Why Is Healthcare Such A Target For Ransomware?


In Check Point’s 2025 Security Report, it was confirmed that ransomware remained the most significant cyber threat to businesses worldwide throughout 2024, reaching new heights in both scale and impact.

One concerning trend seen was the rise of attacks on healthcare globally. Check Point’s report stated: “The migration of ransomware groups to targeting healthcare organisations underscores the gradual decline of previously established “ethical” guidelines. In the early months of the COVID-19 pandemic, many RaaS operators publicly declared hospitals and medical providers off-limits. However, over time, these restrictions weakened. Some RaaS administrators adopted a more nuanced approach. While they discouraged outright service disruption, such as encrypting critical systems, they permitted the theft of sensitive medical data. Affiliates could then extort victims by threatening to leak patient information and pressure healthcare entities to pay without directly endangering patients. This approach deteriorated further after the law enforcement operation against ALPHV. The group openly encouraged affiliates to specifically target hospitals. By February 2024, the healthcare and medical sectors became the most targeted sectors for ALPHV, making up approximately 30% of their reported victims.”

The critical nature of healthcare operations and their limited capacity to withstand extended disruptions make them particularly attractive targets. All indications suggest that this troubling trend will persist into 2025, along with the worrying addition of Data Exfiltration Extortion (DXF) – which involves stealing the data and asking victims to “buy back” their information to prevent public exposure.

The Check Point report states: “The rise of data exfiltration-only extortion marks a critical shift in cyber security priorities. Organisations must now focus on strengthening Data Leak Prevention (DLP) strategies by leveraging advanced monitoring and detection systems to identify and mitigate potential breaches earlier.”

The report goes on to say that healthcare and medical organisations now account for 10% of all publicly reported ransomware victims, making healthcare the second most targeted sector in 2024, trailing only the manufacturing industry.

With this concerning rise in the targeting of the healthcare sector – what can these organisations do to protect themselves, and their patients’ data?

There are several key reasons why healthcare is particularly vulnerable and attractive to cybercriminals:

1. Valuable and Sensitive Data

  • Hospitals and healthcare providers hold significant volumes of personally identifiable information (PII) and health records, which are incredibly valuable on the dark web.
  • Medical records can include names, birth dates, Medicare numbers, diagnoses, treatments, insurance info — a goldmine for identity theft and fraud.

2. Urgency and Disruption

  • Ransomware cripples operations, and in healthcare, that can literally mean life or death.
  • Because systems are critical to care (e.g. imaging, patient monitoring and care, surgical systems), hospitals are often pressured to pay the ransom quickly to resume services.

3. Underfunded Cybersecurity

  • Many healthcare providers — especially smaller clinics or rural health services — run on tight budgets. That often means legacy systems, outdated software, or limited investment in cybersecurity tools or staff.

4. High Interconnectivity

  • Healthcare networks are vast and complex: think of interconnected systems between hospitals, GPs, pathology labs, insurers, government databases, etc.
  • This interconnectedness means more attack vectors and often weaker points of entry.

5. Human Factor

  • Medical staff are often focused on patient care, not cybersecurity hygiene.
  • They're more likely to click on phishing emails or reuse passwords, increasing the chances of a successful breach.

6. The Australian Context

  • The Australian Cyber Security Centre (ACSC) has reported healthcare as one of the top five sectors targeted in ransomware incidents.
  • The 2023-2030 National Cyber Security Strategy includes specific actions aimed at hardening the health sector, showing it’s a recognised risk.

7. Examples of Real Incidents in Australia

  • Medibank (2022): Personal and health data of nearly 10 million Australians exposed. The company refused to pay the ransom, and the attackers published the data.
  • Eastern Health (2021): A major Melbourne hospital network was hit, forcing cancellations of surgeries and appointments.

How Can Healthcare Defend Itself?

At a bare minimum, the following should be considered essential to ensure a good foundation for a Healthcare Cyber Security strategy:

  • Implement strong Access Control.
  • Segment networks to isolate critical systems.
  • Ensure a robust Detection & Response solution is in place for Endpoints, Network infrastructure, Cloud and OT environments, and mobile.
  • Have strong mail security in place to ensure malicious links are identified and mitigated.
  • Ensure strong DLP measures are in place.
  • Regularly patch and update software.
  • Train staff in phishing awareness and create a culture of vigilance.
  • Have a strong incident response plan and backup strategies to ensure swift recovery.

At Seccom Global, we have been securing Healthcare organisations for 20+ years, so get in touch today to better understand where your security gaps are and how we can help!
