
                            This report explores three key trends in cybersecurity risks facing organizations in the healthcare sector, including malware distribution via popular cloud apps, genAI data risks, and data policy violations.

                            In this report

                            The healthcare sector faces evolving cybersecurity challenges as cloud application usage grows and generative AI (genAI) applications become more integrated into organizational workflows. This report examines the latest trends in malware distribution, data policy violations, and genAI application usage within the healthcare industry.

                            Malware distribution: Cloud applications are increasingly abused for malware distribution, with 13% of healthcare organizations experiencing malware downloads from GitHub. Threat actors leverage trusted platforms like GitHub to distribute malware, ultimately aiming to deploy infostealers and ransomware within healthcare networks.

                            Data policy violations: Mishandling regulated data is the top data security concern across the board in the healthcare sector, with regulated data being the most common type of sensitive data uploaded to personal cloud apps, genAI apps, and other unapproved destinations.

                            GenAI usage: 88% of healthcare organizations are using genAI apps directly, with 96% using apps that leverage user data for training and 98% using apps that incorporate genAI features. Organizations are responding to the resulting sensitive data (primarily regulated data) exposure risk by increasing their adoption of DLP.

                             

                            Malware downloads

                            Malware distribution via cloud apps

                            Attackers aim to infiltrate healthcare networks to deploy infostealers and ransomware throughout their victims’ systems. A popular technique is to combine malware with social engineering to trick victims into compromising their own systems, enabling attackers to deploy their information-stealing and ransomware payloads. One technique growing in popularity within the healthcare industry is to leverage trusted cloud apps to distribute early-stage malware payloads that facilitate the initial infection.

                            In 2025, GitHub emerged as the leading cloud application for malware downloads in the healthcare sector, with 13% of healthcare organizations seeing malware downloads per month. Attackers are abusing GitHub’s open platform to host and distribute malware, leveraging its widespread trust and use among developers. Following GitHub are Microsoft OneDrive, Amazon S3, and Google Drive, three of the most popular cloud storage apps in the enterprise (and therefore also common channels for attackers to host malicious files that their victims are more likely to download).

                            Figure: Top apps for malware downloads in the healthcare sector (Netskope Threat Labs Report Healthcare 2025)

                             

                            Data policy violations in cloud apps

                            The most common type of data policy violation in healthcare is uploading regulated data to unapproved locations on the web and in the cloud. In total, 81% of all data policy violations were for regulated healthcare data, while the other 19% included intellectual property, secrets, and source code. This finding highlights the critical need for healthcare organizations to enforce robust data loss prevention (DLP) strategies and educate employees on the risks associated with uploading sensitive information to unapproved locations.

                            Figure: Type of data policy violations in the healthcare sector (Netskope Threat Labs Report Healthcare 2025)

                            Narrowing the scope to only personal apps, the distribution of data policy violations changes only slightly. While regulated data still dominates, there is a comparatively higher incidence of individuals uploading source code to their personal apps (especially their personal Microsoft OneDrive and Google Drive accounts).

                            Figure: Data policy violations for personal apps in the healthcare sector (Netskope Threat Labs Report Healthcare 2025)

                             

                            GenAI usage

                            GenAI organizational adoption and usage trends

                            GenAI has become mainstream in the healthcare sector, with 88% of organizations now integrating cloud-based genAI apps into their operations, 96% using apps that leverage user data for training, 98% using apps that incorporate genAI features, and 43% experimenting with running some genAI infrastructure locally. These numbers lag behind the global averages of 94% of organizations using genAI apps in the cloud and 54% exploring running them locally.

                            At the same time, the use of personal genAI accounts has declined from 87% to 71% over the past year. This trend signals a strategic shift toward centralized, organization-approved genAI solutions designed to strengthen security and ensure compliance. Healthcare organizations should continue to adopt enterprise-grade genAI applications with robust security features to protect sensitive data while advancing in this direction.

                            Figure: GenAI usage, personal vs. organization account breakdown in the healthcare sector (Netskope Threat Labs Report Healthcare 2025)

                            Most used GenAI apps in healthcare

                            The top ten genAI apps used in the healthcare industry mirror global trends, with the following highlights:

                            • ChatGPT is by far the most widely used genAI app in healthcare and other sectors. 
                            • Google Gemini is steadily gaining traction as a leading alternative to ChatGPT.

                            The remainder of the top ten is a range of domain-specific and embedded AI tools.

                            Figure: Most popular genAI apps, based on percentage of orgs using those apps in the healthcare sector (Netskope Threat Labs Report Healthcare 2025)

                            Generative AI app usage and data policy violations

                            Now that genAI apps have become mainstream in the healthcare sector, organizations have been rapidly adopting DLP as a mitigating control for the increased data security risk that comes with genAI use. Notably, a substantial portion of sensitive data shared with genAI apps includes regulated data (a problem previously highlighted in this report for unapproved and personal apps as well), source code, and intellectual property. This trend suggests that genAI applications offer innovative solutions but also introduce new vectors for potential data breaches. Healthcare organizations must balance the benefits of genAI with the implementation of strict data governance policies to mitigate associated risks.

                            Figure: Type of data policy violations for genAI apps in the healthcare sector (Netskope Threat Labs Report Healthcare 2025)

                            Rising DLP adoption

                            To manage the data risks associated with genAI apps, organizations in the healthcare sector are rapidly adopting DLP policies. Using DLP policies to monitor and control access to genAI applications has grown significantly, rising from 31% to 54% of healthcare organizations over the past year. This increase highlights a stronger commitment to safeguarding sensitive data, as more healthcare providers recognize the risks associated with unmonitored genAI usage. By implementing DLP controls, organizations are taking a proactive approach to reduce data risks during interactions with genAI tools. This shift marks an essential step toward the responsible and secure integration of AI in healthcare environments.

                            Figure: Percentage of organizations using DLP to control genAI app access in the healthcare sector (Netskope Threat Labs Report Healthcare 2025)

                            Most blocked genAI apps

                            While the specific genAI apps blocked may differ by organization, apps with consistently high block rates, like those in the top 10 list below, should prompt all organizations to evaluate the presence of those apps in their own environments. It is also a good opportunity to reassess controls across entire categories of genAI tools. DeepAI is the most commonly blocked genAI app in healthcare organizations, often due to concerns around privacy practices and a lack of enterprise-grade controls. The remaining apps on the list, including Tactiq, Scite, and JasperAI, also appear frequently, with blocking decisions typically influenced by the presence of more secure or better-aligned alternatives. These patterns reflect how healthcare organizations are using block policies to redirect users to approved tools that meet internal requirements.

                            Figure: Most blocked AI apps, by percentage of orgs enacting a blanket ban on the app in the healthcare sector (Netskope Threat Labs Report Healthcare 2025)

                             

                            Recommendations

                            GenAI technology is significantly changing risk management approaches across businesses. The healthcare sector’s embrace of genAI applications necessitates a proactive approach: while these tools offer valuable efficiency gains and innovation opportunities, they also introduce notable security challenges. Organizations must remain vigilant by implementing comprehensive security measures, enforcing data protection policies, and promoting a cybersecurity awareness culture among employees. Netskope Threat Labs recommends that organizations in the healthcare sector review their security posture to ensure that they are adequately protected against these trends:

                            • Inspect all HTTP and HTTPS traffic (cloud and web) for phishing, Trojans, malware, and other malicious content to mitigate the risk of account compromise or device compromise, where ransomware and infostealers are common. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to all traffic.
                            • Block access to apps that do not serve any legitimate business purpose or that pose a disproportionate risk to the organization. A good starting point is a policy to allow reputable apps currently in use while blocking all others.
                            • Use DLP policies to detect potentially sensitive information, including source code, regulated data, passwords and keys, intellectual property, and encrypted data, being sent to personal app instances, genAI apps, or other unauthorized locations.
                            • Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads from all categories and applies to all file types.
                            • Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains.

                             

                            Netskope Threat Labs

                            Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest cloud threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DefCon, BlackHat, and RSA.

                             

                            About This Report

                            Netskope provides threat protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope One platform relating to a subset of Netskope customers with prior authorization.

                            The statistics in this report are based on the period from March 1, 2024, through March 31, 2025. Stats reflect attacker tactics, user behavior, and organization policy.