About 90% of healthcare organizations are insecurely connected to the internet and running systems vulnerable to exploitation by ransomware gangs, according to research released this week by cybersecurity firm Claroty.
The report examined data from more than 350 healthcare organizations, finding that 78% of them have made ransomware payments of $500,000 or more.
Healthcare cybersecurity incidents are often egregiously expensive because they create a wide range of costs — chief among them being the inability to provide patient care, noted Ty Greenhalgh, industry principal of healthcare at Claroty.
“When systems are locked down by ransomware or disrupted by cyberattacks, hospitals may be forced to divert patients, cancel procedures or revert to manual operations, all of which impact revenue and patient safety,” he explained.
Beyond service disruption, costs can build up due to things like ransomware payments, regulatory fines, class action lawsuits and the provision of identity protection services for impacted patients, Greenhalgh added.
He pointed out that even simple expenses like notification letters add up fast when thousands of people are affected. Depending on the healthcare organization and its footprint, millions of people could be affected by a single cyberattack. For instance, Change Healthcare’s cyberattack from last year exposed the data of 190 million people, and Ascension’s cyberattack from last year impacted more than 5 million people.
“For example, at $0.15 per letter, a breach affecting 2 million patients results in a $300,000 cost just for mailing notifications. Combine this with forensic investigations, system recovery, lost revenue, and reputational damage and the total financial impact can reach millions — or even billions — of dollars,” Greenhalgh explained.
In his eyes, the riskiest exposure facing healthcare organizations right now is internet-facing devices that have known exploitable vulnerabilities (KEVs) linked to ransomware attacks in the wild.
KEVs refer to security flaws that have been actively exploited by cybercriminals — posing an immediate risk to systems and requiring urgent remediation.
“These devices are actively communicating outside the health system, have been compromised in attacks against other organizations, and remain a prime target for cybercriminals,” Greenhalgh said.
The traditional cybersecurity tools and processes that healthcare providers are using to manage their IT devices are not addressing these vulnerabilities adequately, he added.
Healthcare organizations often struggle to stay on top of cybersecurity best practices because of how quickly the threat landscape is evolving and how complex their operating environments are, Greenhalgh stated.
“Historically, humans were the weakest link, with phishing and social engineering being the primary entry points for attackers. However, since 2024, hands-on-keyboard system exploitation has surged, making direct system hacking just as prevalent,” he remarked.
Cybercriminals won’t stop targeting healthcare providers, and providers can’t completely prevent a motivated hacker from gaining access to their network, Greenhalgh noted. Instead, he said their focus should be on raising barriers to lateral movement and privilege escalation, which are key steps in ransomware attacks. These steps enable attackers to spread across a network, gain higher-level access and maximize damage by encrypting an organization’s critical systems and data.
But healthcare providers face a very tall task when it comes to raising those barriers, Greenhalgh said.
“This requires strong cybersecurity basics, including device identification, communication mapping, network segmentation and vulnerability management — all of which are difficult to achieve,” he declared.