The US healthcare sector is confronting an unprecedented wave of cyberattacks, with ransomware incidents surging by more than 30% in 2024 alone, according to a report by cyber insurance and risk management provider Resilience.
Despite the escalating threat, experts warned that cybersecurity remains alarmingly low on the list of business priorities for many healthcare organizations.
Travis Wong, vice president of customer engagement at cyber risk firm Resilience, flagged a disconnect between these firms’ exposure and their investment in protection.
“Despite the many significant cyber incidents that have already affected the healthcare industry, cybersecurity still ranks surprisingly low on the priority list for many organizations, lower than we would expect or hope,” Wong told Insurance Business.
“Events like the Change Healthcare breach and the repeated waves of ransomware attacks should have been clear wake-up calls, yet the urgency hasn’t fully translated into action.”
Electronic Health Records (EHRs) are among the most lucrative data types on the dark web.
Unlike credit cards, which can be quickly cancelled, health records contain sensitive personal and financial details that can be exploited for years. According to Resilience’s 2025 report, 168 million healthcare records were breached in 2023 – more than half the US population’s data.
“Healthcare isn’t just critical infrastructure for communities and countries because it provides essential services,” said Wong. “It’s also a sector that stores extremely sensitive information, which makes it valuable on secondary markets.”
Beyond data theft, the sheer criticality of healthcare services makes organizations vulnerable. Hospitals and clinics cannot simply pause operations during a cyberattack, and that urgency often drives victims to pay ransoms quickly to restore patient care.
“Attackers aren’t always looking to disrupt systems permanently,” Wong said. “They just want to get in, create enough exposure to force a payout, and then move on.”
The February 2024 breach of Change Healthcare, one of the largest healthcare payment processors, exposed 190 million records and paralyzed services across the country. Pharmacies couldn’t process prescriptions, doctors couldn’t get reimbursed, and patients faced delays in treatment.
Wong said the incident revealed just how interconnected the healthcare sector really is. “A disruption at one organization cascaded across thousands of providers, demonstrating systemic risk on a national scale,” he said.
Despite the scale of the disaster, Resilience’s report cites a survey of 250 US healthcare executives that found cybersecurity ranked last among top business concerns, behind operational costs, compliance, and even patient data protection.
“Part of the challenge is that implementing comprehensive cybersecurity measures takes time,” said Wong. “Healthcare workforces are, understandably, focused first and foremost on patient care. That means security often feels secondary, even though the two are closely connected.
“Organizations must recognize that they have a duty not only to deliver care but also to protect their patients’ sensitive data and the systems that support critical services.”
The barriers to stronger cyber defences are multifaceted. Healthcare organizations often operate under tight budgets, with funds directed toward patient care and compliance rather than IT upgrades.
Wong pointed to three main constraints: funding shortfalls, talent shortages and operational complexity. “Security budgets aren’t keeping pace with the rising cost and complexity of threats,” he said.
He also pointed to a lack of specialized cybersecurity professionals, particularly within healthcare IT teams. At the same time, hospitals rely on mobile workstations, legacy systems, and specialized medical devices, making consistent security controls difficult to implement. These realities mean healthcare systems are managing sprawling networks with countless points of potential failure.
“Staff need to badge in and out of systems constantly, which makes identity and access management complicated,” said Wong. “All of these moving pieces create more opportunities for failure and, ultimately, more risk.”
As ransomware losses mount among healthcare providers, cyber insurers are tightening requirements. Underwriters are increasingly scrutinizing healthcare organizations’ vendor ecosystems, given the ripple effects seen in the Change Healthcare breach. However, a softer cyber market is also balancing out stricter terms.
“What we are seeing is much more scrutiny of vendor ecosystems,” Wong said. “The Change Healthcare attack really drove this home. Carriers and underwriters want to know which critical vendors an organization depends on and how secure those supply chains are. So, while pricing and conditions still vary by organization, the focus on supply chain dependencies has definitely grown.”
With extortion demands now reaching $4 million in some 2025 incidents, the stakes for healthcare providers are higher than ever. Industry analysts warn that the sector may soon face not only financial and operational losses, but also direct patient fatalities tied to cyber incidents.
Wong’s recommendations for healthcare organizations include crafting comprehensive backup strategies that include all data types, validated under realistic attack scenarios; proactive vendor risk management that goes beyond paper policies to continuous monitoring; and robust employee training and simulations to address human error, which is still the leading cause of breaches.
“Organizations that can demonstrate comprehensive, validated strategies and show that they’ve tested recovery under realistic conditions stand out as far better risks in the eyes of insurers,” he said.