Why Are Ransomware Attacks Targeting Health Care Providers?

Hospitals and other health providers are under threat from criminal gangs, and finding a fix is difficult

This article was originally published on EconoFact, a non-partisan publication designed to bring key facts and incisive analysis to the national debate on economic and social policies. EconoFact is overseen by Michael Klein, a professor of international economics at The Fletcher School.

The Issue

Data breaches and cyberattacks on hospitals and other health care facilities are on the rise. Hospitals and other health care organizations are highly susceptible to cyberattacks, including ransomware and data breaches, due to their vast collections of sensitive and valuable patient information, limited resources, legacy software, and need to interface with specialized medical technologies. 

Additionally, hospitals need to resume operations as quickly as possible following an attack in order to continue caring for patients, which has meant that they often pay ransom demands, in turn encouraging more criminals to target them with similar attacks. The resulting attacks on health care systems have caused major disruptions to patient care as well as massive financial losses for health care institutions.

The Facts

Reports of costly and disruptive cyberattacks on health care facilities have been rising over the past few years. During a ransomware attack, malicious software encrypts data on a computer system, making it unusable until a decryption key is provided. Criminals will also often copy the data off the system before encrypting it and hold that stolen data hostage as well, threatening to publish it unless a ransom is paid.

Of the 16 critical infrastructure sectors tracked in the FBI’s 2023 Internet Crime Report, health care had the highest number of organizations that fell victim to ransomware attacks in 2023. The number of reported ransomware attacks directed at U.S. hospital systems nearly doubled from 2022 to 2023, indicating that cybercriminals are increasingly targeting health care institutions.

[Figure: bar chart of critical infrastructure sectors impacted by ransomware attacks. Reported ransomware attacks aimed at hospital systems nearly doubled from 2022 to 2023.]

While it is difficult to know exactly how many hospitals paid the ransoms demanded in these cases, or how much those ransoms were for, charges filed by the U.S. Department of Justice in 2023 against Russian cybercriminals indicate that hospitals paid more than $100 million in ransoms to just one group of cybercriminals.

This suggests that hospitals are perhaps more prone to making ransom payments than other types of institutions, and may therefore be more likely to be targeted by criminals who expect to be paid.

Hospital computer systems pose several significant security challenges. One is that hospitals often have limited resources and expertise to devote to cybersecurity, but this is true at many other types of organizations as well. Another critical challenge for health care institutions is that they are often forced to run software that is compatible with older equipment and systems that they rely on for patient care.

Updating operating systems or other software may break their systems’ ability to interoperate with that older equipment, so hospitals stick with older versions of software to preserve compatibility with legacy systems. This makes it harder to install security updates or upgrade hospital computer systems, leaving known, already-patched vulnerabilities exposed on the network for attackers to exploit.

Ransomware attacks can cause significant disruptions to patient care. For instance, a 2021 ransomware attack on Scripps Health in San Diego took down its electronic health records, imaging systems and telemedicine services, impacting hospital operations for four weeks. Clinicians had to revert to manual processes, including the use of paper medical records, and ambulance traffic had to be diverted to other facilities.

Adjacent hospitals that were not directly targeted by the attack were also impacted: They experienced increased emergency department and ambulance arrivals with a concomitant increase in waiting room time for patients and an almost doubling of the number of patients who left without being seen. 

Hospitals also face more dire consequences in the face of cyberattacks than many other institutions. In some cases, hospitals may have to shut down, or stop admitting new patients, forcing patients to travel further to another facility. 

In 2020, a hospital in Düsseldorf, Germany, suffered a ransomware attack and was unable to treat patients, so it sent a woman to another city for treatment, and she died while being transported to the other hospital.

In 2019, a baby born at the Springhill Medical Center in Alabama during a ransomware attack died nine months later. The mother later filed a lawsuit alleging that her child’s death was due to medical complications that resulted from the delivering doctor’s inability to access timely patient data because of an ongoing ransomware attack. 

These types of stories indicate the very high stakes that hospitals face when deciding whether or not to pay ransoms, and the reasons that they may often decide to make such payments in spite of the risk of inviting more such attacks in the future.

Health care cyberattacks can also have massive financial impacts, even when they do not directly affect patient care. For instance, in 2024 a ransomware attack on Change Healthcare, a company that provides billing and claims-processing software to health care providers, cost hospitals billions of dollars because they were unable to use the software they needed to file claims with health insurers.

These financial losses can further strain health care providers’ IT budgets and make it even more difficult for them to find resources for upgrading and updating their computer systems. Moreover, insurance coverage for cyberattacks can be difficult for hospitals to claim in cases like the Change Healthcare incident, where they are not the direct victims of the attack but are instead suffering the consequences of their vendors’, or in some cases even their vendors’ vendors’, vulnerabilities.

Beyond the general safeguards required by the HIPAA Security Rule, there are still relatively few regulations and rules that set specific security requirements for health care data, leaving most cybersecurity decisions at the discretion of individual health care providers and organizations. The Biden administration has shown some indications of wanting the Department of Health and Human Services to set baseline cybersecurity requirements for health care providers, but those efforts are still in their early stages. The administration has also requested $800 million in its proposed budget for fiscal year 2025 to help provide resources to hospitals that need to improve their cybersecurity.

What this Means

Health care institutions remain extremely vulnerable to cyberattacks due to the combination of storing large amounts of valuable information, supporting many insecure legacy systems, and needing to get their systems back up and running as quickly as possible, which makes them especially likely to make large ransom payments in response to extortion demands.

While regulators have proposed some funding and cybersecurity requirements to help hospitals improve their security postures, these efforts are still in development, and for now, criminals continue to target health care institutions with increasing frequency. 

These attacks can have massive consequences on both hospitals’ finances and patient outcomes, highlighting the need for more stringent requirements and oversight of hospital computer systems and security controls. 

Josephine Wolff is an associate professor of cybersecurity policy at The Fletcher School, associate professor of computer science in the School of Engineering, and director of the Hitachi Center for Technology and International Affairs.
