Microsoft: Why U.S. healthcare is at risk of cyberattacks
Caitlin Anthoney Feb 6, 2025 10:19:13 AM

The American healthcare sector has become a major target for financially motivated cybercriminals.
According to Microsoft’s report, ‘US Healthcare at Risk: Strengthening resiliency against ransomware attacks,’ the industry's "broad attack surface, legacy systems, and inconsistent security protocols" make it especially attractive for attackers looking to exploit vulnerabilities.
A reputation for paying ransoms
Healthcare organizations are particularly vulnerable to ransomware attacks due to their reliance on digital technologies, limited cybersecurity investment, and the high stakes of patient care.
As patient care takes priority, many healthcare organizations are "willing to pay millions of dollars to avoid disruptions." This willingness has fueled a surge in ransomware incidents, with a recent survey showing that "67% experienced a ransomware attack in the past year" and that "53% admitted to paying ransoms in 2024, up from 42% in 2023."
The report also states that the "average admitted ransom payment [amounted] to $4.4 million."
Limited security resources
Underfunded security infrastructure is a major factor contributing to healthcare's cybersecurity weaknesses. The Healthcare Cybersecurity Needs a Check-Up report states, "Because budgets are tight and providers must prioritize spending on core patient services, cybersecurity has often been underfunded, leaving healthcare organizations more vulnerable to attack."
Furthermore, the first report suggests that the Health Insurance Portability and Accountability Act (HIPAA) focuses on "data confidentiality, often leaving data integrity and availability as secondary concerns," which leaves hospitals poorly prepared to recover from cyberattacks.
Legacy systems and infrastructure vulnerabilities
The chronic underinvestment in cybersecurity has led to outdated, hard-to-update legacy systems, making them "prime targets for exploitation."
The issue is further complicated by an increase in mergers, with a "23% rise over 2022 and at the highest levels since 2020," which produces complex IT infrastructures spread across multiple locations that are even more difficult to secure.
Expanding attack surface
While “hospitals are more online than ever, connecting critical medical devices [like] CT scanners, patient monitoring systems, and infusion pumps to networks," these devices often cannot identify and mitigate security threats.
“On average, 70% of a hospital’s endpoints are not computers but rather devices," explain Drs. Christian Dameff and Jeff Tully, Co-Directors and Co-Founders of the University of California San Diego Center for Healthcare Cybersecurity.
The vast amounts of data being transmitted also create vulnerabilities, as "more than 88% of hospitals report electronically sending and obtaining patient health information, and more than 60% report integrating that information into their electronic health records (EHRs)."
Rural hospitals have higher risks
Small, rural healthcare providers face even greater cybersecurity risks with "limited means to prevent and remediate security [incidents]." These hospitals typically "lack the same level of cybersecurity infrastructure or expertise as their larger, urban counterparts."
Moreover, many of these facilities rely on a single IT generalist who is "proficient in managing everyday technical issues but lacks specialized knowledge in cybersecurity." According to the Department of Health and Human Services Health Care Industry Cybersecurity Task Force, many rural critical access hospitals do not have full-time cybersecurity hires, making them even more vulnerable to attacks.
“These IT generalists, often just someone proficient in network and computer management, are used to dealing with things like, ‘I can’t print, I can’t log in, what’s my password?’” explains Dr. Dameff. “They’re not cybersecurity experts. They don’t have the staff, they don’t have the budget, and they don’t even know where to start.”
The way forward
The stakes are too high to ignore healthcare cybersecurity. Cyberattacks threaten patients' well-being and the financial viability of healthcare organizations.
Therefore, the healthcare industry must invest in advanced security tools and coordinated incident-response planning to protect its systems and, above all, protect patient outcomes.
FAQs
What is a ransomware attack?
Ransomware attacks are a type of cyberattack in which hackers gain unauthorized access to a computer, encrypt its data, and demand payment in exchange for restoring access to that data.
Hackers often target sensitive information like personal, financial, or healthcare data, crippling the victim's operations until the ransom is paid or the data is recovered by other means.
Ransomware typically spreads through phishing emails, malicious links, or software vulnerabilities, exploiting weak cybersecurity defenses. Even after paying the ransom, victims are not guaranteed data recovery.
Who needs to comply with HIPAA?
HIPAA compliance is required for covered entities, including healthcare providers, health plans, healthcare clearinghouses, and their business associates, who handle protected health information (PHI).
What type of data is usually compromised in breaches?
In healthcare, the compromised data often includes PHI, exposing patients to identity theft and financial fraud. Furthermore, HIPAA violations can lead to legal penalties and reputational damage for healthcare organizations.