Skip to main content
Microsoft Security

Microsoft Threat Intelligence healthcare ransomware report highlights need for collective industry action

Healthcare organizations are an increasingly attractive target for threat actors. In a new Microsoft Threat Intelligence report, US healthcare at risk: strengthening resiliency against ransomware attacks, our researchers identified that ransomware continues to be among the most common and impactful cyberthreats targeting organizations. The report offers a holistic view of the healthcare threat landscape with a particular focus on ransomware attacks observed in recent years. By reading the report, healthcare organizations will gain insights that will help navigate these cyberthreats and understand how collective defense strategies can help improve protection and increase access to relevant threat intelligence.

Prior to 2020, there was an unspoken rule of threat actors to not launch attacks against schools and children, infrastructure, and healthcare organizations.1 However, that “rule” no longer applies, and in the past four years the healthcare threat landscape has seen tremendous shifts for the worse.

To put this shift into context, consider these trends from the Microsoft Threat Intelligence report showing healthcare cybersecurity challenges:

  • Healthcare is one of the top 10 most targeted industries in the second quarter of 20242—and has been for the past four quarters.
  • Ransomware attacks are costly, with healthcare organizations losing an average of $900,000 per day on downtime alone.3
  • In a recent study, out of the 99 healthcare organizations that admitted to paying a ransom and disclosed the ransom paid, the average payment was $4.4 million.4

The serious impact of ransomware on healthcare

While the potential financial risk for healthcare organizations is high, lives are at stake because ransomware attacks impact patient outcomes. If healthcare providers are not able to use diagnostic equipment or access patient medical records because it’s under ransom, care will be disrupted.

Healthcare facilities located near hospitals that are impacted by ransomware are also affected because they experience a surge of patients needing care and are unable to support them in an urgent manner. As a result, patients can experience longer wait times, which studies show could lead to more severe stroke cases and heart attack cases.5

These attacks don’t just impact facilities in large cities; in fact, rural health clinics are also a target for cyberattacks. They are particularly vulnerable to ransomware incidents because they often have limited means to prevent and remediate security risks. This can be devastating for a community as these hospitals are often the only healthcare option for many miles in the communities they serve.  

Why healthcare is an appealing target for threat actors

Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks. However, a more significant reason these facilities are at risk is the potential for huge financial payouts. As referenced earlier, lives are at stake and healthcare facilities committed to patient care can’t risk poor patient outcomes if their systems are taken down. They also can’t risk their patients’ data being exposed if they don’t pay the ransom. That reputation for paying ransoms—for understandable reasons—makes them a target.

What is phishing?

Learn more

Healthcare facilities are also targeted because of their limited security resources and cybersecurity investments to defend against these threats compared to other sectors. Facilities often lack staff dedicated to cybersecurity and in fact, some facilities don’t have a chief information security officer (CISO) or dedicated security operations center at all. Instead, their IT department may be tasked with managing cybersecurity. Doctors, nurses, and healthcare staff may not have received any cybersecurity training or know the signs to look for to identify a phishing email.

How cyber criminals target healthcare organizations

Financially motivated cyber criminals are using an evolving set of ransomware tactics on healthcare organizations. One common approach involves two steps. First, they gain access to an organization’s network, often using social engineering tactics through a phishing email or text. Then, they use that access to deploy ransomware to encrypt and lock healthcare systems and data so they can seek a ransom for their release.

“Once ransomware is deployed, attackers typically move quickly to encrypt critical systems and data, often within a matter of hours,” said Jack Mott of Microsoft Threat Intelligence in the Microsoft ransomware report. “They target essential infrastructure, such as patient records, diagnostic systems, and even billing operations, to maximize the impact and pressure on healthcare organizations to pay the ransom.”

Social engineering tactics often involve convincing the email recipient to act in ways they normally wouldn’t, such as clicking on an unknown link, and using the tactics of urgency, emotion, and habit. Social engineering fraud is a serious problem. In just this fiscal year, a staggering 389 healthcare institutions across the United States fell victim to ransomware attacks, according to the 2024 Microsoft Digital Defense Report.6 The aftermath was severe, resulting in network closures, offline systems, delays in critical medical operations, and rescheduled appointments.

Another common approach is ransomware as a service (RaaS), a cybercrime business model growing in popularity. The RaaS model is an agreement between an operator, who develops extortion tools, and an affiliate, who deploys the ransomware. Both parties benefit from a successful ransomware and extortion attack, and it’s “democratized access to sophisticated ransomware tools,” Mott said. This model enables cyber criminals without the means of developing their own tools to launch their nefarious activities. Sometimes, they may simply purchase network access from a cybercrime group that has already breached a network. RaaS severely widens the risk to healthcare organizations, making ransomware more accessible and frequent.

Cybercrime tactics continue to grow in sophistication. Microsoft is continually tracking the latest cybercrime threats to support our customers and increase the knowledge of the entire global community. These threats include actions by threat actor groups Vanilla Tempest and Sangria Tempest, which are known for their financially motivated criminal activities.

Take a collective defense approach to boost your cyber resilience and visibility

We recognize that not all organizations have a robust cybersecurity team or even the resources to enable a cybersecurity resilience strategy. This is why it is important for us as a community to come together and share best practices, tools, and guidance. We encourage your organization to collaborate with regional, national, and global healthcare organizations such as Health-ISAC (Information Sharing and Analysis Centers). The Health-ISAC provides healthcare organizations with platforms to exchange threat intelligence. Health-ISAC Chief Security Officer Errol Weiss says these organizations are like “virtual neighborhood watch programs,” sharing threat experiences and defense strategies. 

It’s also important to foster a security-first mindset among healthcare staff. Dr. Christian Dameff and Dr. Jeff Tully, Co-directors of the University of California San Diego Center for Healthcare Cybersecurity, emphasize that breaking down silos between IT security teams, emergency managers, and clinical staff to develop cohesive incident response plans is key. They also recommend running high-fidelity clinical simulations that expose doctors and nurses to real-world cyberattack scenarios.

For rural hospitals that provide critical services to the communities they serve across the US, Microsoft created the Microsoft Cybersecurity Program for Rural Hospitals, which provides affordable access to Microsoft security solutions, builds cybersecurity capacity, and helps solve root challenges through innovation.

For healthcare organizations that have the resources, as part of this report we provide guidance on how to:

  • Establish a robust governance framework.
  • Create an incident response and detection plan. Then be prepared to execute it efficiently during an actual attack to minimize damage and ensure a quick recovery.
  • Implement continuous monitoring and real-time detection capabilities.
  • Educate your organization using our cybersecurity awareness and education #BeCyberSmart Kit.
  • Harness more resilience strategies found in the report.

Given the serious cyberthreats against healthcare organizations, it’s critical to protect your assets by understanding the situation and taking steps to prevent it. For more details on the current healthcare cyberthreat landscape and ransomware threats, and for more in-depth guidance on boosting resilience, read the “US healthcare at risk: Strengthening resiliency against ransomware attacks” report and watch our healthcare threat intelligence briefing video, which is included in the report. To stay up-to-date on the latest threat intelligence insights and get actionable guidance for your security efforts, bookmark Microsoft Security Insider.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1How to protect your networks from ransomware, justice.gov.

2Threat Landscape: Healthcare and Public Health Sector, April 2024. Microsoft Threat Intelligence.

3On average, healthcare organizations lose $900,000 per day to downtime from ransomware attacks, Comparitech. March 6, 2024.

4Healthcare Ransomware Attacks Continue to Increase in Number and Severity, The HIPAA Journal. September 2024.

5Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US, JAMA Network. May 8, 2023.

6Microsoft Digital Defense Report 2024.