Microsoft Threat Intelligence Healthcare Ransomware Report

By: Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft.

Healthcare organizations are an increasingly attractive target for threat actors. In a new Microsoft Threat Intelligence report, “US Healthcare at Risk: Strengthening Resilience Against Ransomware Attacks,” our researchers identified that ransomware remains one of the most common and impactful cyber threats targeting organizations. The report offers a holistic view of the threat landscape facing the healthcare sector, with special attention to ransomware attacks observed in recent years. By reading the report, healthcare organizations will gain insights that help them navigate these cyber threats and understand how collective defense strategies can improve protection and increase access to relevant threat intelligence.

Read Microsoft’s new report on security trends in the healthcare sector

Before 2020, there was an unspoken rule for threat actors not to launch attacks against schools and children, infrastructure, and healthcare organizations.¹ However, that “rule” no longer applies, and over the past four years the healthcare threat landscape has seen huge changes for the worse.

To put this shift in context, consider these trends from Microsoft’s threat intelligence report showing cybersecurity challenges in the healthcare sector:

  • Healthcare is one of the 10 most attacked industries in Q2 2024² and has been for the last four quarters.
  • Ransomware attacks are costly, with healthcare organizations losing an average of $900,000 a day in downtime alone.³
  • In a recent study, of the 99 healthcare organizations that admitted to paying a ransom and disclosed the ransom paid, the average payment was $4.4 million.⁴

The serious impact of ransomware on the health sector

While the potential financial risk to healthcare organizations is high, lives are also at stake, because ransomware attacks affect patient outcomes. If healthcare providers cannot use diagnostic equipment or access patients’ medical records because they are being held for ransom, care will be disrupted.

Healthcare facilities located near hospitals that are hit by ransomware are also affected, because they see an increase in patients needing care and cannot attend to them with the urgency required. As a result, patients may experience longer wait times, which studies show could lead to more severe cases of stroke and heart attack.⁵

These attacks do not only affect facilities in large cities; rural health clinics are also targets of cyberattacks. They are particularly vulnerable to ransomware incidents because they often have limited means to prevent and remediate security risks. This can be devastating to a community, as these hospitals are often the only healthcare option for many miles in the communities they serve.

Why healthcare is an attractive target for threat actors

Healthcare organizations collect and store extremely sensitive data, which may contribute to threat actors targeting them for ransomware attacks. However, a more important reason these facilities are at risk is the possibility of huge financial payouts. As mentioned before, lives are at stake, and healthcare facilities committed to patient care cannot risk poor patient outcomes if their systems are taken down. They also cannot risk having their patients’ data exposed if they do not pay the ransom. That reputation for paying ransoms, however understandable the reasons, makes them a target.

Healthcare facilities are also targeted because, compared to other sectors, they have limited security resources and cybersecurity investments to defend against these threats. Facilities often lack dedicated cybersecurity staff, and some do not have a chief information security officer (CISO) or a dedicated security operations center. Instead, the IT department may be tasked with managing cybersecurity. Doctors, nurses, and healthcare staff may not have received any cybersecurity training or know the signs to look for to identify a phishing email.

How cybercriminals attack healthcare organizations

Financially motivated cybercriminals are using an increasingly powerful set of ransomware tactics against healthcare organizations. A common approach involves two steps. First, they gain access to an organization’s network, often using social engineering tactics through a phishing email or text message. They then use that access to deploy ransomware to encrypt and lock healthcare systems and data so they can demand a ransom for their release.

“Once ransomware is deployed, attackers typically move quickly to encrypt critical systems and data, often within hours,” said Jack Mott of Microsoft Threat Intelligence in Microsoft’s ransomware report. “They target essential infrastructure, such as patient records, diagnostic systems, and even billing operations, to maximize the impact and pressure on healthcare organizations to pay the ransom.”

Social engineering tactics often involve persuading the email recipient to act in ways they usually would not, such as clicking on an unknown link, by playing on urgency, emotion, and habit. Social engineering fraud is a serious problem. This fiscal year alone, a staggering 389 healthcare institutions in the United States were victims of ransomware attacks, according to Microsoft’s 2024 Digital Defense Report.⁶ The aftermath was severe, resulting in network shutdowns, offline systems, delays in critical medical operations, and rescheduled appointments.

Another common approach is ransomware as a service (RaaS), a cybercrime business model that has begun to gain popularity. The RaaS model is an agreement between an operator, who develops extortion tools, and an affiliate, who deploys ransomware. Both sides benefit from a successful ransomware and extortion attack, and it has “democratized access to sophisticated ransomware tools,” Mott said. This model allows cybercriminals without the means to develop their own tools to launch their nefarious activities. Sometimes they simply buy network access from a cybercriminal group that has already breached a network. RaaS significantly expands the risk for healthcare organizations, making ransomware more accessible and prevalent.

Cybercrime tactics continue to grow in sophistication. Microsoft continually monitors the latest cybercrime threats to support our customers and increase awareness across the global community. These threats include actions by the Vanilla Tempest and Sangria Tempest threat actor groups, which are known for their financially motivated criminal activities.

Take a collective defense approach to increase your cyber resilience and visibility

We recognize that not all organizations have a robust cybersecurity team or even the resources to enable a cybersecurity resilience strategy. That’s why it’s important that we, as a community, come together and share best practices, tools and guidance. We encourage your organization to collaborate with regional, national and global healthcare organizations, such as Health-ISAC (Information Sharing and Analysis Centers). Health-ISAC provides healthcare organizations with platforms to exchange threat information. Health-ISAC Chief Security Officer Errol Weiss says these organizations are like “virtual neighborhood watch programs,” sharing threat experiences and defense strategies.

It is also important to foster a safety-first mindset among healthcare personnel. Dr. Christian Dameff and Dr. Jeff Tully, co-directors of the Center for Healthcare Cybersecurity at the University of California, San Diego, emphasize that it is key to break down silos between IT security teams, emergency managers and clinical staff to develop cohesive incident response plans. They also recommend running high-fidelity clinical simulations that expose doctors and nurses to real-world cyberattack scenarios.

For rural hospitals providing critical services to the communities they serve in the US, Microsoft created the Microsoft Cybersecurity Program for Rural Hospitals, which provides affordable access to Microsoft security solutions, builds cybersecurity capacity and helps solve fundamental challenges through innovation.

For healthcare organizations that have the resources, as part of this report, we provide guidance on how to:

  • Establish a solid governance framework.
  • Create an incident detection and response plan. Then, be prepared to execute it efficiently during a real attack to minimize damage and ensure quick recovery.
  • Implement continuous monitoring and real-time detection capabilities.
  • Educate your organization through our #BeCyberSmart cybersecurity education and awareness kit.
  • Leverage resilience strategies found in the report.

Given the serious cyber threats against healthcare organizations, it is critical to protect your assets by understanding the situation and taking steps to prevent attacks. For more details on the current landscape of healthcare cyber threats and ransomware threats, and for more detailed guidance on how to increase resilience, read the report “US Healthcare at Risk: Strengthening Resilience Against Ransomware Attacks” and watch our healthcare threat intelligence briefing video, included in the report. To stay up to date on the latest threat intelligence information and get actionable guidance for your security efforts, bookmark Microsoft Security Insider.

Learn more

To learn more about Microsoft security solutions, visit our website. Bookmark the Security blog to stay up to date with our expert coverage of security issues. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest cybersecurity news and updates.

¹ How to protect your networks from ransomware, justice.gov.

² Threat Landscape: Healthcare and Public Health, April 2024. Microsoft Threat Intelligence.

³ On average, healthcare organizations lose $900,000 per day due to downtime from ransomware attacks, Comparitech. March 6, 2024.

⁴ Ransomware attacks in the healthcare sector continue to increase in number and severity, The HIPAA Journal. September 2024.

⁵ Ransomware attack associated with disruptions to adjacent emergency departments in the US, JAMA Network. May 8, 2023.

⁶ Microsoft Digital Defense Report 2024.
