, multi-factor authentication (MFA) is usually not enabled, generate content for phishing attacks. Hackers from China, Iran, Russia, • For specific techniques used in attacks on OT equipment, we refer to

[63] [64] [65] making them especially vulnerable. Additionally, service accounts are and North Korea have misused platforms like OpenAI for these purposes. advice from CISA. [76]

often exempt from policies such as periodic password changes. If the [69] [70]

“Z-CERT finds spy threat from China cyber spies manage to remain undetected, they can maintain long-term

network access with elevated privileges. This Russian espionage group Specific recommendations
worrisome. European cooperation has primarily targeted Western government entities, think tanks, health- The risks associated with state-sponsored cyber espionage can be mitigated by

care organisations, and energy companies, and it has recently expanded taking the following measures:
necessary.” its scope to include educational institutions and other sectors. [66] • Many of the tactics and techniques described in the chapters on ransom-

• Hybrid warfare has also been a significant theme in 2024. In addition ware, phishing and malware are also used by cyber spies. For further

Trends, methods and techniques to the conflict in Ukraine, the Israel-Hamas conflict has been a major recommendations, we refer to these chapters.

Digital espionage groups are technological frontrunners. While some of the catalyst for hybrid warfare. For example, the Iranian CyberAv3ngers • Z-CERT believes it is the responsibility of individual organisations to conduct

following examples did not directly affect the healthcare sector in 2024, group, linked to the Iranian Revolutionary Guard, successfully attacked a risk analysis and weigh the risks against the necessity of using specific

they could have indirect or long-term implications: operational technology (OT) used by Unitronics (an Israeli company) hardware and/or software [71]. The need to use particular products can

46 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 47

 Incidents and impact
The table below indicates the extent to which this type of threat has occurred among respondents.

Question Never Rarely Occasionally Frequently Very Frequently

How often did data breaches occur that fall into the category of ‘accidental’?

Misdelivered (email) 2 32 32 30 4

Unintentional
Patient or client mix-up when entering data into the EHR/ECD 26 36 20 14 4

Publication error (files placed in the wrong location, e.g. website, intranet, SharePoint) 50 32 14 4 0

Misconfiguration (e.g. in web applications) 58,3 35,4 6,3 0 0

How often did data breaches occur that fall into the category of ‘negligent’?

Incorrect permissions (e.g. retaining access unnecessarily, group access misconfiguration) 18 52 18 10 2

Threat - Insider threats

Unattended open screens 24,5 34,7 22,4 12,2 6,3

Negligent
Unauthorised use of cloud-based AI chatbots (such as ChatGPT) 44,9 26,5 20,4 6,1 2
Threat assessment: Medium

Threat
Loss or theft of devices (smartphone, laptop, etc.) 40,8 42,9 12,2 4,1 0

Unauthorised use of cloud-based storage and collaboration apps 49 34,7 12,2 4,1 0
The category of ‘insider threats’ is extensive. In this threat landscape, we focus How common were data breaches that fell into the ‘curious and malicious’ category?

Insider
on a selection of incidents reported to Z-CERT this year. These incidents involve

Curious or malicious
Unauthorised access to EHR/ECD or other diagnostic sources (out of curiosity) 29,2 58,3 10,4 2,1 0
data breaches caused by unintentional actions, negligence, curiosity, or malicious
Unauthorised access to EHR/ECD or other diagnostic sources (malicious intent) 85,4 14,6 0 0 0
behaviour by insiders. Insiders are defined as internal employees, former employees,
Data breach caused by a dissatisfied employee of a supplier/partner 91,7 8,3 0 0 0

threats
contracted staff, suppliers, or other third parties. Insiders are defined as internal
Data breach caused by a dissatisfied employee 93,8 6,3 0 0 0
employees, former employees, contracted staff, suppliers, or other third parties.
Data breach caused by a dissatisfied former employee 95,8 4,2 0 0 0
A similar trend is expected in 2025 as in 2024.

Z-CERT Threat Landscape 2024 - 49

Threat - Insider threats, follow-up
AI chatbots Recommendations a doctor without the required BIG registration and gained access to medical • Logging is a monitoring tool - prevent unauthorised access through additional

The table highlights that data breaches frequently arise from the use of AI • From 1 February 2025, the AI Act will require organisations to ensure records. Another involved an employee who accessed an unusually high number means such as restricting permissions and implementing emergency access

chatbots. In 2024, the Dutch Data Protection Authority (AP) received multiple ‘AI literacy’ among employees using AI solutions [80]. A knowledge resource of client records in a short period without a valid reason. Organisations struggle functionalities.

reports of breaches where employees entered sensitive patient or client on AI in healthcare will be published on the ‘Information Security Behaviour to fully assess the impact of this threat. They rely on healthcare staff voluntarily • Develop an authorisation matrix based on healthcare processes. This matrix

information into AI chatbots [77]. Healthcare organisations struggle to monitor in Healthcare’ website in February 2025, offering deeper insights into how reporting incidents, and the sheer volume of logging data makes comprehensive can serve as the framework for automating logging controls.

what data is shared with chatbots. However, chatbots have also been beneficial healthcare professionals can handle AI. [80] [81] monitoring difficult. However, new detection solutions are emerging,such as • Apply ‘business rules’ for automated logging control to detect unauthorised

in some healthcare applications [78]. It is crucial for organisations and • Consider implementing Data Loss Prevention (DLP) solutions to detect or alerts when an employee without a treatment relationship accesses the record access. Rules that flag anomalies in employee behaviour are particularly

employees to understand the risks of sharing data with AI systems. [77] [78] prevent the sharing of personal data with AI chatbots. of a nearby patient or client. Z-CERT has observed that electronic patient records effective. For example, an alert for a client whose records have been

• Provide an AI chatbot solution that has undergone a Data Protection Impact (EPRs) and electronic care records (ECRs) increasingly incorporate features to accessed 50% more times than usual today.

• Entering (special category) personal data into AI chatbots may grant chatbot Assessment (DPIA) and has been verified for compliance with GDPR and detect such unauthorised access. • Discuss any potential unauthorised access incidents with the

providers unauthorised access to this information. [77] organisational security and privacy standards. employee(s) involved.

• Even if internal policies permit it, sharing (special category) personal data with Recommendations
AI chatbots may violate the General Data Protection Regulation (GDPR). [77] Unauthorised access • Logging control is a sensitive issue. Involve employees, the Works Council,

• Cybercriminals can gain access to sensitive data if chatbot accounts are Unauthorised access was a recurring issue last year, typically driven by curiosity - management and other stakeholders when implementing logging controls.

compromised - often through malware - which is sold on the dark web. [79] often involving access to one’s own file or those of acquaintances. This usually • Prioritise awareness: educate employees that patient data should only be

• Patients and clients should be informed about the use of AI chatbots and happens out of personal interest rather than malicious intent. Malicious access used for work purposes, that logging is legally required and data is available

the purposes for which their data is processed. [80] was rare in 2024. One notable case involved a GGD employee who posed as on request by patients and clients.

50 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 51

Threat - Insider threats, follow-up
Data breaches by disgruntled (ex-)employees or (ex-)employees insider knowledge to attack the organisation’s IT infrastructure. In another Specific recommendations
of suppliers instance, an employee left an organisation and downloaded a large volume of
For suppliers CIS control
Z-CERT’s research indicates that among respondents, few incidents were linked data. These cases ultimately had minimal impact, but similar incidents could

to disgruntled (ex-)employees. However, a number of cases were reported to have far more severe consequences. In one case, the access of a supplier’s Monitor supplier activities, for example, through a privileged access management system. 15.6

Z-CERT this year. In one case, an employee with administrative privileges was former employee was not revoked from the system in time. [82]
Enforce modern authentication principles for supplier access. 5, 6
dismissed. Following a personal incident, they later threatened to use their
Before engaging with a supplier, assess their security measures to prevent insider incidents.
Ensure that access and account management policies are strictly enforced when supplier employees leave. 15.5

For (ex-)employees CIS control

Apply modern authentication principles to suppliers 5, 6

• Implement robust account management, access management, and audit log policies. Ensure processes for blocking accounts and revoking access
rights are executed in a timely manner when someone leaves the organisation. Such processes can be automated through integrations with HR
systems. 5, 6, 8, 4.11
• If an employee with administrative rights leaves, consider changing passwords for service accounts or API keys that grant access to healthcare
assets.

General recommendations
Refer to the new NCSC publication ‘Managing Insider Threats’ for guidance on handling insider threats. [83]

Paginanummer - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 53

 DDoS attacks on remote work and smart home environments Exploitation of vulnerabilities
Hacktivist-driven DDoS attacks on healthcare institutions have primarily Throughout the conflict, Ukrainian organisations have faced “hack and leak”

targeted websites,with limited impact. However, Z-CERT has also identified operations, as well as website defacements used to spread propaganda.

attacks on remote work environments and smart home technology. Many of Pro-Russian actors have focused on exploiting vulnerabilities in internet-

these attacks are not specifically targeted but instead affect cloud providers facing devices, such as firewalls and VPN solutions.

or internet service providers.

Wiperware

Threat scenario Disruption of GPS signals

During the war in Ukraine, GPS signals were frequently disrupted for military
Wiperware was widely deployed in Ukraine. This is malware designed to

destroy as much data as possible.

Russia-Ukraine conflict purposes, causing disturbances even outside the conflict zone [85]. In the

Conflict
healthcare sector, GPS is used for various applications, including wandering For further details and guidance on risk assessments, refer to the NCSC

The ongoing conflict between Ukraine and Russia remains a source of uncertainty. detection and personal alarm systems. Any disruption could significantly document “Four Cybersecurity Lessons from One Year of War in Ukraine” [86],

According to the Dutch General Intelligence and Security Service (AIVD), the threat impact the functionality of these essential services. [85] which also provides a deeper analysis of mitigation strategies. [86]

Russia and
to the Netherlands is significant [84]. This article outlines several cyber threat

scenarios that have been observed in Ukraine (and sometimes beyond). At the Loss of internet connectivity
time of writing, Z-CERT considers only the first scenario to be currently relevant. In Ukraine, internet service providers have been frequent targets of cyber-

Ukraine
While the other scenarios are unlikely at present, it is crucial to be aware of these attacks. However, the overall impact has been limited due to the country’s

threats for risk assessments, business continuity planning and improving large number of ISPs. Additionally, the availability of satellite internet has

resilience. [84] helped mitigate disruptions.

Z-CERT Threat Landscape 2024 - 55

 the radar section of current threats. If a particular type of threat can be expected

in the short term, within now and one year, then the threat in question will be

positioned in the second ring. Finally, we also look ahead by positioning threats

expected beyond one year in the outer ring.

The placement of the dots also indicates the severity of the threat. The most

severe threats are positioned in the right-hand segment of the radar. The further

to the left a circle is placed, the lower the associated threat level. The impact coding

Explanation of the threat radar associated with the threat is:

Color Impact
The threat radar is based on the Factor Analysis of Information Risk (FAIR)
High
framework (https://www.fairinstitute.org), which is used to prioritise threats.
Medium
This model was developed as part of the Shared Research Programme (SRP)
Low
Cyber Security, coordinated by TNO, with contributions from partners such as

ING, ABN AMRO, Rabobank, Volksbank and Achmea.

The radar is structured as a 3x3 matrix, representing both the timing and impact Tijd
Current Short term <1 Long term >1
of cyber threats in the healthcare sector. The impact of a threat can be low/

medium/high. The timeline is divided into the current situation, the situation The positioning of the various dots (with impact low/medium/high) in the radar The classification of impact levels and the positioning of threats are based on a

that can be expected in the short term (within 1 year) or threats that may graph is related to the threat assessment relative to time. If a particular threat is mathematical model developed by TNO. The estimated timeline is derived from

impact the future (more than 1 year from now). currently perceivable, the threat with its associated number will be positioned in expert knowledge.

56 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 57

Acknowledgements
We extend our gratitude to everyone who contributed to the production of this

Cybersecurity Threat Landscape for Healthcare, including several reviewers from

healthcare institutions, CISOs and security specialists from various healthcare

organisations.

In particular, we would like to thank:

Nationaal Cyber Security Centrum (NCSC)

Ewald Beekman (Amsterdam UMC)

Erick van Veghel (Catharina Ziekenhuis)

Joost Bakker (BovenIJ ziekenhuis)

Jelmer Modderman (Nij Smellinghe Ziekenhuis)

Jan Ebbes (RIBW K/AM)

Winrik Campo (Aafje)

Aico Hoekman (Siza)

Niels Fontein (Siza)

Richard Binnekamp (GGD GHOR Nederland)

Adrie Rolloos (Parnassia Groep)

Design: Z-CERT, February 2025

Z-CERT Threat Landscape 2024 - 59

Bibliography
[1] Google Cloud, “UNC3944 Targets SaaS Applications,” 13 Juni 2024. [Online]. ​[6] SecurityWeek, “Fortinet Data Breach Impacts Customer Information,” 13 September 2024. Financial Industries,” 2 Oktober 2024. [Online]. [15] NCSC, “ Incidentresponsplan Ransomware,” 3 Juni 2022. [Online].

Available: https://cloud.google.com/blog/topics/threats-intelligence/unc3944-targets-saas- [Online]. Available: https://www.securityweek.com/fortinet-data-breach-impacts-customer- Available: https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting- Available: https://www.ncsc.nl/documenten/publicaties/2022/juni/3/incidentresponsplan-

applications/. information/. insurance-and-financial-industries. ransomware.

​[2] CISA, “#StopRansomware: BianLian Ransomware Group,” 2024 November 2024. [Online]. ​[7] ​Google Cloud, “UNC5537 Targets Snowflake Customer Instances for Data Theft and ​[12] CERT-EU, “Security Guidance 22-001 - Cybersecurity mitigation measures against critical ​[16] ​Center for Internet Security, “CIS Critical Security Controls®,” [Online]. Available:

Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a. Extortion,” 10 Juni 2024. [Online]. Available: https://cloud.google.com/blog/topics/threats- threats,” 9 Maart 2022. [Online]. Available: https://cert.europa.eu/publications/security- https://www.cisecurity.org/controls. [Geopend November 2024].

intelligence/unc5537-snowflake-data-theft-extortion. guidance/security-guidance-22-001---cybersecurity-mitigation-measures-against-critical-

​[3] “Ransomware’s Evolving Threats: The Rise of RansomHub, Decline of Lockbit, and the threats/. ​[17] Microsoft, “Security baselines,” 2024. [Online]. Available: https://learn.microsoft.com/

New Era of Data Extortion,” 1 November 2024. [Online]. Available: https://blog.checkpoint. ​[8] Sophos, “The State of Ransomware in Healthcare 2024,” 2024. [Online]. en-us/windows/security/operating-system-security/device-management/windows-security-

com/research/ransomwares-evolving-threats-the-rise-of-ransomhub-decline-of-lockbit- Available: https://www.sophos.com/en-us/whitepaper/state-of-ransomware-in-healthcare. ​[13] U.S. Cybersecurity and Infrastructure Security Agency, U.S. Federal Bureau of configuration-framework/windows-security-baselines.

and-the-new-era-of-data-extortion/. Investigation, New Zealand’s Government Communications Security Bureau, New Zealand’s

​[9] ​A . Delamotte, “The State of Cloud Ransomware in 2024,” 14 November 2024. [Online]. Computer Emergency Response Team, Canadian Centre for Cyber Security, “MODERN ​[18] Google Cloud, “Ransomware Protection and Containment Strategies,” 30 April 2024.

​[4] Coveware, “Ransomware actors pivot away from major brands in Q2 2024,” 29 Juli 2024. Available: https://www.sentinelone.com/blog/the-state-of-cloud-ransomware-in-2024/. APPROACHES TO NETWORK ACCESS SECURITY,” 18 juni 2024. [Online]. Available: https:// [Online]. Available: https://services.google.com/fh/files/misc/ransomware-protection-and-

[Online]. Available: https://www.coveware.com/blog/2024/7/29/ransomware-actors-pivot- www.ic3.gov/CSA/2024/240618.pdf. containment-strategies-report-en.pdf.

away-from-major-brands-in-q2-2024. ​[10] ​Microsoft, “Storm-0501: Ransomware attacks expanding to hybrid cloud environments,”

[Online]. Available: https://www.microsoft.com/en-us/security/blog/2024/09/26/storm- ​[14] ​NCSC, “ Factsheet Omgaan met edge devices,” 10 Juni 2024. [Online]. Available: ​[19] ​Microsoft, “File hosting services misused for identity phishing,” Microsoft, 8 October

​[5] ​B. Toulas, “Cyberattack at French hospital exposes health data of 750,000 patients,” 20 0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/. https://www.ncsc.nl/documenten/factsheets/2024/juni/10/kennisproduct-omgaan-met- 2024. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-

November 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/ edge-devices. hosting-services-misused-for-identity-phishing/.

cyberattack-at-french-hospital-exposes-health-data-of-750-000-patients/. ​[11] A. Büyükkaya, “Ransomware in the Cloud: Scattered Spider Targeting Insurance and

60 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 61

Bibliography, follow-up
​[20] Microsoft, “Microsoft Digital Defense Report 2024,” Microsoft, 2024. ​[26] ​Nederland Digitaal, “AI-gegenereerd aas maakt phishing nog gevaarlijker,” 8 januari ​[31] Microsoft, “Detecting and mitigating a multi-stage AiTM phishing and BEC campaign,” 8 ​[36] NEN, “NEN Connect,” 1 december 2024. [Online]. Available: https://connect.nen.nl/

2025. [Online]. Available: https://www.nederlanddigitaal.nl/actueel/nieuws/2025/01/08/ai- Juni 2023. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2023/06/08/ Standard/Detail/3716055.

​[21] ​Sekoia, “Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit,” gegenereerd-aas-maakt-phishing-nog-gevaarlijker. detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/.

Sekoia, 25 March 2024. [Online]. Available: https://blog.sekoia.io/tycoon-2fa-an-in-depth- ​[37] ​Recorded future, “H1 2024: Malware and Vulnerability Trends Report,” 10 September

analysis-of-the-latest-version-of-the-aitm-phishing-kit/. ​[27] ​S. L. A. K. B. S. A. V. Fred Heiding, “Evaluating Large Language Models’ Capability to ​[32] ​Zolder, “Using honeytokens to detect (AiTM) phishing attacks on your Microsoft 365 2024. [Online]. Available: https://www.recordedfuture.com/research/h1-2024-malware-and-

Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects,” 30 tenant,” Zolder, 9 January 2024. [Online]. Available: https://zolder.io/blog/using-honeytokens- vulnerability-trends-report.

​[22] Sekoia, “Mamba 2FA: A new contender in the AiTM phishing ecosystem,” Sekoia, 7 October november 2024. [Online]. Available: https://arxiv.org/abs/2412.00586. to-detect-aitm-phishing-attacks-on-your-microsoft-365-tenant/.

2024. [Online]. Available: https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm- ​[38] Blackberry, “Global Threats Intelligence Rapport,” 2024. [Online]. Available: https://www.

phishing-ecosystem/. [28] M. Greenfield, “The Diary of a CEO: A tale of how an AI deepfake spear phishing attack was ​[33] Zolder, Did somewone clone me, “Why DSCM?,” [Online]. Available: blackberry.com/us/en/pdfviewer?file=/content/dam/bbcomv4/blackberry-com/en/solutions/

thwarted,” 10 oktober 2024. [Online]. Available: https://www.quodorbis.com/the-diary-of-a- https://didsomeoneclone.me/find-website-copies-why-and-how/. threats-intelligence/threats-report/sept2024/Global-Threats-Intelligence-Report_Sept-

​[23] ​Unit42, “Business Email Compromise: Investigating Infrastructure and Tactics of Phishing- ceo-a-tale-of-how-an-ai-deep-fake-spear-phishing-attack-was-thwarted/. 2024.pdf.

as-a-Service Platform Sniper Dz,” Palo Alto, 24 September 2024. [Online]. Available: ​[34] Microsoft, “IT Admins - Manage external meetings and chat with people and organizations

https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tactics/. ​[29] NCSC, “Factsheet ‘Volwassen authenticeren – gebruik veilige middelen voor using Microsoft identities,” 1 Juni 2023. [Online]. Available: https://learn.microsoft.com/en-us/ ​[39] Microsoft, “Conditional Access: Token protection,” 27 juni 2024. [Online]. Available:

authenticatie’,” 25 April 2022. [Online]. Available: https://www.ncsc.nl/documenten/ microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-

​[24] ​Zscaler, “Phishing Attacks Rise: ThreatsLabz 2024 Phishing Report,” Zscaler, 23 April factsheets/2022/april/24/factsheet-volwassen-authentiseren-gebruik-veilige-middelen- protection.

2024. [Online]. Available: https://www.zscaler.com/blogs/security-research/phishing-attacks- voor-authenticatie. ​[35] Microsoft, “How Microsoft Defender for Office 365 innovated to address QR code phishing

rise-58-year-ai-threatslabz-2024-phishing-report. attacks,” Microsoft, 4 November 2024. [Online]. Available: https://www.microsoft.com/en-us/ [40] RTL, https://www.rtl.nl/nieuws/binnenland/artikel/5478149/zware-criminelen-dringen-

​[30] Microsoft, “What is Conditional Access?,” Microsoft, 3 March 2024. [Online]. Available: security/blog/2024/11/04/how-microsoft-defender-for-office-365-innovated-to-address- de-zorg-binnen.

[25] Verizon, “Verizon 2024 Data Breach Investigations,” 2024. https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview. qr-code-phishing-attacks/#MicrosoftDefender.

62 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 63

Bibliography, follow-up
​[41] Nu.nl, “Gemeente Helmond trapt in nepaanmaning en is bijna ton kwijt,” nu.nl, 25-11- [46] NHS, “Policy guidance on recording patient safety events and levels of harm,” 9 Oktober ​[50] A. Martin, “UK national blood stocks in ‘very fragile’ state following ransomware attack,” ​[55] ​Cloudflare, [Online]. Available: https://radar.cloudflare.com/security-and-attacks/

2024. Available: https://www.nu.nl/binnenland/6336745/gemeente-helmond-trapt-in- 2024. [Online]. Available: https://www.england.nhs.uk/long-read/policy-guidance-on- 18 Juli 2024. [Online]. Available: https://therecord.media/uk-blood-stocks-ransomware- nl?dateRange=52w.

nepaanmaning-en-is-bijna-ton-kwijt-menselijke-fout.html. recording-patient-safety-events-and-levels-of-harm/. attack-london-hospitals.

​[56] F5, ​[Online]. Available: https://www.f5.com/labs/articles/threats-intelligence/sensor-

[42] Computerweekly, ​https://www.computerweekly.com/news/366572934/Dutch- ​[47] DigitalHealth, “Synnovis attack led to at least five cases of ‘moderate’ patient harm,” 12 ​[51] ​DNSC, “ALERTĂ: Backmydata Ransomware,” 15 Februari 2024. [Online]. Available: intel-series-top-cves-april-2024.

organisations-vulnerable-to-deepfake-fraud. November 2024. [Online]. Available: https://www.digitalhealth.net/2024/11/synnovis-attack- https://www.dnsc.ro/citeste/alert-backmydata-ransomware-spitale-romania.

led-to-at-least-five-cases-of-moderate-patient-harm/. ​[57] Cloudflare, ​[Online]. Available: https://blog.cloudflare.com/ddos-threats-report-for-

​[43] Z-CERT, https://z-cert.nl/kennisbank/phishing-fraude/factsheet-financiele-fraude. ​[52] S. Gatlan, “Ransomware attack forces 100 Romanian hospitals to go offline,” 12 Februari 2024-q3/.

​[48] NHS England, “Update on cyber incident: Clinical impact in south east London – Thursday 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/ransomware-

​[44] American Hospital Association and Health-ISAC, “American Hospital Association and 26 September 2024,” 26 September 2024. [Online]. Available: https://www.england.nhs. attack-forces-100-romanian-hospitals-to-go-offline/. ​[58] Microsoft, ​[Online]. Available: https://www.microsoft.com/en-us/security/security-

Health-ISAC Joint Threats Bulletin - TLP White,” 1 Juli 2024. [Online]. Available: https://www. uk/london/2024/09/26/update-on-cyber-incident-clinical-impact-in-south-east-london- insider/intelligence-reports/microsoft-digital-defense-report-2024.

aha.org/advisory/2024-08-01-american-hospital-association-and-health-isac-joint-threats- thursday-26-september-2024/. ​[53] NCSC, “ Hoe breng ik mijn rechtstreekse leveranciers in kaart?,” [Online]. Available:

bulletin-tlp-white. https://www.ncsc.nl/wat-kun-je-zelf-doen/weerbaarheid/herkennen/hoe-breng-ik-mijn- ​[59] ​NCSC, “ Factsheet Continuïteit van online diensten,” 2 Maart 2023. [Online]. Available:

​[49] Alexander Martin, “Data on nearly 1 million NHS patients leaked online following rechtstreekse-leveranciers-in-kaart. https://www.ncsc.nl/documenten/factsheets/2019/juni/01/factsheet-continuiteit-van-

​[45] ​The Guardian, “London NHS hospitals revert to paper records after cyber-attack,” 5 Juni ransomware attack on London hospitals,” 16 September 2024. [Online]. Available: https:// onlinediensten.

2024. [Online]. Available: https://www.theguardian.com/society/article/2024/jun/05/london- therecord.media/data-on-nearly-1-million-nhs-patients-leaked-hospital-ransomware. ​[54] Sophos, “The state of ransomware 2024,” 2024. [Online]. Available: https://www.sophos.

nhs-hospitals-revert-to-paper-records-in-wake-of-russian-cyber-attack. com/en-us/whitepaper/state-of-ransomware. ​[60] NCSC, ​“Factsheet Technische maatregelen voor continuïteit voor online diensten,” 2

Maart 2023. [Online]. Available: https://www.ncsc.nl/documenten/factsheets/2019/juni/01/

​ factsheet-technische-maatregelen-voor-continuiteit-van-online-diensten.

64 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 65

Bibliography, follow-up
[61] Bleepingcomputer, ​[Online]. Available: https://www.bleepingcomputer.com/news/ ​[66] NCSC, ​“ SVR cyber actors adapt tactics for initial cloud access,” February 2024. [Online]. ​[71] Loket Kennisveiligheid, “​ Nationale leideraad kennisveiligheid - veilig internationaal ​[76] CISA, “IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water

microsoft/microsoft-says-massive-azure-outage-was-caused-by-ddos-attack/. Available: https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud- samenwerken,” Januari 2022. [Online]. Available: https://www.loketkennisveiligheid.nl/ and Wastewater Systems Facilities,” 18 December 2024. [Online]. Available: https://www.cisa.

access. binaries/loketkennisveiligheid/documenten/rapporten/2022/01/14/nationale-leidraad- gov/news-events/cybersecurity-advisories/aa23-335a.

​[62] Aha, “​ Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations,” kennisveiligheid/Nationale-leidraad-kennisveiligheid.pdf.

August 2024. [Online]. Available: https://www.aha.org/advisory/2024-08-29-iran-based- ​[67] MITRE, ​“MITRE ATT&CK - Unitronics Defacement Campaign,” March 2024. [Online]. ​[77] ​AP, “Let op: gebruik AI-chatbot kan leiden tot datalekken,” 6 Augustus 2024. [Online].

cyber-actors-enabling-ransomware-attacks-us-organizations. Available: https://attack.mitre.org/campaigns/C0031/. ​[72] NCSC, ​“ Software Bill of Materials (SBOM) Wat, waarom en hoe?,” Juli 2023. [Online]. Available: https://www.autoriteitpersoonsgegevens.nl/actueel/let-op-gebruik-ai-chatbot-

Available: https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2023/juli/5/sbom- kan-leiden-tot-datalekken.

​[63] Reuters, ​“China’s WuXi AppTec shared US client’s data with Beijing, US intelligence officials ​[68] The Record, “Two-day water outage in remote Irish region caused by pro-Iran hackers,” startersgids/123TNOdv_SBOM_V3b.pdf.

told senators,” March 2024. [Online]. Available: https://www.reuters.com/technology/chinas- December 2023. [Online]. Available: https://therecord.media/water-outage-in-ireland-county- ​[78] Z-CERT, ​“AI in de zorg,” August 2024. [Online]. Available: https://z-cert.nl/actueel/nieuws/

wuxi-apptec-shared-us-clients-data-with-beijing-us-intelligence-officials-2024-03-28/. mayo. ​[73] Microsoft, ​“Microsoft - Securing cloud-based service accounts,” October 2023. [Online]. ai-in-de-zorg.

Available: https://learn.microsoft.com/en-us/entra/architecture/secure-service-accounts.

​[64] AIVD, “Jaarverslag 2023 AIVD,” 2024. [Online]. Available: https://www.aivd.nl/ ​[69] OpenAI, ​“Disrupting malicious uses of AI by state-affiliated threats actors,” February ​[79] ​Graham Cluley , “100,000 hacked ChatGPT accounts up for sale on the dark web,” 2023.

documenten/jaarverslagen/2024/04/22/jaarverslag-2023. 2024. [Online]. Available: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state- ​[74] AWS, ​“AWS - Securing your account,” December 2024. [Online]. Available: https://docs. [Online]. Available: https://www.bitdefender.com/en-us/blog/hotforsecurity/100-000-

affiliated-threats-actors/. aws.amazon.com/prescriptive-guidance/latest/aws-startup-security-baseline/controls-acct. hacked-chatgpt-accounts-up-for-sale-on-the-dark-web.

​[65] DNI, “​ China’s Collection of Genomic and Other Healthcare Data,” February 2021. [Online]. html.

Available: https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/NCSC_China_ ​[70] Rijksoverheid, ​“ Versterkte dreigingen in een wereld vol kunstmatige intelligentie,” ​[80] ​I. Khoe, “Verantwoord omgaan met AI-chatbots in de zorg,” 19 September 2024. [Online].

Genomics_Fact_Sheet_2021revision20210203.pdf. December 2024. [Online]. Available: https://www.rijksoverheid.nl/documenten/ ​[75] Google, ​“Google - Best practices for using service accounts,” December 2024. [Online]. Available: https://www.ictrecht.nl/blog/hoe-ga-je-verantwoord-om-met-ai-chatbots-in-de-

rapporten/2024/12/09/tk-bijlage-versterkte-dreigingen-in-een-wereld-vol-kunstmatige- Available: https://cloud.google.com/iam/docs/best-practices-service-accounts. zorg.

intelligentie.

66 - Z-CERT Threat Landscape 2024 Z-CERT Threat Landscape 2024 - 67

Bibliography, follow-up
​[81] Stichting ECP, “Veilig gedrag, sterke zorg,” [Online]. Available: https://www.

informatieveiliggedragzorg.nl/.

​[82] ​Geisinger, “Geisinger provides notice of Nuance’s data security incident,” 24 Juni 2024.

[Online]. Available: https://www.geisinger.org/about-geisinger/news-and-media/news-

releases/2024/06/24/18/17/geisinger-provides-notice-of-nuances-data-security-incident.

​[83] NCSC, “Omgaan met insider threats,” nr. https://www.ncsc.nl/documenten/

publicaties/2024/februari/29/omgaan-met-insider-threats.

​[84] ​AIVD, “AIVD: 2025 wordt een onrustig jaar,” 19 December 2024. [Online]. Available:

https://www.aivd.nl/actueel/nieuws/2024/12/19/aivd-2025-wordt-een-onrustig-jaar.

​[85] ​BBC, “Russia blamed for GPS interference affecting flights in Europe,” 2 Mei 2024. [Online].

Available: https://www.bbc.com/news/articles/cne900k4wvjo.

​[86] NCSC, “ Vier cybersecuritylessen uit één jaar oorlog in Oekraïne,” 21 Februari 2023.

[Online]. Available: https://www.ncsc.nl/documenten/publicaties/2023/februari/21/vier-

cybersecuritylessen-uit-een-jaar-oorlog-in-oekraine.

68 - Z-CERT Threat Landscape 2024

 Stichting Z-CERT - Stationsplein 121, 3818 LE Amersfoort

Dutch healthcare digitally secure 033 737 06 09 - info@Z-CERT.nl - Z.CERT.nl - LinkedIn.com/company/z-cert