Healthcare is the most targeted sector. Why ransomware succeeds against hospitals, the regulatory exposure, and the six operational priorities boards must address.
Why Healthcare Is the Most Targeted Sector
The healthcare sector consistently leads breach statistics, ransomware victim counts, and regulatory enforcement actions year over year. The structural drivers are specific and persistent.
The Data Has High Black-Market Value
Protected health information (PHI) commands the highest prices on cybercriminal markets among consumer data categories. A complete medical record — name, date of birth, Social Security number, insurance details, treatment history, prescription information — sells for $50-$1,000 per record on dark web markets, compared to $1-$5 for a credit card number. The price differential reflects the sustained utility of PHI for fraudulent insurance claims, identity theft, prescription drug diversion, and synthetic identity creation.
Operational Disruption Forces Ransom Decisions
When a hospital's electronic health record (EHR) system goes down, patient care is immediately and materially affected: surgeries are postponed, emergency department patients are diverted, and diagnostic imaging is delayed. Patients suffer real medical harm. In several documented incidents, including Universal Health Services in 2020 and Ascension Health in 2024, clinicians reported delayed treatment and paper-based workarounds that introduced medication-safety risk during ransomware downtime, and peer-reviewed studies have associated hospital ransomware attacks with increased in-hospital mortality. The combination of regulatory penalty exposure, immediate operational impact, and the moral imperative to restore patient care produces a structurally higher ransom payment rate than in other sectors.
The Attack Surface Is Diverse and Legacy-Heavy
Modern hospitals operate a complex IT environment: clinical systems running on aging operating systems, medical devices with embedded software that the hospital cannot patch itself, telehealth platforms, supplier integrations, third-party billing services, research computing infrastructure, and the standard enterprise IT stack. Each layer is exposed to different threat patterns, and most healthcare organizations cannot fully patch the medical device layer because manufacturers have not validated the OS updates for clinical use.
The Recent Pattern
2024-2025 demonstrated the maturation of healthcare-targeted attack patterns. Change Healthcare (a UnitedHealth Group subsidiary) suffered a ransomware attack in February 2024 that disrupted claims and prescription processing for an estimated one-third of US patients for weeks; the parent company reportedly paid a $22 million ransom and has disclosed more than $2.5 billion in incident costs. Ascension Health (May 2024) lost EHR access across roughly 140 hospitals for over a month. The 2025 Oracle Health/Cerner breach reportedly exposed an estimated 30+ million patient records through compromise of the EHR vendor's own systems rather than individual hospital environments. The pattern is clear: healthcare is targeted, attacks succeed at scale, and the regulatory and operational consequences are substantial.
Why Healthcare Defenses Are Frequently Inadequate
The Compliance-vs-Security Gap
HIPAA's Security Rule, finalized in 2003 with a 2005 compliance date, defines security requirements for organizations handling electronic PHI. The framework was modern at its inception, but most of its technical safeguards are "addressable" rather than required, and it was not substantively updated for the cloud and ransomware era: the 2013 Omnibus Rule mainly extended its reach to business associates, and it was only the proposed rule HHS published in January 2025 that would make controls such as MFA, encryption, network segmentation, and asset inventories mandatory. Many healthcare organizations are therefore HIPAA-compliant in audit terms while operating substantially below the security posture appropriate for current threats. The gap is structural: HIPAA compliance does not mean adequate security against modern adversaries.
The Medical Device Patching Problem
FDA-regulated medical devices typically cannot be patched by the hospital outside manufacturer-approved channels. FDA guidance states that routine cybersecurity patches generally do not require a new premarket submission, but the manufacturer still has to validate that a patch does not affect the device's safety or effectiveness, and a hospital that patches without that validation assumes the liability and usually voids vendor support. Devices with embedded Windows XP, Linux distributions from the 2010s, and proprietary operating systems no longer receiving updates remain in clinical use because they perform their primary function correctly. The result is a substantial population of unpatched, effectively unpatchable devices on hospital networks, each one a potential foothold for an attacker.
The IT Investment Lag
Healthcare organizations typically allocate 4-7% of operating budget to IT, compared to 7-10% for financial services and 8-12% for technology companies. The relative underinvestment compounds over years: legacy systems persist, security tooling lags, security headcount is undersized. Hospital CIOs and CISOs operate with substantially less budget and headcount than peers in other regulated industries despite facing equivalent or higher threat exposure.
The Third-Party Vendor Dependency
Healthcare organizations depend on extensive third-party vendors — EHR providers (Epic, Cerner/Oracle Health, Athenahealth), billing services, laboratory information systems, radiology platforms, telehealth providers, medical device manufacturers. Each vendor relationship is a third-party risk surface, and the broader trend toward consolidation (Oracle's acquisition of Cerner, UnitedHealth's expansion through Change Healthcare) concentrates compromise impact across larger customer bases.
What Healthcare Organizations Must Do
The Six Operational Priorities
- Network segmentation between clinical systems and corporate IT. The lateral movement that turns initial access into full-environment compromise requires flat-network architectures. Segmenting clinical systems, medical device networks, and corporate IT into separate trust zones limits the blast radius of compromise.
- Backup and recovery testing under ransomware conditions. Backups exist in most healthcare environments. Tested, isolated, immutable backups that survive ransomware encryption are substantially less common. Quarterly recovery exercises with documented recovery time and recovery point objectives are the operational discipline.
- Phishing-resistant MFA on clinical and administrative accounts. The 2024 Change Healthcare breach began with stolen credentials for a remote-access (Citrix) portal account that had no MFA enabled, according to UnitedHealth's congressional testimony. Phishing-resistant MFA (hardware security keys, passkeys) on every account that can access PHI is the appropriate baseline; SMS codes and push approvals are better than nothing but remain phishable.
- Vendor risk management as a continuous program. The Oracle Health/Cerner 2025 incident demonstrates that EHR vendor compromise is the new norm. Healthcare organizations need active visibility into vendor security posture, contract terms covering breach disclosure, and contingency plans for major vendor disruption.
- Tabletop exercises simulating ransomware scenarios. Healthcare incident response plans typically describe HIPAA-required notification timelines and patient communications protocols. They less frequently rehearse the operational decision of whether to pay ransom, when to declare a disaster and revert to paper, and how to coordinate with FBI and state regulators during an active incident.
- Cyber insurance with healthcare-specific coverage. Standard cyber insurance does not always cover the medical-malpractice and patient-harm exposures that ransomware can produce. Healthcare organizations need policy language that explicitly addresses these scenarios.
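As an added illustration, not code from the original page or from Cloudskope's tooling, the following Python script turns three of the priorities above (segmentation, backup recovery testing, and phishing-resistant MFA) into checks that run against a constructed inventory. The zone map, the flow-log line format, the backup attributes, and the account records are all assumptions made for the example; a real deployment would pull them from the firewall, the backup platform, and the identity provider.

```python
"""Hypothetical posture check for three healthcare priorities: zone segmentation,
ransomware-resilient backups, and phishing-resistant MFA on PHI accounts.
Example code only; all inventory formats below are assumptions, not any vendor's API."""
import ipaddress
from datetime import date

# --- 1. Segmentation: trust zones and the inter-zone flows policy permits ---------
# Constructed RFC 1918 ranges standing in for a hospital's address plan.
ZONES = {
    "10.10.0.0/16": "corporate",       # staff workstations, email, billing
    "10.20.0.0/16": "clinical",        # EHR, PACS, lab systems
    "10.30.0.0/16": "medical-device",  # infusion pumps, imaging modalities
    "10.40.0.0/16": "management",      # jump hosts and patch servers
}
ZONE_NETS = [(ipaddress.ip_network(cidr), zone) for cidr, zone in ZONES.items()]

# (src_zone, dst_zone) -> destination ports allowed across that boundary.
# Any permitted cross-zone flow not listed here is a violation of the zone model.
ALLOWED_FLOWS = {
    ("corporate", "clinical"): {443},                   # EHR web front end only
    ("clinical", "medical-device"): {104, 2575, 11112}, # DICOM and HL7 MLLP
    ("management", "clinical"): {22, 3389},
    ("management", "medical-device"): {22, 3389},
    ("management", "corporate"): {22, 3389},
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_NETS:
        if addr in net:
            return zone
    return "unknown"

def flow_violations(flow_lines):
    """Return firewall-permitted flows that cross a zone boundary the policy forbids.
    Lines use a constructed 'ts src dst dport proto action' format."""
    found = []
    for line in flow_lines:
        if not line.strip():
            continue
        _ts, src, dst, dport, _proto, action = line.split()
        if action != "ALLOW":
            continue                      # a DENY is the firewall doing its job
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue                      # intra-zone traffic is out of scope here
        if int(dport) not in ALLOWED_FLOWS.get((src_zone, dst_zone), set()):
            found.append((src_zone, dst_zone, src, dst, int(dport)))
    return found

# --- 2. Backups: isolated, immutable, and restore-tested within the last quarter --
def backup_findings(backup_sets, as_of):
    """Flag backup sets that would not survive ransomware or lack a recent restore test."""
    findings = []
    for b in backup_sets:
        problems = []
        if not b["immutable"]:
            problems.append("not immutable")
        if not b["offline_copy"]:
            problems.append("no offline/isolated copy")
        last = b.get("last_restore_test")
        if last is None or (as_of - last).days > 90:
            problems.append("no restore test in 90 days")
        if problems:
            findings.append((b["name"], problems))
    return findings

# --- 3. MFA: every account that can reach PHI needs a phishing-resistant factor ---
PHISHING_RESISTANT = {"fido2", "passkey", "piv"}   # SMS, TOTP and push are not

def mfa_findings(accounts):
    return [(a["user"], a.get("mfa") or "none") for a in accounts
            if a["phi_access"] and (a.get("mfa") or "none").lower() not in PHISHING_RESISTANT]

# --- Constructed sample data (not real hospital records) --------------------------
SAMPLE_FLOWS = """\
2024-06-01T08:00:01 10.10.5.23 10.20.1.10 443 tcp ALLOW
2024-06-01T08:00:02 10.20.1.10 10.30.7.4 104 tcp ALLOW
2024-06-01T08:00:03 10.10.5.23 10.30.7.4 445 tcp ALLOW
2024-06-01T08:00:04 10.10.5.23 10.30.7.9 3389 tcp ALLOW
2024-06-01T08:00:05 10.10.5.23 10.30.7.9 3389 tcp DENY
""".splitlines()
AS_OF = date(2024, 6, 1)
SAMPLE_BACKUPS = [
    {"name": "ehr-db", "immutable": True, "offline_copy": True, "last_restore_test": date(2024, 4, 15)},
    {"name": "pacs-archive", "immutable": False, "offline_copy": False, "last_restore_test": None},
]
SAMPLE_ACCOUNTS = [
    {"user": "dr.smith", "phi_access": True, "mfa": "FIDO2"},
    {"user": "j.doe", "phi_access": True, "mfa": "sms"},
    {"user": "svc-claims", "phi_access": True, "mfa": None},
    {"user": "facilities", "phi_access": False, "mfa": None},
]

if __name__ == "__main__":
    for v in flow_violations(SAMPLE_FLOWS):
        print("flat-network flow:", v)
    for name, problems in backup_findings(SAMPLE_BACKUPS, AS_OF):
        print("backup:", name, "-", ", ".join(problems))
    for user, method in mfa_findings(SAMPLE_ACCOUNTS):
        print("weak MFA on PHI account:", user, method)
```

Run against the sample data it reports the two corporate-to-medical-device flows the firewall allowed (SMB and RDP), the backup set with no immutable or isolated copy and no restore test, and the two PHI-accessing accounts on SMS or no MFA. Note that in the segmentation check the finding is an ALLOW, not a DENY: a flat network shows up as traffic the firewall was happy to pass.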
The Board-Level Question
For hospital boards, the question is whether cyber risk is being treated with the same governance discipline as clinical quality, financial risk, and regulatory compliance. The structural answer at most healthcare organizations is no — cyber risk reports to the IT committee at a level of detail inconsistent with its business impact. The post-Change Healthcare regulatory environment is making this gap untenable.
Related Reading
- What is HIPAA Security? — the compliance baseline
- What is Ransomware? — the dominant healthcare attack pattern
- What is Incident Response?
- What is Network Segmentation?
How Cloudskope Can Help
Cloudskope's Cyber Risk Assessment for healthcare organizations evaluates the specific threat surface that produces sectoral risk: clinical-versus-corporate network segmentation, medical device population exposure, EHR vendor risk posture, MFA coverage across accounts touching PHI, and backup recovery testing under ransomware conditions. For healthcare-sector PE investors, our M&A Cyber Due Diligence specifically addresses the regulatory and operational risk profile of healthcare targets including the 20-year tail risk pattern that HIPAA enforcement has demonstrated.