On October 22, 2024, Microsoft issued a threat trend research report entitled “US Healthcare at risk: Strengthening resilience against ransomware attacks.” In it, Microsoft declares that ransomware attacks against the healthcare sector are “emerging as one of the most significant” cybersecurity threats to healthcare organizations. The attack surface of hospitals “grows more complex” with digital operations, which heightens “their vulnerability to attacks.”

According to the report, “the healthcare/public health sector was one of the top 10 most impacted industries in the second quarter of 2024.” Further, “ransomware attacks have surged” against health care organizations “by 300% since 2015.” In 2024, “389 U.S. healthcare institutions were hit by ransomware, causing network shutdowns, offline systems, delays in critical medical procedures, and rescheduled appointments,” with one estimate “showing healthcare organizations lose up to $900,000 per day on downtime alone.” The average ransom paid by organizations surveyed was $4.4 million.

The report declares that these attacks have a “grave impact on patient care,” as ransomware attacks can “severely impact the ability to effectively treat patients.” The effect of such attacks includes “increased emergency department patient volume, longer wait times, and additional strain on resources, particularly in time-sensitive care like stroke treatment.”

The report outlines four case studies that illustrate how ransomware attacks had “far-reaching effects” on different types of healthcare organizations.

The reason healthcare organizations are getting hit so hard by ransomware attacks include the fact that they have a reputation for paying ransoms, have limited budgets for implementing security measures, have outdated legacy systems in place, and there is an expanding attack surface to try to protect. According to Microsoft, “email remains one of the largest vectors for delivering malware and phishing attacks for ransomware attacks.” The report urges the healthcare sector to adopt better cybersecurity strategies and defenses, investing in the ability to quickly restore operations following an attack, and “building a security-first workforce,” which includes robust education and training of users. Although the report outlines the same lessons we have advocated for years, the statistics this year on the rise of ransomware attacks against healthcare organizations, and that the number one way threat actors are successful in deploying ransomware is still phishing emails, should be proof enough that education and awareness should be a top priority in defending against these attacks. Spend the time and resources to develop and implement a robust cybersecurity training program and keep users apprised of the new tricks and trades of threat actors.