Trace Id is missing

US Healthcare at risk: Strengthening resiliency against ransomware attacks

A group of medical professionals looking at a tablet

The healthcare sector faces a rapidly increasing range of cybersecurity threats, with ransomware attacks emerging as one of the most significant. A combination of valuable patient data, interconnected medical devices, and small IT/cybersecurity operations staff, which spreads resources thin, can make healthcare organizations prime targets for threat actors. As healthcare operations become increasingly digitized—ranging from electronic health records (EHR) to telemedicine platforms and networked medical devices—the attack surface of hospitals grows more complex, further heightening their vulnerability to attacks.

The following sections provide an overview of the current cybersecurity landscape in healthcare, highlighting the industry’s status as a major target, the growing frequency of ransomware attacks, and the severe financial and patient care consequences these threats are imposing.

A video discussion led by Sherrod DeGrippo, Director of Threat Intelligence Strategy for Microsoft, further explores these critical issues, offering insights from experts on threat actors, recovery strategies, and healthcare vulnerabilities.

The Microsoft Threat Intelligence Briefing: Healthcare

Sherrod DeGrippo, Director of Threat Intelligence Strategy for Microsoft Threat Intelligence, leads a lively roundtable discussion with threat intelligence and healthcare security experts who examine what makes healthcare uniquely susceptible to ransomware attacks, what tactics threat actor groups are using, how to stay resilient, and more.
  • According to Microsoft Threat Intelligence, the healthcare/public health sector was one of the top 10 most impacted industries in the second quarter of 2024.1
  • Ransomware-as-a-service (RaaS) has lowered entry barriers for attackers lacking technical expertise, while Russia provides a safe harbor for ransomware groups. As a result, ransomware attacks have surged by 300% since 2015.2
  • This fiscal year, 389 U.S. healthcare institutions were hit by ransomware, causing network shutdowns, offline systems, delays in critical medical procedures, and rescheduled appointments3. The attacks are costly, with one industry report showing healthcare organizations lose up to USD$900,000 per day on downtime alone.4
  • Out of the 99 healthcare organizations that admitted to paying the ransom and disclosed the ransom paid, the median payment was USD$1.5 million, and the average payment was USD$4.4 million.5

Grave impact on patient care

The disruption to healthcare operations caused by a ransomware attack can severely impact the ability to effectively treat patients—not only at affected hospitals, but also at those in nearby areas, which absorb displaced emergency department patient volume.6

Consider the findings from a recent study showing how a ransomware attack against four hospitals (two attacked and two unaffected) led to increased emergency department patient volume, longer wait times, and additional strain on resources, particularly in time-sensitive care like stroke treatment, in two unaffected neighboring hospitals.7
Rise in stroke cases: The ransomware attack put a significant strain on the overall healthcare ecosystem as the unaffected hospitals had to absorb patients from the affected hospitals. Stroke code activations at the nearby hospitals nearly doubled, from 59 to 103, while confirmed strokes rose by 113.6%, increasing from 22 to 47 cases.
Increase in cardiac arrests: The attack stressed the healthcare system as cardiac arrest cases at the unaffected hospital surged from 21 to 38, an 81% increase. This reflects the cascading impact of one facility’s compromise, forcing nearby hospitals to handle more critical cases.
Decline in survival with favorable neurological outcomes: The survival rate for out-of-hospital cardiac arrests with favorable neurological outcomes dropped drastically for the unaffected hospitals during the attack, falling from 40% pre-attack to 4.5% during the attack phase.
Ambulance arrival increases: There was a 35.2% increase in emergency medical services (EMS) arrivals at “unaffected” hospitals during the attack phase, suggesting a significant diversion of ambulance traffic due to the ransomware-induced disruption at the affected hospitals.
Patient volume surges: Because the attack compromised four area hospitals (two attacked and two unaffected), emergency departments (EDs) at unaffected hospitals experienced a significant influx of patients. The daily census at these unaffected hospitals increased by 15.1% during the attack phase compared with the pre-attack phase.
Additional disruptions in care: During the attacks, the unaffected hospitals had notable increases in patients leaving without being seen, waiting room times, and total length of stay for admitted patients. For instance, the median waiting room time increased from 21 minutes pre-attack to 31 minutes during the attack.

Ransomware case studies

Ransomware attacks in healthcare can have devastating consequences, not only for the targeted organizations but also for patient care and operational stability. The following case studies illustrate the far-reaching effects of ransomware on different types of healthcare organizations, from large hospital systems to small rural providers, highlighting the various ways attackers infiltrate networks and the resulting disruptions to essential healthcare services.
  • Attackers used compromised credentials to access the network via a vulnerable remote access gateway without multifactor authentication. They encrypted critical infrastructure and exfiltrated sensitive data in a double extortion scheme, threatening to release it unless a ransom was paid.

    Impact:
    The attack caused disruptions, preventing 80% of healthcare providers and pharmacies from verifying insurance or processing claims. 
  • Attackers exploited a vulnerability in the hospital’s unpatched legacy software, moving laterally to compromise patient scheduling and medical records. Using a double extortion tactic, they exfiltrated sensitive data and threatened to release it unless a ransom was paid.

    Impact: The attack disrupted operations, causing canceled appointments, delayed surgeries, and a shift to manual processes, straining staff and delaying care. 
  • Attackers used phishing emails to access the hospital network and exploited unpatched vulnerabilities to deploy ransomware, encrypting EHR and patient care systems. In a double extortion tactic, they exfiltrated sensitive patient and financial data, threatening to leak it if the ransom wasn’t paid. 

    Impact:
    The attack disrupted four hospitals and 30+ clinics, delaying treatments and diverting emergency patients, with data exposure concerns. 
  • In February 2021, a ransomware attack crippled a 44-bed rural hospital’s computer systems, forcing manual operations for three months and severely delaying insurance claims.

    Impact:
    The hospital's inability to collect timely payments led to financial distress, leaving the local rural community without critical healthcare services. 

The American healthcare sector presents an attractive target for financially motivated cybercriminals due to its broad attack surface, legacy systems, and inconsistent security protocols. The combination of healthcare's reliance on digital technologies, its sensitive data, and the resource constraints many organizations face—often due to razor-thin margins—can limit their ability to invest fully in cybersecurity, making them especially vulnerable. Additionally, healthcare organizations prioritize patient care at all costs, which can lead to a willingness to pay ransoms to avoid disruptions.

A reputation for paying ransoms

Part of the reason ransomware has become such a pronounced problem for healthcare is the sector's track record of making ransom payments. Healthcare organizations prioritize patient care above all else, and if they must pay millions of dollars to avoid disruptions, they are often willing to do so.

In fact, according to a recent report based on a survey of 402 healthcare organizations, 67% experienced a ransomware attack in the past year. Among these organizations, 53% admitted to paying ransoms in 2024, up from 42% in 2023. The report also highlights the financial impact, with the average admitted ransom payment amounting to USD$4.4 million.12

Limited security resources and investment

Another significant challenge is the limited budgets and resources for cybersecurity across the healthcare sector. According to the recent Healthcare Cybersecurity Needs a Check-Up report13 by CSC 2.0 (a group continuing the work of the congressionally mandated Cyberspace Solarium Commission), "because budgets are tight and providers must prioritize spending on core patient services, cybersecurity has often been underfunded, leaving healthcare organizations more vulnerable to attack."

Further, despite the severity of the problem, healthcare providers are not investing enough in cybersecurity. Due to a range of complex factors, including an indirect payment model that often leads to prioritizing immediate clinical needs over less visible investments like cybersecurity, healthcare has significantly underinvested in cybersecurity over the past two decades.10

Also, the Health Insurance Portability and Accountability Act (HIPAA) has led to prioritizing investments in data confidentiality, often leaving data integrity and availability as secondary concerns. This approach can result in reduced focus on organizational resilience, particularly in lowering Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

Legacy systems and infrastructure vulnerabilities

One result of underinvesting in cybersecurity is a reliance on outdated, difficult-to-update legacy systems that have become prime targets for exploitation. Additionally, the use of disparate technologies creates a patchwork infrastructure with gaps in security, increasing the risk of attacks.

This vulnerable infrastructure is made even more complex by the healthcare industry’s recent trend toward consolidation. Hospital mergers, which are on the rise (up 23% over 2022 and at the highest levels since 202014), create organizations with complex infrastructures spread across multiple locations. Without sufficient investment in cybersecurity, these infrastructures become highly vulnerable to attack.

Expanding attack surface

While clinically integrated care networks of connected devices and medical technologies help improve patient outcomes and save lives, they have also broadened the digital attack surface—something threat actors are increasingly exploiting.

Hospitals are more online than ever, connecting critical medical devices such as CT scanners, patient monitoring systems, and infusion pumps to networks but not always having the level of visibility required to identify and mitigate vulnerabilities that can severely impact patient care.

Doctors Christian Dameff and Jeff Tully, Co-Directors and Co-Founders of the University of California San Diego Center for Healthcare Cybersecurity, note that, on average, 70% of a hospital’s endpoints are not computers but rather devices.   
A hospital room with medical equipment, a white drawer, and a blue curtain.

Healthcare organizations also transmit vast amounts of data. According to data from the Office of the National Coordinator for Health IT, more than 88% of hospitals report electronically sending and obtaining patient health information and more than 60% report integrating that information into their electronic health records (EHRs).15

Small, rural providers face unique challenges

Rural critical access hospitals are particularly vulnerable to ransomware incidents because they often have limited means to prevent and remediate security risks. This can be devastating for a community as these hospitals are often the only healthcare option for many miles in the communities they serve.

According to Dameff and Tully, rural hospitals typically lack the same level of cybersecurity infrastructure or expertise as their larger, urban counterparts. They also note that many of these hospitals' business continuity plans may be outdated or inadequate in addressing modern cyber threats like ransomware.

Many small or rural hospitals face significant financial constraints, operating on very slim profit margins. This financial reality makes it challenging for them to invest in robust cybersecurity measures. Often, these facilities rely on a single IT generalist—someone who is proficient in managing everyday technical issues but lacks specialized knowledge in cybersecurity.

A report from the Department of Health and Human Services Health Care Industry Cybersecurity Task Force, created as part of the Cybersecurity Act of 2015, highlights that a significant proportion of rural critical access hospitals lack a full-time hire focused on cybersecurity, underscoring the broader resource challenges faced by smaller healthcare providers.

“These IT generalists, often just someone proficient in network and computer management, are used to dealing with things like, ‘I can’t print, I can’t log in, what’s my password?’” Dameff explains. “They’re not cybersecurity experts. They don’t have the staff, they don’t have the budget, and they don’t even know where to start.”

A cybercriminal’s attack process typically follows a two-step approach: gaining initial access to the network, often through phishing or exploiting vulnerabilities, followed by the deployment of ransomware to encrypt critical systems and data. The evolution of these tactics, including the use of legitimate tools and the proliferation of RaaS, has made attacks more accessible and frequent.

The initial stage of a ransomware attack: Gaining access to the healthcare network

Jack Mott, who previously led a team focused on enterprise email threat intelligence and detection engineering at Microsoft, indicates that, "Email remains one of the largest vectors for delivering malware and phishing attacks for ransomware attacks.”16

In a Microsoft Threat Intelligence analysis of 13 hospital systems representing multiple operations, including rural hospitals, 93% of the malicious cyber activity observed was related to phishing campaigns and ransomware, with most activity represented by email-based threats.17
"Email remains one of the largest vectors for delivering malware and phishing attacks for ransomware attacks."
Jack Mott 
Microsoft Threat Intelligence

Campaigns directed at healthcare organizations frequently use highly specific lures. Mott highlights, for example, how threat actors craft emails with healthcare-specific jargon, such as references to autopsy reports, to increase their credibility and successfully deceive healthcare professionals. 

Social engineering tactics like these, especially in high-pressure environments such as healthcare, exploit the urgency often felt by healthcare workers, leading to potential security lapses. 

Mott also notes that attackers are becoming increasingly sophisticated in their methods, often using "real names, legitimate services, and tools commonly used in IT departments (e.g., remote management tools)" to evade detection. These tactics make it challenging for security systems to differentiate between malicious and legitimate activity. 

Microsoft Threat Intelligence data also shows that attackers are often exploiting known vulnerabilities in the organization’s software or systems that have been identified in the past. These Common Vulnerabilities and Exposures (CVEs), are well-documented, have patches or fixes available, and attackers often target these older vulnerabilities because they know that many organizations have not yet addressed these weaknesses.18 

After gaining initial access, attackers often conduct network reconnaissance, which can be identified by indicators such as unusual scanning activity. These actions help threat actors map out the network, identify critical systems, and prepare for the next phase of the attack: the deployment of ransomware.

The final stage of a ransomware attack: Deploying ransomware to encrypt critical systems

Once initial access is gained, typically through phishing or malware delivered via email, threat actors move to the second phase: the deployment of ransomware.

Jack Mott explains that the rise of RaaS models has significantly contributed to the increased frequency of ransomware attacks in the healthcare sector. "RaaS platforms have democratized access to sophisticated ransomware tools, allowing even those with minimal technical skills to launch highly effective attacks," Mott notes. This model lowers the barrier to entry for attackers, making ransomware attacks more accessible and efficient.
"RaaS platforms have democratized access to sophisticated ransomware tools, allowing even those with minimal technical skills to launch highly effective attacks.” 
Jack Mott 
Microsoft Threat Intelligence

Mott further elaborates on how RaaS operates, stating, "These platforms often include a comprehensive suite of tools, including encryption software, payment processing, and even customer service for negotiating ransom payments. This turnkey approach enables a wider range of threat actors to execute ransomware campaigns, leading to an uptick in the number and severity of attacks."

Additionally, Mott highlights the coordinated nature of these attacks, emphasizing that "Once ransomware is deployed, attackers typically move quickly to encrypt critical systems and data, often within a matter of hours. They target essential infrastructure, such as patient records, diagnostic systems, and even billing operations, to maximize the impact and pressure on healthcare organizations to pay the ransom."

Ransomware attacks in healthcare: A profile of major threat actor groups

Ransomware attacks in the healthcare sector are often carried out by highly organized and specialized threat actor groups. These groups, which include both financially motivated cybercriminals and sophisticated nation-state threat actors, employ advanced tools and strategies to infiltrate networks, encrypt data, and demand ransoms from organizations.

Among these threat actors, government-sponsored hackers from authoritarian nations have reportedly used ransomware and even collaborated with ransomware groups for espionage purposes. For example, Chinese government threat actors are suspected of increasingly using ransomware as a cover for espionage activity.19

Iranian threat actors appear to be the most active in targeting healthcare organizations in 2024.20 In fact, in August 2024, the US Government issued a warning to the health sector about an Iran-based threat actor known as Lemon Sandstorm. This group was “leveraging unauthorized network access to US organizations, including health care organizations, to facilitate, execute and profit from future ransomware attacks by apparently Russian-affiliated ransomware gangs.”21

The following profiles provide insights into some of the most notorious financially motivated ransomware groups targeting healthcare, detailing their methods, motivations, and the impact of their activities on the industry.
  • Lace Tempest is a prolific ransomware group targeting healthcare. Using a RaaS model, they enable affiliates to easily deploy ransomware. The group is linked to high-impact attacks on hospital systems, encrypting critical patient data and demanding ransom. Known for double extortion, they not only encrypt data but also exfiltrate it, threatening to leak sensitive information if the ransom isn’t paid.
  • Sangria Tempest is notorious for advanced ransomware attacks on healthcare organizations. Using sophisticated encryption, they make data recovery nearly impossible without paying a ransom. They also use double extortion, exfiltrating patient data and threatening to leak it. Their attacks cause widespread operational disruptions, forcing healthcare systems to divert resources, which negatively impacts patient care.
  • Cadenza Tempest known for distributed denial-of-services (DDoS) attacks, has increasingly shifted to healthcare ransomware operations. Identified as a pro-Russian hacktivist group, they target healthcare systems in regions hostile to Russian interests. Their attacks overwhelm hospital systems, disrupting critical operations and creating chaos, especially when combined with ransomware campaigns.
  • Active since July 2022, the financially motivated group Vanilla Tempest has recently begun using INC ransomware procured through RaaS providers to target US healthcare. They exploit vulnerabilities, use custom scripts, and leverage standard Windows tools to steal credentials, move laterally, and deploy ransomware. The group also employs double extortion, demanding ransom to unlock systems and prevent the release of stolen data.

In the face of increasingly sophisticated ransomware attacks, healthcare organizations must adopt a multifaceted approach to cybersecurity. They must be prepared to withstand, respond to, and recover from cyber incidents while maintaining the continuity of patient care.

The following guidance provides a comprehensive framework to enhance resilience, ensure swift recovery, foster a security-first workforce, and promote collaboration across the healthcare sector.

Governance: Ensuring preparedness and resilience

A building with many windows under a blue sky with clouds

Effective governance in healthcare cybersecurity is essential for preparing for and responding to ransomware attacks. Dameff and Tully from the UC San Diego Center for Healthcare Cybersecurity recommend establishing a robust governance framework with clear roles, regular training, and cross-disciplinary collaboration. This helps healthcare organizations enhance their resilience against ransomware attacks and ensure the continuity of patient care, even in the face of significant disruptions.

A key aspect of this framework involves breaking down silos between clinical staff, IT security teams, and emergency management professionals to develop cohesive incident response plans. This cross-department collaboration is vital for maintaining patient safety and care quality when technology systems are compromised.

Dameff and Tully also highlight the necessity of having a dedicated governance body or council that regularly meets to review and update incident response plans. They recommend empowering these governance bodies to test response plans through realistic simulations and drills, ensuring all staff, including younger clinicians who may not be familiar with paper records, are prepared to operate effectively without digital tools.

Furthermore, Dameff and Tully stress the importance of external collaboration. They advocate for regional and national frameworks that allow hospitals to support one another during large-scale incidents, echoing the need for a "strategic national stockpile" of technology that can temporarily replace compromised systems.

Resilience and strategic responses

Resilience in healthcare cybersecurity goes beyond simply protecting data—it involves ensuring that entire systems can withstand and recover from attacks. A comprehensive approach to resilience is essential, focusing not only on safeguarding patient data but also on reinforcing the entire infrastructure that supports healthcare operations. This includes the whole system—network, supply chain, medical devices, and more.

Adopting a defense-in-depth strategy is critical in creating a layered security posture that can effectively thwart ransomware attacks.

Adopting a defense-in-depth strategy is critical in creating a layered security posture that can effectively thwart ransomware attacks. This strategy involves securing every layer of the healthcare infrastructure—from the network to the endpoints to the cloud. By ensuring that multiple layers of defense are in place, healthcare organizations can reduce the risk of a successful ransomware attack.

As part of this layered approach for Microsoft customers, Microsoft Threat Intelligence teams actively monitor for adversary behavior. When such activity is detected, a direct notification is provided.

This is not a paid or tiered service—businesses of all sizes receive the same attention. The aim is to promptly provide an alert when potential threats, including ransomware, are detected and assist in taking steps to protect the organization.

In addition to implementing these defense layers, it is crucial to have an effective incident response and detection plan. Having a plan is not enough; healthcare organizations must be prepared to execute it efficiently during an actual attack to minimize damage and ensure a quick recovery.

Finally, continuous monitoring and real-time detection capabilities are essential components of a robust incident response framework, ensuring that potential threats can be identified and addressed promptly.

For further information on cyber resiliency in healthcare, the Department of Health and Human Services (HHS) published voluntary healthcare specific Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize implementation of high-impact cybersecurity practices.

Created through a collaborative public/private partnership process, using common industry cybersecurity frameworks, guidelines, best practices, and strategies, the CPGs comprise a subset of cybersecurity practices healthcare organizations can use to strengthen cyber preparedness, improve cyber resiliency, and protect patient health information and safety.

Steps to quickly restore operations and strengthen security post-attack

Recovering from a ransomware attack requires a systematic approach to ensure a swift return to normal operations while preventing future incidents. Below are actionable steps to help assess the damage, restore affected systems, and reinforce security measures. By following these guidelines, healthcare organizations can help mitigate the impact of an attack and strengthen their defenses against future threats.
Assess the impact and contain the attack

Isolate affected systems immediately to prevent further spread.
Restore from known good backups

Ensure clean backups are available and verified before restoring operations. Maintain offline backups to avoid ransomware encryption.
Rebuild systems

Consider rebuilding compromised systems instead of patching, to eliminate any lingering malware. Utilize the Microsoft Incident Response team’s guidance on securely rebuilding systems. 
Reinforce security controls post-attack

Strengthen security posture post-attack by addressing vulnerabilities, patching systems, and enhancing endpoint detection tools.
Conduct a post-incident review

Working with an outside security vendor, analyze the attack to identify weak points and improve defenses for future incidents.

Building a security-first workforce

A man and woman looking at a woman's face.

Creating a security-first workforce requires ongoing collaboration across disciplines.

Creating a security-first workforce requires ongoing collaboration across disciplines. It's important to break down silos between IT security teams, emergency managers, and clinical staff to develop cohesive incident response plans. Without this collaboration, the rest of the hospital may not be adequately prepared to respond effectively during a cyber incident.

Education and awareness

Effective training and a strong reporting culture are essential components of a healthcare organization's defense against ransomware. Given that healthcare professionals often prioritize patient care, they may not always be as mindful of cybersecurity, which can make them more susceptible to cyber threats.

To address this, continuous training must include cybersecurity basics, such as how to spot phishing emails, avoid clicking suspicious links, and recognize common social engineering tactics.

Microsoft’s Cybersecurity Awareness resources can help with this.

"Encouraging staff to report security issues without fear of blame is key," explains Microsoft’s Mott. "The sooner you can report something, the better. If it's benign, that's the best-case scenario."

Regular drills and simulations should also mimic real-world attacks like phishing or ransomware, helping staff practice their response in a controlled environment.

Information sharing, collaboration, and collective defense

Because ransomware attacks are generally increasing in frequency (Microsoft observes a 2.75 increase year over increase among our customers16), a collective defense strategy becomes essential. Collaboration—between internal teams, regional partners, and broader national/global networks—is crucial for securing healthcare operations and patient safety.

Bringing these groups together to design and implement comprehensive incident response plans can prevent operational chaos during attacks.

Dameff and Tully underscore the importance of uniting internal teams, such as doctors, emergency managers, and IT security staff, who often work in isolation. Bringing these groups together to design and implement comprehensive incident response plans can prevent operational chaos during attacks.

At the regional level, healthcare organizations should forge partnerships that allow healthcare facilities to share capacity and resources, ensuring that patient care continues even when some hospitals are affected by ransomware. This form of collective defense can also help manage patient overflow and distribute the burden across healthcare providers.

Beyond regional collaboration, national and global information-sharing networks are pivotal. ISACs (Information Sharing and Analysis Centers), such as Health-ISAC, serve as platforms for healthcare organizations to exchange vital threat intelligence. Errol Weiss, Chief Security Officer at Health-ISAC, compares these organizations to "virtual neighborhood watch programs," where member organizations can quickly share details about attacks and proven mitigation techniques. This intelligence-sharing helps others prepare for or eliminate similar threats, strengthening collective defense on a larger scale.

  1. [1]
    Microsoft internal threat intelligence data, Q2, 2024
  2. [2]
    (Executive Summary for CISOs: Current and Emerging Healthcare Cyber Threat Landscape; Health-ISAC and the American Hospital Association (AHA))  
    (https://go.microsoft.com/fwlink/?linkid=2293307)
  3. [6]
    Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients; https://go.microsoft.com/fwlink/?linkid=2292916
  4. [9]
    Ascension Ransomware Attack Hurts Financial Recovery,” The HIPPA Journal, Sep 20, 2024
  5. [17]
    Microsoft Threat Intelligence telemetry, 2024
  6. [20]
    Microsoft Threat Intelligence data on Healthcare Sector cyber threats, 2024

More from Security

Cyber Resilience Hygiene Guide

Basic cyber hygiene remains the best way to defend an organization’s identities, devices, data, apps, infrastructure, and networks against 98% of all cyber threats. Discover practical tips in a comprehensive guide.

Inside the fight against hackers who disrupted hospitals and jeopardized lives

Learn about the latest emerging threats from Microsoft threat data and research. Get analysis on trends and actionable guidance to strengthen your first line of defense.

Feeding from the trust economy: social engineering fraud

Explore an evolving digital landscape where trust is both a currency and a vulnerability. Discover the social engineering fraud tactics cyber attackers use most, and review strategies that can help you identify and outmaneuver social engineering threats designed to manipulate human nature.

Follow Microsoft Security