The HBO series “The Pitt” is a realistic portrayal of a single shift in an urban hospital, showing not only the work of trauma professionals but also the interactions among hospital administrators, physicians, nurses, and staff. In the new season, set on July 4 in Pittsburgh, the showrunners add a twist: the ED is knocked offline by a ransomware attack, and practitioners have to get by with paper records.
Hospitals keep getting hit with ransomware for the same reason Willie Sutton robbed banks: That is where the money is, and in healthcare, the “money” is not just cash, it is downtime leverage. When a threat actor can freeze e-prescribing, radiology, lab interfaces, bed management, claims submission, and even basic nurse-station communications, they are no longer negotiating over “data.” They are negotiating over continuity of care, and they know exactly how fast leadership will feel the heat. Because hospitals cannot afford downtime, they are more likely to pay a ransom to avoid it. Often, paying or not paying ransom is the difference between life and death. Well, not often, but sometimes.
Start with the single most consequential recent example: the February 2024 Change Healthcare incident, attributed to ALPHV/BlackCat, which disrupted claims processing and pharmacy workflows nationwide. Congress’s own research arm reported that Change paid roughly $22 million (about 350 BTC) as part of the response. Reuters later reported that the U.S. Department of Health and Human Services breach-listing was updated to approximately 192.7 million affected individuals, making it the largest healthcare data breach in U.S. history. In other words, ransomware in healthcare is now routinely a systemic-risk event, not merely an “IT outage.”
The Change event also illustrates why hospitals and providers are targeted even when the direct victim is “just” a vendor. The American Hospital Association warned that the attack disrupted clinical and eligibility operations and threatened provider solvency because cash flow depends on intermediated digital claims rails. That is the attacker’s business model: maximize blast radius by hitting the connective tissue—clearinghouses, revenue cycle vendors, managed service providers, imaging and lab integrations—then let operational necessity do the coercion. So it’s not just healthcare providers at risk – it’s anyone who provides services to or for these providers.
If you want a “direct-to-hospital” illustration, take Ascension’s May 2024 ransomware event, which forced workarounds and a reversion to paper processes across a sprawling system; reporting later tied the incident to data exposure affecting millions of individuals and described material financial fallout, with Ascension’s own financial statements attributing roughly $1.3 billion in costs to the attack. In 2025 the same operational storyline repeated at Kettering Health, which publicly described a ransomware-linked incident beginning May 20, 2025 and the staged restoration of its Epic components in early June 2025.
The cost profile is equally grim, and it is not limited to ransom. IBM’s Cost of a Data Breach Report 2024 put the average healthcare breach cost at $9.77 million, still the highest of any industry, even after a year-over-year decline. That average can understate the real-world “all-in” impact for large, operationally intertwined incidents; public reporting on Change Healthcare’s response costs reached into the billions based on UnitedHealth disclosures and subsequent reporting. In healthcare, business interruption is not an accounting line item; it is an access-to-care event, which is why the AHA has been blunt that ransomware attacks on hospitals are “threat-to-life crimes.”
So why healthcare, specifically? The incentives stack up neatly. Providers run heterogeneous, legacy-heavy environments where unpatchable medical devices, vendor “black boxes,” and complex identity and access needs collide with lean IT staffing. They hold data that is durable for fraud and extortion—identity attributes, insurance identifiers, diagnoses, and treatment details—while also operating services where downtime creates immediate reputational and patient-safety pressure. And the sector’s supply chain is uniquely “flat”: a compromise at a billing hub, EHR integration layer, or MSP can become a regional disruption. HHS’s HC3 has repeatedly emphasized that the sector is under sustained ransomware pressure and faces social engineering aimed at help desks (the cheapest path to privileged access, because a password or MFA reset obtained by phone bypasses every technical control behind it), tracking hundreds of attacks in short time spans.
The Role of HIPAA
From a compliance standpoint, the uncomfortable truth is that “HIPAA compliance” has too often been treated as a documentation exercise rather than an engineering program. The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic protected health information, 45 C.F.R. §§ 164.302–.318 (2025), including risk analysis and risk management (§ 164.308(a)(1)), access controls (§ 164.312(a)), audit controls (§ 164.312(b)), integrity controls (§ 164.312(c)), and transmission security (§ 164.312(e)). For practical implementation guidance that maps those requirements to a modern control set, NIST’s updated HIPAA resource guide is worth treating as required reading, not optional reference material. Nat’l Inst. of Standards & Tech., SP 800-66 Rev. 2, Implementing the HIPAA Security Rule (Feb. 2024). The point is to move from check-the-box compliance to real resilience, and planning and preparation are key to that move.
What does “best practice” look like in a way that survives contact with a real hospital? First, it means resilience engineering, not just prevention. That starts with immutable, tested backups and restoration runbooks that assume EHR, PACS, and identity systems are down simultaneously, aligned to CISA’s current ransomware guidance. Second, it means hardening the identity plane: phishing-resistant MFA for remote access and privileged actions, aggressive conditional access, and help-desk verification that anticipates deepfake- and AI-assisted social engineering (an area HC3 has specifically warned about). Third, it means segmentation that reflects clinical reality: you cannot “air gap a hospital,” but you can design enclaves so that compromise of a workstation subnet does not become a compromise of imaging, lab middleware, domain controllers, and backup repositories. Fourth, it means third-party risk management as an operational discipline, because your vendor’s incident is your incident.
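As an added illustration of the segmentation point above (this is example code written for this page, not code from the original article and not an official tool): the script below models enclaves and allowed flows as a directed graph and asks, for every non-privileged enclave, whether a foothold there can chain allowed flows over lateral-movement protocols (SSH, SMB, RDP, WinRM) into a crown-jewel enclave such as the domain controllers, PACS, lab middleware, or the backup repository. Kerberos and LDAP from workstations to domain controllers are allowed, because a hospital cannot remove them; what gets flagged is a backup agent that pushes over SMB from a file server that workstations can already reach. The enclave names, ports, and both policies are constructed assumptions, and a real check would be fed from firewall, NSG, or VLAN ACL exports rather than a hand-written list.

```python
"""Segmentation policy reachability check (added example, hypothetical network).

Models allowed flows between enclaves as a directed graph and computes which
crown-jewel enclaves an attacker can reach transitively from a given foothold
using lateral-movement protocols. Anything reachable from a non-privileged
enclave is a segmentation violation.
"""
from collections import defaultdict, deque

# Ports an attacker uses to pivot between hosts once a foothold exists
# (SSH, SMB, RDP, WinRM). Application traffic (HTTPS, HL7/MLLP, DICOM, Kerberos)
# is not treated as a pivot path by this model; that is an assumption to tune.
LATERAL_PORTS = {22, 445, 3389, 5985, 5986}

# Enclaves whose compromise is an outage, not an incident (assumed names).
CROWN_JEWELS = {"domain_controllers", "backup_repo", "imaging_pacs", "lab_middleware"}

# Only these enclaves may originate lateral-movement traffic into crown jewels.
PRIVILEGED_SOURCES = {"admin_paw"}

# Constructed sample policy: (source enclave, destination enclave, TCP port).
WEAK_POLICY = [
    ("clinical_workstations", "ehr_web", 443),
    ("clinical_workstations", "domain_controllers", 88),   # Kerberos, unavoidable
    ("clinical_workstations", "domain_controllers", 389),  # LDAP, unavoidable
    ("clinical_workstations", "file_server", 445),         # departmental shares
    ("file_server", "backup_repo", 445),                   # backup agent pushes over SMB
    ("ehr_web", "ehr_app", 8443),
    ("ehr_app", "lab_middleware", 2575),                   # HL7 over MLLP
    ("ehr_app", "imaging_pacs", 104),                      # DICOM
    ("admin_paw", "domain_controllers", 3389),
    ("admin_paw", "backup_repo", 22),
    ("admin_paw", "imaging_pacs", 3389),
]

# Hardened variant: the repository pulls from the file server instead of being
# pushed to, so nothing on the workstation side of the graph can write to it.
HARDENED_POLICY = [f for f in WEAK_POLICY if f != ("file_server", "backup_repo", 445)] + [
    ("backup_repo", "file_server", 445),
]


def build_graph(flows, ports):
    """Adjacency list containing only flows on the given ports."""
    graph = defaultdict(list)
    for src, dst, port in flows:
        if port in ports:
            graph[src].append((dst, port))
    return graph


def lateral_reach(flows, start, ports=LATERAL_PORTS):
    """Return {enclave: path} for every enclave reachable from `start` by
    chaining allowed flows on lateral-movement ports (breadth-first search,
    so each recorded path is a shortest one)."""
    graph = build_graph(flows, ports)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for dst, port in graph[current]:
            if dst not in paths:
                paths[dst] = paths[current] + [f"{dst}:{port}"]
                queue.append(dst)
    del paths[start]
    return paths


def violations(flows, start):
    """Crown-jewel enclaves that a compromise of `start` can reach laterally."""
    return {e: p for e, p in lateral_reach(flows, start).items() if e in CROWN_JEWELS}


def unauthorized_entry_points(flows):
    """Every non-privileged enclave from which some crown jewel is laterally
    reachable, with the offending paths."""
    enclaves = {src for src, _, _ in flows} | {dst for _, dst, _ in flows}
    findings = {}
    for enclave in sorted(enclaves - PRIVILEGED_SOURCES):
        hits = violations(flows, enclave)
        if hits:
            findings[enclave] = hits
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {name} policy ==")
        for enclave, hits in unauthorized_entry_points(policy).items():
            for jewel, path in hits.items():
                print(f"  {enclave} -> {jewel} via {' -> '.join(path)}")
        if not unauthorized_entry_points(policy):
            print("  no crown jewel reachable laterally from a non-privileged enclave")
```

Running it reports, for the weak policy, that both the workstation subnet and the file server can reach the backup repository over SMB, while the hardened policy reports nothing; the admin PAW still reaches everything, which is the point of having exactly one such enclave. The same graph can be re-run with the application ports added to `LATERAL_PORTS` to see what an attacker who has compromised the EHR application tier, rather than a workstation, could reach.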
HHS’s 405(d) program, named for Section 405(d) of the Cybersecurity Act of 2015, tries to translate those principles into implementable practices tailored to healthcare, prioritized around common threats like ransomware and social engineering. It is a collaborative effort between the Health Sector Coordinating Council and the federal government, run under the Administration for Strategic Preparedness and Response (ASPR), with the goal of aligning cybersecurity approaches and strengthening the posture of the Healthcare and Public Health (HPH) sector.
This is where the sector needs to stop arguing about whether it is “fair” to expect baseline controls and start arguing about sequencing: which controls reduce the most patient-safety risk the fastest. That is also why federal policymakers have been moving toward more prescriptive security expectations for HIPAA-covered entities after the scale of 2024’s incidents; HHS’s proposed update to the Security Rule, released at the end of 2024, would make controls such as multifactor authentication and encryption mandatory rather than “addressable.” Also, remember that healthcare is not just a hospital or clinic – it is an ecosystem.
The punchline is not “ransomware is bad.” The punchline is that healthcare ransomware is a predictable outcome of incentives: high-leverage operations, high-value data, and uneven cybersecurity maturity spread across a dense vendor ecosystem. The operational cure is equally predictable: treat identity, segmentation, backup integrity, and third-party dependency mapping as patient-safety controls; test them like you test disaster recovery; and assume the adversary is already practicing on a copy of your org chart. Also, it looks like Dr. Michael “Robby” Robinavitch is going to have a bad Independence Day. Maybe not as bad as Bill Pullman’s President Thomas J. Whitmore, but bad nonetheless.
Mark Rasch
