Ransomware Resurgence: 5 Lessons from Healthcare’s Cyber Frontlines

Healthcare leaders are facing a mounting security crisis: More than two-thirds of healthcare organizations experienced ransomware attacks in 2024. Five of the top 10 ransomware attacks last year involved healthcare, and recovery costs averaged more than $2.5 million per incident. 

This resurgence of ransomware attacks on the industry is partly thanks to the spread of ransomware-as-a-service (RaaS), eliminating the need for advanced technical expertise to carry out attacks. Healthcare continues to be an attractive target due to its critical nature: when patient lives are at stake, health systems are more likely to pay the ransom to restore operations as quickly as possible.

Cybercriminals value patient data, such as medical histories, Social Security numbers, insurance details, and financial records. Often sold on the dark web, this data is more valuable than standard credit card information because of its usefulness in a wide range of fraudulent activities, such as identity theft, insurance fraud, and even blackmail.

While the increasing digitization of healthcare supports obvious benefits like efficiency and improved care, it unfortunately also creates more opportunities for cybercriminals. Many organizations still use legacy systems with significant security risks. Connected devices such as MRI machines, ventilators, and heart monitors often lack standard security controls or have critical software vulnerabilities that make them attractive entry points. Third-party vendors offering services related to billing, data storage, or other operations may also have cybersecurity gaps that ransomware attackers can exploit to gain access to healthcare systems.

Beyond the cost and the threat to data, ransomware attacks severely compromise healthcare systems’ ability to treat patients. Downtime and loss of access to critical information have profound and far-reaching effects on patient care and safety. The impact of a ransomware attack can include:

  • Delayed or canceled treatments. When systems are unavailable, hospitals may struggle to access patient records, schedule procedures, or conduct diagnostic tests, leading to delays in urgent care. An attack on Lurie Children’s Hospital in Chicago affected a wide range of operations, from prescription refills to scheduling, causing significant backlogs.
  • Diverted emergency services. Manchester Memorial Hospital in Connecticut was forced to send emergency care patients to other hospitals for more than two weeks after an attack rendered its systems inoperable.
  • Ripple effects across the healthcare ecosystem. The impact of ransomware extends beyond the affected facility to nearby hospitals and providers, overwhelming resources and negatively affecting patient care. One study found stroke code activations doubled, cardiac arrests increased by 81%, and EMS arrivals increased by 35.2% at nearby hospitals after a ransomware attack.
  • Financial impacts. An outage caused by ransomware at Change Healthcare, which provides revenue and payment cycle management services, prevented healthcare organizations from receiving insurance reimbursements. Unable to pay for operational expenses, many smaller practices faced potential closure — affecting not only the healthcare professionals and staff, but their patients and communities as well.

Given these devastating outcomes, you would think healthcare systems would waste no time bolstering their defenses. Yet the industry still lags behind others when it comes to implementing robust cybersecurity measures that can proactively fend off attacks or mitigate damage from ransomware. More than half of healthcare organizations report allocating less than 10% of their IT budget to cybersecurity.

Bolstering healthcare cybersecurity for evolving threats

 It’s time for healthcare leaders to start treating ransomware like what it is: a threat to patient safety and public health. Here are five strategic recommendations for proactively strengthening organizational resilience, securing data, and reducing disruptions caused by ransomware attacks.

  1. Undertake regular risk assessments. Organizations should conduct comprehensive investigations at least annually to identify and address weaknesses in their technology infrastructure and procedures. These should include penetration testing and other real-world exercises to uncover weaknesses that automated tools might miss.
  2. Strengthen defenses. Advanced cybersecurity tools and services can identify ransomware attacks via real-time monitoring and AI-based intelligence, which can quickly recognize unusual activities or behaviors. They can also automatically take action to contain or address threats, preventing significant damage before IT teams can step in.
  3. Train staff. Some of the most common entry points in security incidents are employees, who are targeted via phishing attempts or ploys to gain access to their credentials. In a fast-paced, high-pressure environment like a hospital, workers are even more vulnerable to phishing. Regular cybersecurity training helps them recognize up-to-date social engineering tactics and reinforces security awareness as a part of their job.
  4. Ensure backups are secure. Your system could be hit with ransomware at any time, so take steps to back up systems and data. 95% of healthcare organizations hit by ransomware in 2023 said that the attackers also attempted to compromise their backups, so follow the 3-2-1 rule: keep at least three copies of data on two types of media, with one copy stored offsite or in a secure cloud environment. Offline or air-gapped backups ensure there is always a clean copy for recovery. It’s also essential to regularly test backups and restoration processes to ensure data hasn’t been compromised, minimize downtime, and facilitate rapid recovery in a crisis.
  5. Implement access controls. Allowing remote access to systems only when multi-factor authentication (MFA) is in place helps prevent incursions from unauthorized users. Role-based access controls (RBAC) ensure users can only access the systems and functions necessary for their jobs, so even if ransomware attackers gain access with employee credentials, the damage they can do is limited. Overall, healthcare organizations should implement a zero trust approach that continuously verifies all requests.
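
Recommendation 4 above, as an added example that is not part of the original article: an audit of a backup inventory against the 3-2-1 rule, the offline-copy requirement, and restore testing. The inventory entries, finding codes, and 90-day restore-test window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                      # "disk", "tape", "object-storage", ...
    offsite: bool = False
    offline: bool = False           # air-gapped: unreachable from production
    primary: bool = False           # the live production copy
    last_restore_test: Optional[date] = None
    restore_verified: bool = False  # restored data matched a known-good checksum

def audit_321(copies, today, max_test_age=timedelta(days=90)):
    """Return (code, detail) findings; an empty list means the rule is met."""
    findings = []
    if len(copies) < 3:
        findings.append(("TOO_FEW_COPIES", len(copies)))
    if len({c.media for c in copies}) < 2:
        findings.append(("SINGLE_MEDIA_TYPE", None))
    if not any(c.offsite for c in copies):
        findings.append(("NO_OFFSITE_COPY", None))
    tested_ok = []
    for c in copies:
        if c.primary:
            continue                # restore tests apply to backups only
        if c.last_restore_test is None:
            findings.append(("NEVER_RESTORE_TESTED", c.name))
        elif today - c.last_restore_test > max_test_age:
            findings.append(("RESTORE_TEST_STALE", c.name))
        elif not c.restore_verified:
            findings.append(("RESTORE_TEST_FAILED", c.name))
        else:
            tested_ok.append(c)
    # A clean recovery copy must be both offline and proven restorable.
    if not any(c.offline for c in tested_ok):
        findings.append(("NO_VERIFIED_OFFLINE_COPY", None))
    return findings

# Constructed sample inventories (hypothetical names and dates).
TODAY = date(2025, 6, 1)
BEFORE = [Copy("ehr-prod", "disk", primary=True),
          Copy("ehr-nightly", "disk", last_restore_test=date(2025, 5, 10), restore_verified=True),
          Copy("ehr-cloud", "object-storage", offsite=True)]
AFTER = BEFORE[:2] + [
    Copy("ehr-cloud", "object-storage", offsite=True, last_restore_test=date(2025, 5, 20), restore_verified=True),
    Copy("ehr-tape", "tape", offsite=True, offline=True, last_restore_test=date(2025, 4, 15), restore_verified=True)]

if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_321(inventory, TODAY) or "meets 3-2-1")
```

The "before" inventory has three copies on two media with one offsite, yet it still fails: the cloud copy has never been restore-tested and nothing is offline.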

The ever-increasing sophistication of ransomware groups, and their relentless focus on exploiting vulnerabilities in healthcare systems, adds to the urgency of this issue. In the interconnected environment of modern healthcare, a single cyber incident can cascade to affect not just one healthcare system but organizations in an entire region.

Cybersecurity has become as critical to patient outcomes as medical equipment. Investing in solutions that proactively defend healthcare networks from intrusion, minimize potential damage, and ensure clean backups for operational continuity can help ensure healthcare organizations stay online and functional even in the face of accelerating cyber threats.

__

Tamra Durfee, vCISO, Fortified Health Security, is an experienced CISO with over 25 years in information security, compliance, regulatory risk, strategy, innovation, and technology transformation. For the past 8 years, she has specialized in healthcare cybersecurity and building risk-based medical device information security programs. She is a presenter at HIMSS, CHIME, CHA, and a healthcare security contributor to Healthcare IT News. Tamra holds certifications as a Certified Healthcare CIO (CHCIO), Certified Digital Healthcare Executive (CDH-E), GIAC Security Leadership Certification, Certified Professional in Healthcare Information Management Systems (CPHIMS), and IBM Certified Solutions Architect. 

 
