FoxPointe Security Hub

Why Healthcare Is the #1 Target for Ransomware in 2026

March 13, 2026 by Brandon Agostinelli

In the United States, healthcare continues to sit at the bullseye of cybercrime.  The FBI’s 2024 Internet Crime Report and the American Hospital Association’s analysis of that report show that the health sector suffered more reported cyberthreats than any other critical infrastructure vertical that year, totaling 444 incidents that combined ransomware with data theft[1]. At the same time, ransomware attacks against U.S. critical infrastructure rose around 9% year‑over‑year, and total cybercrime losses climbed to $16.6 billion[2].

Zooming out, the 2025 Verizon Data Breach Investigations Report explains why attackers keep helping themselves to initial access.  Third‑party involvement in breaches doubled to 30% year over year[3].  Exploitation of vulnerabilities as an initial access vector jumped 34% to account for 20% of breaches, nearly overtaking credential abuse.  Additionally, ransomware appeared in 44% of breaches (a 37% increase)[4].  Attackers are targeting the healthcare ecosystem at its softest points: vendors, perimeter devices, and time‑pressed staff.

Two incidents from 2024 turned these statistics into national headlines.  First, the Change Healthcare ransomware attack disrupted claims, eligibility, and prescription processing on an unprecedented scale[5].  Every hospital in the country felt downstream impact as revenue cycles faltered and pharmacies fell back to manual workarounds.  Public disclosures and testimony highlighted the absence of multi‑factor authentication (MFA) on a remote portal that attackers abused.  Second, Ascension’s ransomware event forced Emergency Medical Services diversions and downtime protocols across a 140‑hospital system.  In the months following the incident, the organization confirmed that approximately 5.6 million individuals were affected[6].  Together, these crises revealed just how concentrated and interconnected risk has become in U.S. healthcare.

Why Hospitals Remain Top Targets for Ransomware

  • Operational urgency and downtime sensitivity. Few sectors tie system availability so directly to human outcomes.  Diversion minutes, canceled procedures, and delayed prescriptions translate into care risk, and adversaries know it.  During the Change Healthcare crisis, hospital surveys reported widespread care delays and significant financial stress.
  • Valuable, aggregated data. Healthcare data is longitudinal and monetizable.  Identity, insurance, clinical, and sometimes payment data is all in one place.
  • Complex, legacy‑heavy estates. From multi‑vendor Electronic Health Records (EHR) to imaging and lab systems, plus thousands of connected medical devices, health IT has accumulated massive technical debt[7].
  • Third‑party fragility. When 30% of breaches involve third parties, vendor due diligence and contractual controls become patient‑safety issues, not procurement checkboxes.

Ransomware Tactics in 2026: What’s Changed

  • Exploited vulnerabilities on the perimeter. Attackers rapidly weaponize flaws in edge and virtual private network (VPN) devices.  Organizations remediated only about half (54%) of perimeter device vulnerabilities last year, with a median remediation time of roughly a month (32 days), an exposure window adversaries actively exploit[8].
  • “Extortion‑only” attacks. Healthcare providers report a growing share of incidents where data theft and leak threats occur without encrypting systems, an adaptation to stronger endpoint defenses and backups[9].
  • The supply‑chain multiplier. A single vendor incident (clearinghouse, EHR module, billing cloud) can disrupt thousands of providers and pharmacies.

Compliance Is Necessary for Ransomware Defense

The National Institute of Standards and Technology Cybersecurity Framework (CSF) 2.0 introduced the new Govern function and strengthened guidance for supply‑chain risk management.  These are two areas that hospital boards and executives must own.  Implementing practices commensurate with CSF 2.0 is a pragmatic way to align strategy, budget, and daily controls to the threats actually hitting healthcare.

In addition, federal regulators are preparing the first major upgrade to the HIPAA Security Rule since 2013, driven by the sharp rise in cyberattacks, large‑scale breaches, and operational disruptions across healthcare.  The proposal, released by the United States Department of Health & Human Services and Office for Civil Rights (OCR) in late 2024 and published as a formal rulemaking notice in January 2025, seeks to raise the cybersecurity floor for all HIPAA‑regulated organizations.  At a high level, the proposed rule would require hospitals and business associates to:

  • Complete a formal compliance audit every 12 months to validate adherence to all Security Rule requirements.
  • Maintain complete technology asset inventories and network maps, giving leadership a clear view of cyber risk across their environment.
  • Obtain annual written verification that vendors and subcontractors have deployed required safeguards, thereby significantly tightening third‑party oversight.
  • Update business associate agreements (BAA) to mandate rapid reporting (within 24 hours) of incidents affecting contingency plans, improving visibility into emerging threats.
  • Strengthen workforce security practices and ensure that access to systems and data is removed promptly when staff leave or change roles.

The Notice of Proposed Rulemaking eliminates the long‑standing distinction between required and addressable implementation specifications[10].  Under the proposal, all specifications become mandatory, unless a narrow exception applies.  This is one of the most significant shifts in HIPAA since 2013.

What Hospitals Must Consider to Prevent Ransomware Attacks

  • Deploy phishing‑resistant MFA (e.g., passkeys) wherever feasible, including clinician workflows on shared workstations via fast‑unlock methods.
  • Elevate privileged access management for admins and vendors; enforce least‑privilege and time‑bound access for EHR, imaging, and remote support.
  • Establish a maximum 14‑day patch window for firewalls, VPNs, and remote access gateways; add continuous external attack‑surface discovery to catch shadow assets[11].
  • Segment clinical networks (EHR, imaging, lab, pharmacy) and medical devices from corporate IT; require MFA for all admin access.
  • Ensure Endpoint Detection and Response (EDR) and/or Extended Detection and Response is deployed on servers and critical workstations; tune for ransomware precursors such as beaconing, Remote Monitoring and Management (RMM) abuse, and backup tampering.
  • Maintain immutable, offline backups and test directory restores quarterly.
  • Run a ransomware tabletop that simulates both encryption and extortion‑only scenarios, with a special track for clinical continuity.
  • Bake minimum controls into business associate agreements and master service agreements including MFA everywhere, EDR, 24/7 monitoring, recovery time objective/recovery point objective commitments and breach notification (less than 24 hours).
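
The 14‑day patch window for edge devices can be tracked directly from the asset inventory. The following is an added example, not part of the original article: the inventory columns, host names, and dates are constructed for illustration, and the status labels are assumptions.

```python
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 14  # maximum window the article recommends for edge devices
EDGE_CLASSES = {"firewall", "vpn", "remote-access-gateway"}  # assumed class labels

# Constructed sample inventory (hypothetical hosts and dates, not real data).
# fix_released = date the vendor published the fix; patched_on is empty if still open.
SAMPLE_INVENTORY = """\
asset,device_class,fix_released,patched_on
fw-edge-01,firewall,2026-01-05,2026-01-12
vpn-clin-01,vpn,2026-01-05,2026-02-06
rag-vendor-01,remote-access-gateway,2026-02-20,
ehr-app-03,server,2026-01-05,
vpn-corp-02,vpn,2026-03-01,
"""

def patch_window_report(inventory_csv, today):
    """Return (asset, status, days) for each edge device, live exposure first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["device_class"] not in EDGE_CLASSES:
            continue  # the 14-day window here applies to perimeter devices only
        released = date.fromisoformat(row["fix_released"])
        if row["patched_on"]:
            # Closed finding: measure how long the device stayed exposed.
            days = (date.fromisoformat(row["patched_on"]) - released).days
            status = "patched-on-time" if days <= PATCH_WINDOW_DAYS else "patched-late"
        else:
            # Open finding: exposure is still growing, measured up to today.
            days = (today - released).days
            status = "open-within-window" if days <= PATCH_WINDOW_DAYS else "open-overdue"
        findings.append((row["asset"], status, days))
    # Open, overdue devices are the live exposure, so sort them to the top.
    rank = {"open-overdue": 0, "open-within-window": 1,
            "patched-late": 2, "patched-on-time": 3}
    return sorted(findings, key=lambda f: (rank[f[1]], -f[2]))

if __name__ == "__main__":
    for asset, status, days in patch_window_report(SAMPLE_INVENTORY, date(2026, 3, 13)):
        print(f"{asset:15} {status:20} {days:3d} days")
```

Feeding the same report from the continuous external attack‑surface discovery output, rather than only the managed inventory, is what brings shadow assets into the window.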

The bottom line

Healthcare’s targeting isn’t about hype; it’s about economics (data value, extortion leverage), exposure (edge flaws and vendors), and consequences (patient care).  But the sector is improving: more attacks are blocked before encryption, ransom payments are down, and recovery times are shortening.  This serves as evidence that disciplined programs work.  Make 2026 the year that your organization moves from compliance‑centric to outcome‑driven security.  Achieving this looks like board‑owned governance, faster edge patching, identity management that clinicians can live with, segmented networks, resilient recovery, and real vendor accountability.  The result is not just better information security; it’s safer patient care.

 

[1] https://www.aha.org/news/headline/2025-05-12-report-health-care-had-most-reported-cyberthreats-2024

[2] https://cyberscoop.com/fbi-ic3-cybercrime-report-2024-key-statistics-trends/

[3] https://www.hipaajournal.com/verizon-dbir-2025/

[4] See above.

[5] https://www.aha.org/system/files/media/file/2025/02/Change-Healthcare-Cyberattack-Underscores-Urgent-Need-to-Strengthen-Cyber-Preparedness.pdf

[6] https://www.hipaajournal.com/ascension-cyberattack-2024/

[7] The accumulated cost and risk of using outdated, unpatched, or poorly integrated IT systems (like legacy EHRs) instead of modernizing them.

[8] https://www.verizon.com/business/resources/Tea/reports/2025-dbir-data-breach-investigations-report.pdf

[9] https://www.sophos.com/en-us/blog/the-state-of-ransomware-in-healthcare-2025

[10] https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html

[11] Unapproved, unmanaged, or hidden resources, systems, or data that operate outside the control of an organization’s central IT, security, or administration departments.