Healthcare Ransomware – Tech | Business | Economy

Nearly 80% of Organizations Hit by Ransomware Took More than a Week to Recover – Sophos
Thu, 26 Sep 2024 10:00:31 +0000

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today released a sector survey report, “The State of Ransomware in Healthcare 2024,” which revealed that the rate of ransomware attacks against healthcare organizations has reached a four-year high since 2021.

Of those organizations surveyed, two-thirds (67%) were impacted by ransomware attacks in the past year, up from 60% in 2023.

The rising rate of ransomware attacks against healthcare institutions contrasts with the declining rate of ransomware attacks across sectors; the overall rate of ransomware attacks fell from 66% in 2023 to 59% in 2024.

Alongside an increase in the rate of ransomware attacks, the healthcare sector reported increasingly longer recovery times.

Only 22% of ransomware victims fully recovered in a week or less, a considerable drop from the 47% reported in 2023 and 54% in 2022.

In addition, 37% took more than a month to recover, up from 28% in 2023, reflecting the increased severity and complexity of attacks.

“While we’ve seen the rate of ransomware attacks reach a kind of ‘homeostasis’ or even decline across industries, attacks against healthcare organizations continue to intensify, both in number and scope.

The highly sensitive nature of healthcare information and need for accessibility will always place a bullseye on the healthcare industry from cybercriminals. Unfortunately, cybercriminals have learned that few healthcare organizations are prepared to respond to these attacks, demonstrated by increasingly longer recovery times. These attacks can have immense ripple effects, as we’ve seen this year with major ransomware attacks impacting the healthcare industry and impacting patient care,” said John Shier, field CTO, Sophos.

“To combat these determined adversaries, healthcare organizations must adopt a more proactive, human-led approach to threat detection and response, combining advanced technology with continuous monitoring to stay ahead of attackers.”

Additional findings from the report include:

  • Ransom Recovery Costs Surge: The mean cost of recovery in a healthcare ransomware attack was $2.57 million in 2024, up from $2.2 million in 2023 and double the 2021 cost
  • Ransom Demands vs Payments: 57% of healthcare institutions that paid the ransom ended up paying more than the original demand
  • Root Cause of Attack: Compromised credentials and exploited vulnerabilities were tied for the number one root cause of attack, each accounting for 34% of attacks
  • Backups Targeted: 95% of healthcare organizations hit by ransomware in the past year said that cybercriminals attempted to compromise their backups during the attack.
  • Increased Pressure: Organizations whose backups were compromised were more than twice as likely to pay the ransom to recover encrypted data (63% vs. 27%)
  • Who Pays the Ransom: Insurance providers are heavily involved in ransom payments, contributing in 77% of cases. 19% of total ransom payment funding comes from insurance providers

The latest Sophos report on real-world ransomware experiences explores the full victim journey, from attack rate and root cause to operational impact and business outcomes, of 402 healthcare organizations.

The results for this sector survey report are part of a broader, vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024 across 14 countries and 15 industry sectors.

Key Findings in Sophos State of Ransomware in Healthcare 2023
Thu, 02 Nov 2023 16:26:13 +0000
  • Only 24% of Healthcare Organizations Were Able to Disrupt a Ransomware Attack Before Attackers Encrypted Their Data
  • This is the Lowest Rate of Disruption in 3 Years

    Sophos, a global leader in innovating and delivering cybersecurity as a service, today shared its sector survey report, “The State of Ransomware in Healthcare 2023,” which revealed that, among those organizations surveyed, cybercriminals successfully encrypted data in nearly 75% of ransomware attacks.

    This is the highest rate of encryption in the past three years and a significant increase from the 61% of healthcare organizations that reported having their data encrypted last year.

    In addition, only 24% of healthcare organizations were able to disrupt a ransomware attack before the attackers encrypted their data—down from 34% in 2022; this is the lowest rate of disruption reported by the sector over the past three years.

    “To me, the percentage of organizations that successfully stop an attack before encryption is a strong indicator of security maturity. For the healthcare sector, however, this number is quite low—only 24%. What’s more, this number is declining, which suggests the sector is actively losing ground against cyberattackers and is increasingly unable to detect and stop an attack in progress.

    “Part of the problem is that ransomware attacks continue to grow in sophistication, and the attackers are speeding up their attack timelines. In the latest Active Adversary Report for Tech Leaders, we found that the median time from the start of a ransomware attack to detection was only five days. We also found that 90% of ransomware attacks took place after regular business hours. The ransomware threat has simply become too complex for most companies to go at it alone. All organizations, especially those in healthcare, need to modernize their defensive approach to cybercrime, moving from being solely preventative to actively monitoring and investigating alerts 24/7 and securing outside help in the form of services like managed detection and response (MDR),” said Chester Wisniewski, director, field CTO, Sophos.

    Additional key findings from the report include:

    • In 37% of ransomware attacks where data was successfully encrypted, data was also stolen, suggesting a rise in the “double dip” method
    • Healthcare organizations are now taking longer to recover, with 47% recovering in a week, compared to 54% last year
    • The overall number of ransomware attacks against healthcare organizations surveyed declined from 66% in 2022 to 60% this year
    • Compromised credentials were the number one root cause of ransomware attacks against healthcare organizations, followed by exploits
    • The number of healthcare organizations surveyed that paid ransom payments declined from 61% last year to 42% this year. This is lower than the cross-sector average of 46%

    “In 2016, the Red Cross Hospital of Córdoba in Spain suffered a ransomware attack that reached servers and encrypted hundreds of files, medical records and other important patient information. It was a major disruption to our operations and interfered with our ability to care for our patients. The stakes are high in ransomware attacks against healthcare organizations—and attackers know that—meaning we’ll always be a target. After this ransomware attack, we worked hard with Tekpyme to bolster our defenses, and now we have reduced our incident response time by 80%. I think the industry as a whole is making improvements, but there is still work to do, because of the constantly changing nature of cybercrime. Hopefully healthcare organizations can leverage the help that is available from security vendors such as Sophos to prevent a very real ‘threat to life’ if systems go offline due to a ransomware attack,” said José Antonio Alcaraz Pérez, head of information systems and communications at Cruz Red Andalusia in Spain.

    “Cyberspace today is ripe with technically sophisticated actors looking for vulnerabilities to exploit. What all this translates to is a multidimensional cyberthreat of actors who have the tools to paralyze entire hospitals. Partnering with the private sector is critical to our mission. The information [they] share has real-world impacts and can save real businesses and real lives,” said Christopher Wray, FBI Director.

    Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

    • Strengthen defensive shields with:
      • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-ransomware and anti-exploit capabilities
      • Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
      • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
      • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialized Managed Detection and Response (MDR) provider
    • Optimize attack preparation, including regularly backing up, practicing recovering data from backups and maintaining an up-to-date incident response plan
    • Maintain security hygiene, including timely patching and regularly reviewing security tool configurations

    To learn more about the State of Ransomware in Healthcare 2023, download the full report from Sophos.com.

    *The State of Ransomware 2023 survey polled 3,000 IT/cybersecurity leaders in organizations with between 100 and 5,000 employees, including 233 from the healthcare sector, across 14 countries in the Americas, EMEA and Asia Pacific.

    Find out Why Ransomware Attacks on Healthcare Organizations Increased 94% in 2021 according to Sophos
    Thu, 23 Jun 2022 12:11:42 +0000

    Sophos, a global leader in next-generation cybersecurity, has published a new sectoral survey report, “The State of Ransomware in Healthcare 2022.”

    The findings reveal a 94% increase in ransomware attacks on the organizations surveyed in this sector. In 2021, 66% of healthcare organizations were hit; 34% were hit the previous year.

    The silver lining, however, is that healthcare organizations are getting better at dealing with the aftermath of ransomware attacks, according to the survey data.

    The report shows that 99% of those healthcare organizations hit by ransomware got at least some of their data back after cybercriminals encrypted it during the attacks.

    Additional ransomware findings for the healthcare sector include:

    • Healthcare organizations had the second-highest average ransomware recovery costs with $1.85 million, taking one week on average to recover from an attack
    • 67% of healthcare organizations think cyberattacks are more complex, based on their experience of how cyberattacks changed over the last year; the healthcare sector had the highest percentage
    • While healthcare organizations pay the ransom most often (61%), they’re paying the lowest average ransoms, $197,000, compared with the global average of $812,000 (across all sectors in the survey)
    • Of those organizations that paid the ransom, only 2% got all their data back
    • 61% of attacks resulted in encryption, 4% less than the global average (65%)

    “Ransomware in the healthcare space is more nuanced than other industries in terms of both protection and recovery,” said John Shier, senior security expert at Sophos. “The data that healthcare organizations harness is extremely sensitive and valuable, which makes it very attractive to attackers. In addition, the need for efficient and widespread access to this type of data – so that healthcare professionals can provide proper care – means that typical two-factor authentication and zero trust defense tactics aren’t always feasible. This leaves healthcare organizations particularly vulnerable, and when hit, they may opt to pay a ransom to keep pertinent, often lifesaving, patient data accessible. Due to these unique factors, healthcare organizations need to expand their anti-ransomware defenses by combining security technology with human-led threat hunting to defend against today’s advanced cyberattackers.”

    More healthcare organizations (78%) are now opting for cyber insurance, but 93% of healthcare organizations with insurance coverage report finding it more difficult to get policy coverage in the last year.

    With ransomware being the single largest driver of insurance claims, 51% reported the level of cybersecurity needed to qualify is higher, putting a strain on healthcare organizations with lower budgets and fewer technical resources available.

    In the light of the survey findings, Sophos experts recommend the following best practices for all organizations across all sectors:

    • Install and maintain high-quality defenses across all points in the organization’s environment. Review security controls regularly and make sure they continue to meet the organization’s needs
    • Harden the IT environment by searching for and closing key security gaps: unpatched devices, unprotected machines and open Remote Desktop Protocol ports. Extended Detection and Response (XDR) solutions are ideal for helping to close these gaps
    • Make backups, and practice restoring from them so that the organization can get back up and running as soon as possible, with minimum disruption
    • Proactively hunt for threats to identify and stop adversaries before they can execute their attack – if the team lacks the time or skills to do this in house, outsource to a Managed Detection and Response (MDR) specialist
    • Prepare for the worst. Know what to do if a cyber incident occurs and keep the plan updated

    “The State of Ransomware in Healthcare 2022” report is available on Sophos.com.

    The State of Ransomware in Healthcare 2022 survey polled 5,600 IT professionals, including 381 healthcare respondents, in mid-sized organizations (100-5,000 employees) across 31 countries.
