Indian Healthcare Hit by Sharp Ransomware Surge in 2026, CERT-In Flags Hospitals

Manish Garg, Associate of (ISC)² · RingSafe
May 12, 2026
3 min read
CERT-In’s 2026 quarterly reporting indicates a multi-fold rise in ransomware incidents targeting Indian hospitals, diagnostic chains and EHR vendors. Groups such as LockBit residuals, 8Base, RansomHub and newer affiliates are running double-extortion campaigns, exfiltrating ABHA-linked patient records before encryption. ICU and OT disruption is now a recurring pressure tactic, and ABDM, DPDP and CERT-In timelines all trigger in parallel once a breach is detected.

Indian healthcare has moved from being collateral damage to a primary target. CERT-In’s latest quarterly snapshot suggests hospital chains, diagnostic networks and EHR vendors are absorbing a disproportionate share of ransomware activity in 2026, with attackers leveraging ABDM integration, thin operational margins and ICU criticality to force quicker payouts.

What the trend looks like

CERT-In reporting through the first half of 2026 indicates a multi-fold rise in healthcare-sector incidents over the prior year, with multi-city hospital chains, pathology and radiology networks, and shared EHR/HIS vendors featuring prominently. Indicative figures from the quarterly summary suggest that the majority of confirmed incidents now involve data exfiltration prior to encryption, and a meaningful share, trending toward roughly a third, report some operational technology (OT) impact, ranging from imaging modalities going offline to delayed ICU monitoring and scheduling outages. Diagnostic chains running centralised LIS platforms appear especially exposed because a single tenant compromise propagates across dozens of collection centres.

Why healthcare is being targeted now

  • High PII and PHI density: ABHA IDs, insurance details, prescriptions and imaging form a high-value extortion bundle.
  • OT criticality: ICU, OT scheduling, LIS/RIS-PACS and pharmacy systems create immediate clinical pressure that compresses negotiation windows.
  • ABDM integration: Health Information Exchanges, HFR/HPR linkages and gateway APIs broaden the attack surface beyond the hospital perimeter.
  • Under-investment: Tier-2 and tier-3 hospitals, ESI and CGHS-empanelled facilities, and diagnostic franchisees often run flat networks with shared admin credentials.
  • Vendor concentration: A handful of HIS and PACS vendors serve a large slice of the market; one supply-chain compromise reaches many downstream entities.

Typical attack chain

  1. Initial access via phished credentials, exposed RDP/VPN on the HIS vendor, or an unpatched edge appliance.
  2. Lateral movement using stolen domain credentials, often pivoting from billing or radiology into the clinical core.
  3. Privilege escalation and disabling of endpoint protection on file servers and HIS database hosts.
  4. Data exfiltration of patient records, ABHA-linked identifiers, billing and HR data, typically over Mega, Rclone or attacker-controlled S3.
  5. Encryption of HIS, PACS, LIS and shared file stores, with shadow copies wiped and backups targeted.
  6. Leak-site posting on the affiliate’s onion site, sometimes with sample patient records to apply pressure.
  7. Negotiation and disclosure, running in parallel with CERT-In, ABDM and DPDP notification timelines.
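Detection logic for steps 4 and 5 of the chain above, as an added example rather than anything from CERT-In or the article: it runs a few rules over constructed process-creation events (the log format, hostnames and commands are invented for illustration) and escalates hosts where more than one stage fires, since a lone backup-catalog deletion can also be routine maintenance.

```python
import re
from datetime import datetime

# Constructed sample process-creation events (not from any real incident), in a
# simplified "timestamp|host|user|command line" form a SIEM export might produce.
SAMPLE_EVENTS = """\
2026-05-11T23:02:17|FILESRV02|admin.shared|vssadmin.exe delete shadows /all /quiet
2026-05-11T23:02:19|FILESRV02|admin.shared|wbadmin.exe delete catalog -quiet
2026-05-11T23:05:44|RAD-WS07|admin.shared|rclone.exe copy D:\\PACS\\archive mega:dump --transfers 32
2026-05-11T23:06:01|RAD-WS07|admin.shared|bcdedit.exe /set {default} recoveryenabled no
2026-05-12T00:12:30|LIS-APP01|labtech|notepad.exe C:\\temp\\worklist.txt
"""

# Rule name, the attack-chain step it maps to, and a regex over the command line.
RULES = [
    ("shadow_copy_deletion", "step 5: shadow copies wiped",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", "step 5: backups targeted",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", "step 5: recovery disabled ahead of encryption",
     re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("cloud_sync_exfil", "step 4: exfiltration via Rclone/Mega",
     re.compile(r"\b(rclone|megacmd)(\.exe)?\b", re.I)),
]

def detect(log_text):
    """Return one alert dict per (event, rule) match; benign events produce nothing."""
    alerts = []
    for line in log_text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        for name, step, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"time": datetime.fromisoformat(ts), "host": host,
                               "user": user, "rule": name, "step": step, "cmd": cmd})
    return alerts

def hosts_with_multiple_stages(alerts):
    """Hosts that fired two or more distinct rules: the stronger escalation signal,
    since a single rule can fire on legitimate backup maintenance."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= 2)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time']:%H:%M:%S} {a['host']} {a['user']} {a['rule']} ({a['step']})")
    print("escalate:", hosts_with_multiple_stages(found))
```

On the constructed sample, both hosts are escalated because each shows two distinct stages under the same shared admin account, which is the pattern the flat-network, shared-credential environments described above tend to produce.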

Compliance implications

Obligation | Authority | Timeline | Source
--- | --- | --- | ---
Incident reporting | CERT-In | Within 6 hours of detection | CERT-In Directions, April 2022
Health data breach disclosure | NHA / ABDM | Promptly, per HDM Policy | ABDM Health Data Management Policy
Personal data breach intimation | Data Protection Board of India | As prescribed under §8(6) | DPDP Act, 2023
Patient / Data Principal notification | Data Fiduciary (hospital / lab) | Without undue delay | DPDP Act + ABDM HDM Policy

What hospitals and diagnostic chains should do

  1. Segment clinical OT (ICU monitors, PACS, anaesthesia workstations, lab analysers) from corporate IT and from internet-facing HIS portals.
  2. Enforce phishing-resistant MFA on HIS, PACS, LIS, VPN, RDP and all admin consoles, including vendor support accounts.
  3. Maintain immutable, offline backups of HIS, PACS, LIS and finance systems, and rehearse a clinical-mode downtime drill at least twice a year.
  4. Tighten ABDM gateway integrations: scoped consent artefacts, short-lived tokens, logging at HIE-CM and HFR/HPR boundaries.
  5. Run continuous external attack-surface monitoring for exposed RDP, Citrix, Fortinet, Ivanti and HIS vendor portals.
  6. Pre-wire the breach runbook: CERT-In 6-hour template, ABDM disclosure note, DPDP intimation draft, patient communication and insurer notification.
  7. For ESI and CGHS-empanelled hospitals, pre-align with the empanelling authority on continuity expectations during a ransomware event.
