On October 22, 2024, Microsoft issued a threat trend research report entitled “US Healthcare at risk: Strengthening resilience against ransomware attacks.” In it, Microsoft declares that ransomware attacks against the healthcare sector are “emerging as one of the most significant” cybersecurity threats to healthcare organizations. The attack surface of hospitals “grows more complex” with digital operations, which heightens “their vulnerability to attacks.”

According to the report, “the healthcare/public health sector was one of the top 10 most impacted industries in the second quarter of 2024.” Further, “ransomware attacks have surged” against health care organizations “by 300% since 2015.” In 2024, “389 U.S. healthcare institutions were hit by ransomware, causing network shutdowns, offline systems, delays in critical medical procedures, and rescheduled appointments,” with one estimate “showing healthcare organizations lose up to $900,000 per day on downtime alone.” The average ransom paid by organizations surveyed was $4.4 million.

The report declares that these attacks have a “grave impact on patient care,” as ransomware attacks can “severely impact the ability to effectively treat patients.” The effect of such attacks includes “increased emergency department patient volume, longer wait times, and additional strain on resources, particularly in time-sensitive care like stroke treatment.”

The report outlines four case studies that illustrate how ransomware attacks had “far-reaching effects” on different types of healthcare organizations.

The reasons healthcare organizations are getting hit so hard by ransomware attacks include their reputation for paying ransoms, limited budgets for implementing security measures, outdated legacy systems still in place, and an expanding attack surface to protect. According to Microsoft, “email remains one of the largest vectors for delivering malware and phishing attacks for ransomware attacks.” The report urges the healthcare sector to adopt better cybersecurity strategies and defenses, to invest in the ability to quickly restore operations following an attack, and to focus on “building a security-first workforce,” which includes robust education and training of users. Although the report outlines the same lessons we have advocated for years, this year’s statistics on the rise of ransomware attacks against healthcare organizations, and the fact that the number one way threat actors succeed in deploying ransomware is still phishing emails, should be proof enough that education and awareness should be a top priority in defending against these attacks. Spend the time and resources to develop and implement a robust cybersecurity training program, and keep users apprised of the latest tricks of the trade used by threat actors.

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.