Healthcare organizations are becoming increasingly attractive targets for threat actors. In a new Microsoft Threat Intelligence report, “The U.S. Healthcare Crisis: Strengthening Resilience to Ransomware Attacks,” our researchers find that ransomware is one of the most common and impactful cyber threats targeting organizations. This report provides a complete picture of the healthcare threat landscape, with a particular focus on ransomware attacks observed in recent years. By reading this report, healthcare organizations can gain insights to help address these cyber threats and learn how collective defense strategies can strengthen protection and increase access to relevant threat intelligence.
Before 2020, there was an unspoken rule for threat actors not to launch attacks against schools, children, infrastructure, or healthcare facilities. However, that “rule” no longer applies, and in the past four years the healthcare threat landscape has changed significantly for the worse.
To put this change in context, consider the following trends from the Microsoft Threat Intelligence report that illustrate the challenges of healthcare cybersecurity.
Healthcare was one of the top 10 most targeted industries in the second quarter of 2024 and has remained so for the past four quarters.
Ransomware attacks are costly: healthcare organizations lose an average of $900,000 per day in downtime alone. 3
In a recent study of the 99 healthcare organizations that acknowledged paying ransoms and disclosed the amounts they paid, the average amount paid was $4.4 million. 4
The serious impact of ransomware on healthcare
The potential financial risks for healthcare organizations are high, but lives are at stake as ransomware attacks impact patient outcomes. Treatment is disrupted when healthcare providers are unable to use diagnostic equipment or access patient medical records due to ransom demands.
Healthcare facilities located near ransomware-affected hospitals are also affected as they are unable to respond quickly to the surge in patients needing treatment. As a result, patients have to wait longer, which can lead to more severe strokes and heart attacks, research has shown. 5
These attacks don't just affect facilities in large cities. In fact, rural clinics are also targets of cyberattacks. They are especially vulnerable to ransomware incidents because they often have limited means to prevent and remediate security risks. This can be devastating for communities, as these hospitals are often the only healthcare option for many miles in the communities they serve.
Why healthcare is an attractive target for threat actors
Healthcare organizations collect and store highly sensitive data, making them a potential target for attackers in ransomware attacks. But the more important reason these facilities are at risk is the potential for huge financial payouts. As mentioned previously, lives are at stake and healthcare facilities dedicated to patient care cannot risk worsening patient outcomes if their systems go down. Nor can they risk patient data being exposed if a ransom is not paid. Their reputation for paying ransoms makes them a target for obvious reasons.
Healthcare facilities are also targeted because, compared to other sectors, they have limited security resources and investments in cybersecurity to protect against these threats. Facilities often lack dedicated cybersecurity staff, and some don't have a chief information security officer (CISO) or a dedicated security operations center at all. Instead, the IT department may be responsible for managing cybersecurity. Doctors, nurses, and medical staff may not have cybersecurity training or know the signs to look for to identify phishing emails.
How cybercriminals target medical institutions
Financially motivated cybercriminals are using an ever-evolving array of ransomware tactics against healthcare organizations. The general approach involves two steps. First, they use social engineering tactics through phishing emails and text messages to gain access to an organization's network. They then use that access to deploy ransomware, encrypting and locking up medical systems and data and demanding a ransom for release.
“Once ransomware is deployed, attackers typically encrypt critical systems and data quickly, often within hours,” Microsoft Threat Intelligence's Jacques Mott wrote in the Microsoft Ransomware Report. “They target critical infrastructure such as patient records, diagnostic systems, and even billing operations to maximize impact and pressure on healthcare providers to pay the ransom.”
Social engineering tactics often involve coaxing email recipients to take actions they would not normally take, such as clicking on unknown links, by using tactics based on urgency, emotion, or habit. Social engineering fraud is a serious problem. According to the 2024 Microsoft Digital Defense Report, 389 healthcare organizations nationwide fell victim to ransomware attacks this year alone. 6 The fallout was severe, shutting down networks, taking systems offline, and delaying and rescheduling critical medical operations.
Another common approach is ransomware-as-a-service (RaaS), an increasingly popular cybercrime business model. The RaaS model is an agreement between an operator developing extortion tools and an affiliate company deploying ransomware. Mott said successful ransomware and extortion attacks both benefit from “democratized access to advanced ransomware tools.” This model allows cybercriminals to launch their nefarious operations without having the means to develop their own tools. In some cases, they may simply purchase network access from a cybercrime group that has already infiltrated the network. RaaS greatly expands the risk to healthcare organizations, making ransomware more accessible and more frequent.
Cybercriminal methods are becoming increasingly sophisticated. Microsoft continuously tracks the latest cybercrime threats to support our customers and increase knowledge across our global community. These threats include activity by Vanilla Tempest and Sangria Tempest, threat actor groups known for financially motivated criminal activity.
Adopt a collective defense approach to enhance cyber resiliency and visibility
We recognize that not every organization has a strong cybersecurity team or even the resources to implement a cybersecurity resiliency strategy. That's why it's important that we come together as a community and share best practices, tools, and guidance. We encourage your organization to collaborate with regional, national, and global health organizations such as Health-ISAC (Information Sharing and Analysis Center). Health-ISAC provides healthcare organizations with a platform to exchange threat intelligence. Errol Weiss, chief security officer at Health-ISAC, said these organizations are like “virtual neighborhood watch programs” that share threat experience and defense strategies.
It is also important to foster a security-first mindset among medical staff. Dr. Christian Dameff and Dr. Jeff Talley, co-directors of the UC San Diego Healthcare Cybersecurity Center, emphasize that breaking down silos between IT security teams, emergency managers, and clinical staff to create a consistent incident response plan is key. They also recommend running high-fidelity clinical simulations that expose doctors and nurses to real-world cyber attack scenarios.
For rural hospitals that provide critical services to communities across the United States, Microsoft created the Microsoft Cybersecurity for Rural Hospitals Program. It provides affordable access to Microsoft security solutions, builds cybersecurity capacity, and helps solve fundamental challenges through innovation.
For healthcare organizations with the resources, as part of this report we provide guidance on how to:
Establish a strong governance framework.
Create an incident response and detection plan, and be prepared to execute it effectively during an actual attack to minimize damage and ensure quick recovery.
Implement continuous monitoring and real-time detection capabilities.
Educate your organization with the Cybersecurity Awareness and Education #BeCyberSmart Kit.
Take advantage of the resiliency strategies outlined in the report.
Given the serious cyber threats to healthcare organizations, it is important to protect your assets by understanding the situation and taking steps to prevent it. For more information on the current health care cyberthreat landscape and ransomware threats, as well as more detailed guidance on building resilience, read the “U.S. Health Care at Risk: Strengthening Resilience to Ransomware Attacks” report and watch the Medical Threat Intelligence briefing video included in the report. To stay up to date with the latest threat intelligence insights and get practical guidance on your security journey, bookmark Microsoft Security Insider.
Learn more
To learn more about Microsoft security solutions, please visit our website. Bookmark our security blog to stay up to date with experts on security issues. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest cybersecurity news and updates.
1 How to protect your network from ransomware, justice.gov.
2 Threat Landscape: Medical and Public Health Sector, April 2024. Microsoft Threat Intelligence.
3 On average, healthcare organizations lose $900,000 per day due to downtime due to ransomware attacks, according to Comparitech. March 6, 2024.
4 The number and severity of healthcare ransomware attacks continues to increase, HIPAA Journal. September 2024.
5 Ransomware attack linked to disruption of adjacent emergency departments in the United States, JAMA Network. May 8, 2023.
6 Microsoft Digital Defense Report 2024.