Healthcare organizations are facing a surge in ransomware attacks, with a string of high-profile incidents highlighting the sector’s weaknesses. From the attack on Ireland’s Health Service Executive in 2021 to the recent breach of Prospect Medical Holdings in the United States, cybercriminals continue to target healthcare providers, often disrupting patient care and exposing sensitive data. These incidents have prompted closer scrutiny of the sector’s cybersecurity preparedness, and a new survey by Sophos focuses on the rising prevalence of ransomware in healthcare. Its 2024 State of Ransomware in Healthcare report finds that two-thirds of healthcare organizations were hit by ransomware in the past year, a four-year high, and raises serious concerns about recovery times, financial costs, and the role of insurance in ransom payments.
According to the report, 67% of healthcare organizations were hit by ransomware in the past year, up from 60% in 2023. This trend contrasts sharply with the decline across other industries, where the overall rate of organizations hit dropped to 59% in 2024. Healthcare now ranks among the hardest-hit sectors globally, second only to central and federal government bodies.
Sophos commissioned this independent survey of 402 healthcare organizations across 14 countries, part of a broader study of 5,000 cybersecurity and IT leaders across various industries. Our takeaways follow; the full report is available from Sophos.
Insurance and Ransom Payments
Cyber insurance plays a significant role in healthcare ransomware incidents. In 77% of cases where a ransom was paid, the insurance provider contributed to the payment, and 19% of total ransom funding came directly from insurers. Insurers were also instrumental in facilitating payments, either directly or through the incident response specialists they appointed. This reliance on insurance underscores the financial strain ransomware places on healthcare organizations, many of which lack the resources to absorb the full cost of recovery on their own.
Prolonged Recovery Times
Alongside the increase in attack rates, healthcare organizations are struggling with prolonged recovery times. Only 22% of organizations managed to fully recover within a week, a dramatic decrease from 47% in 2023 and 54% in 2022. Even more concerning, 37% of healthcare organizations took over a month to recover from a ransomware attack. John Shier, Sophos’ field CTO, noted that “cybercriminals have learned that few healthcare organizations are prepared to respond,” which explains the longer recovery times and the growing impact of these attacks on operations and patient care.
Financial Toll and Ransom Payments
The financial impact of these attacks continues to rise. The average cost of recovering from a ransomware attack in the healthcare sector has jumped to $2.57 million in 2024, up from $2.2 million in 2023 and double the cost in 2021. This figure excludes the ransom payments themselves, which have also increased in size. Sixty-five percent of healthcare organizations reported that ransom demands exceeded $1 million, and 35% faced demands of over $5 million.
Despite widespread recommendations against paying ransoms, 53% of healthcare organizations paid in 2024, an increase from 42% in 2023. In some cases, organizations paid even more than the attackers originally demanded—57% of those who paid ended up exceeding the original ransom request. Healthcare organizations are paying an average of 111% of the initial sum demanded by cybercriminals. This willingness to pay more is second only to the higher education sector, which topped the list for overpayments.
Root Causes and Entry Points
The report identifies the key vulnerabilities exploited in these attacks, with compromised credentials and unpatched vulnerabilities each responsible for 34% of ransomware incidents. Malicious emails were the root cause in 19% of cases. These findings align with global trends across sectors, where credential abuse and outdated software remain the most frequent attack vectors.
Healthcare organizations must implement strong security controls, such as multi-factor authentication (MFA) on every externally reachable login and timely patching of known-exploited vulnerabilities, to mitigate these risks. Ongoing user training to recognize phishing and other malicious emails is also critical, as healthcare remains a top target for cybercriminals.
Compromised Backups: A Devastating Trend
A major challenge for healthcare organizations hit by ransomware is the targeting of backups. Ninety-five percent of organizations reported that attackers attempted to compromise their backups, and in two-thirds of cases, those attempts were successful. This has severe consequences for organizations’ ability to recover data. When backups are compromised, organizations are more than twice as likely to pay the ransom to retrieve encrypted data (63% vs. 27%).
Data Encryption and Theft
In 74% of ransomware incidents in healthcare, data was encrypted by attackers, a rate consistent with 2023 (73%). While fewer incidents involved data theft this year—22% compared to 37% in 2023—the risk remains high. Data theft provides attackers with additional leverage to extort money and sell sensitive healthcare information on the dark web.
Involvement of Law Enforcement
Reflecting the severity of ransomware as a national security issue, almost all healthcare organizations hit by ransomware engaged with law enforcement or official government bodies. Sixty-one percent received advice on handling the attack, 59% got help investigating the incident, and 41% sought assistance in recovering encrypted data. The involvement of law enforcement underscores the growing complexity of these attacks and the need for greater cooperation between public and private sectors to mitigate the threat.
A Call for Proactive Defenses
The State of Ransomware in Healthcare 2024 report concludes with a call for healthcare organizations to adopt more proactive, human-led defenses. Sophos recommends continuous monitoring, advanced threat detection, and the use of strong foundational security measures, such as endpoint protection, email filtering, and firewalls. Furthermore, organizations should regularly test their incident response plans and practice restoring data from backups to ensure they can act swiftly in the event of an attack.
As ransomware threats continue to evolve, the healthcare sector must prioritize adaptive, forward-thinking cybersecurity strategies to safeguard sensitive patient data and maintain critical operations. With attacks increasing in frequency, severity, and financial impact, proactive defenses are no longer optional—they are essential for the survival of healthcare organizations in today’s digital landscape.