The Cybersecurity Blind Spot in Healthcare: Essential Insights for Brokers on the Risk-Investment Discrepancy

The U.S. healthcare sector is facing a serious crisis as cyberattacks, especially ransomware incidents, have surged dramatically. In 2024 alone, these attacks increased by over 30%, according to a recent report from Resilience, a company that specializes in cyber insurance and risk management.

Despite the rising threat, many healthcare organizations are not prioritizing cybersecurity. Experts are alarmed by this disconnect. Travis Wong, a vice president at Resilience, points out that even after significant breaches, like the Change Healthcare incident, cybersecurity still ranks low on the list of concerns for many healthcare providers. He expressed disappointment that the urgency to improve security hasn’t translated into meaningful action.

The Change Healthcare breach in February 2024 serves as a stark example. This incident exposed 190 million records and disrupted services nationwide, affecting pharmacies, doctors, and patients alike. Wong emphasized that this event highlighted how interconnected the healthcare system is. A problem at one organization can ripple through thousands of providers, revealing a systemic risk to the entire sector.

According to Resilience, over half of the U.S. population’s healthcare records were breached in 2023, totaling 168 million records. Electronic Health Records (EHRs) are particularly valuable on the dark web because they contain sensitive personal and financial information that can be exploited for years. Unlike credit card information, which can be canceled quickly, health records remain useful to attackers for a long time.

Healthcare organizations are in a tough spot. They operate under tight budgets, often prioritizing patient care and compliance over IT upgrades. Wong identified three main barriers to improving cybersecurity: limited funding, a shortage of skilled professionals, and the operational complexity of healthcare systems. Many hospitals still rely on outdated technology, which complicates security efforts.

As ransomware demands escalate, with some reaching $4 million in 2025, the stakes for healthcare providers are higher than ever. Insurers are responding by tightening their requirements and scrutinizing the vendor ecosystems of healthcare organizations. The Change Healthcare breach underscored the need for insurers to understand which vendors are critical to an organization and how secure those supply chains are.

Wong advises healthcare organizations to develop comprehensive backup strategies, proactively manage vendor risks, and conduct thorough employee training. He believes that organizations demonstrating solid cybersecurity practices will be viewed as lower risks by insurers.

As the healthcare sector grapples with these challenges, the need for urgent action is clear. Protecting patient data and ensuring the security of vital services must become a priority for healthcare providers.

Author

    Sophia Langley runs real-life budget scenarios to recommend coverage mixes that protect households without sinking their monthly finances.