Here's a piece of genuinely good news: healthcare facilities are getting harder to extort.
In 2025, only 36% of healthcare organizations hit by ransomware paid the ransom, down from 61% in 2022, and the median ransom demand collapsed by 91% in a single year, according to Sophos' State of Ransomware in Healthcare 2025 report.
The bad news? Attackers didn't leave. They adapted.
Extortion-only attacks—where criminals steal patient data and demand payment without encrypting a single file—have tripled (from 4% in 2023 to 12% in 2025), now the highest rate of any sector. Meanwhile, healthcare remains the most expensive industry for data breaches for the 14th consecutive year, averaging $7.42 million per incident, according to IBM's Cost of a Data Breach Report 2025.
If you're a facility administrator, here's the reframe that matters: Cybersecurity is not just an IT problem. It's an operations and continuity problem. When systems go down, schedules go down, claims go down, and patient care goes down with them.
Why healthcare cybersecurity is more urgent than ever
America's cyber defense agency, Cybersecurity & Infrastructure Security Agency (CISA), defines cybersecurity as:
"The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information."
Think of it as the TSA checks to pass through to the boarding area for a flight or the plastic columns at the entrances and exits of shopping stores that sound an alarm if someone walks out with a tagged item. Those 2 examples can serve as appropriate metaphors for you to consider how robust your cybersecurity is:
- Does your facility have budget and staff attention specifically directed to strengthening and maintaining cybersecurity?
- Do you have some standard measures in place (like the alarm columns), or are you somewhere in between?
The threat landscape those defenses face has shifted. Each person's healthcare information is a lucrative mine for hackers and threat actors on the dark web.
Why is healthcare data more valuable than credit card data?
Personal health information (PHI) is reportedly more valuable than credit card information: credit cards can be canceled, and email addresses and phone numbers can be blocked, but how does a person address medical information theft?
PHI includes birth dates, social security numbers, and former mailing addresses, which can all be sold or used for other forms of identity theft.
That value is exactly why data theft is overtaking data encryption as the attack of choice—and why healthcare was the most-targeted critical infrastructure sector in the FBI's most recent Internet Crime (IC3) Report, with more reported ransomware incidents than any other sector.
No incident defines this new era better than the February 2024 ransomware attack on Change Healthcare, a claims clearinghouse processing roughly 1 in 3 US medical claims: facilities that were never breached themselves suddenly couldn't verify coverage or submit claims for weeks. According to the U.S. Department of Health and Human Services (HHS), approximately 192.7 million individuals were ultimately affected—the largest healthcare data breach ever recorded. A single vendor failure became a nationwide operational crisis.
Why smaller healthcare facilities are prime ransomware targets
Smaller facilities that have yet to invest time, money, and thought into cybersecurity preparation should do so now because data breaches and ransomware attacks can cause serious disruptions to a facility's workflow and routines and threaten the security of PHI.
The core logic hasn't changed: a leaner budget means leaner defenses, and attackers know it.
What has changed is who's in the crosshairs. Attackers are increasingly hitting smaller providers, specialty clinics, and the business associates that serve them—not just large health systems. Verizon's most recent Data Breach Investigations Report found that breaches involving a third party have surged to nearly 50% of all breaches in just 2 years. If you're a small facility, you're both a target and a potential entry point into everyone you connect with.
5 free cybersecurity steps for healthcare facilities
Are there cybersecurity measures you can take that are also cost-effective?
Yes, there are. In fact, we've made a list of 5 steps you can take that are free.
1. Use the NIST Cybersecurity Framework
In February 2024, the National Institute of Standards and Technology (NIST, a US government agency) released a major update to their Cybersecurity Framework—CSF 2.0—which organizes cybersecurity into 6 functions:
- Govern
- Identify
- Protect
- Detect
- Respond
- Recover
This resource is specifically designed for agencies and businesses of all sizes and across all industries. The agency supports implementation with videos, guides, and FAQs for facilities of all sizes, especially small ones.
Tip: The Small Business Quick-Start Guide is the best entry point—it's built specifically for organizations with modest or no cybersecurity plans in place.
The framework and all of its supporting materials are free to use.
2. Train your staff
Training is a valuable tool for administration and staff. How can your people be part of cybersecurity solutions and preparedness if they aren't aware of the risks or how to avoid or mitigate them?
To meet this need in an affordable yet valuable way, the government provides another free resource built specifically for healthcare facilities.
The HHS offers a free online training platform called Knowledge on Demand through its 405(d) program. 5 training courses are available covering the top 5 cybersecurity threats to healthcare, including ransomware and social engineering. Each training includes interactive videos, presentations, learning management system files, and resource documents.
The 405(d) program's Health Industry Cybersecurity Practices publication also adds mitigation recommendations tailored to facilities of different sizes.
3. Tighten your password policy
When your staff is required to set or update their passwords, what is the minimum character length your systems require?
According to the NIST, the minimum should be 8 characters, but they also recommend that you allow for at least 64 characters. Logically, the longer the password, the more difficult it is to crack. Maintain a password blocklist—a list of words your users are prohibited from using, including your facility's name, local sports teams, and other predictable choices.
Tip: Adopt a password manager so staff only need to remember 1 strong passphrase while every system gets its own unique credential. Many reputable password managers offer free tiers, keeping this step within a zero-dollar budget.
4. Turn on multi-factor authentication (MFA)
Multi-factor authentication requires a second proof of identity—a phone prompt, an authenticator code, a hardware key—before granting access, which means a stolen password alone is no longer enough to get in.
Stolen and abused credentials remain one of the most common ways attackers breach healthcare organizations, and MFA is the most direct countermeasure.
It's also usually free: MFA is built into most modern EHR platforms, email systems (Microsoft 365, Google Workspace), and VPNs—it just has to be turned on and enforced.
Start with the accounts that matter most: email, remote access, and anything with administrative privileges. There's a practical bonus, too. Cyber insurers now routinely require MFA as a condition of coverage, and HHS has proposed updates to the HIPAA Security Rule that would make MFA an explicit requirement. Turning it on now puts your facility ahead of both.
5. Vet and monitor third-party vendor access
The landmark Change Healthcare attack made this step unavoidable: your cybersecurity is only as strong as the vendors connected to your systems. Every scheduling platform, billing service, lab interface, and staffing tool that touches your network or your data is part of your attack surface.
A basic vendor risk review costs nothing but time. For each vendor, ask:
- What data do they touch? PHI, payroll, credentials—know exactly what's exposed if they're breached.
- Do they have an incident response plan? And will they commit to notifying you within a defined window if they're compromised?
- Do they carry cyber insurance? A vendor without coverage may not survive an incident—or compensate you for yours.
- What access do they actually need? Limit vendor accounts to the minimum necessary and enable MFA for them as well.
Keep a simple inventory of vendors, the data they access, and the date you last reviewed them. When a vendor incident makes the news, you'll know within minutes whether your facility is exposed—instead of finding out from your billing department.
Additional cybersecurity investments worth making
Not everything you can and should do to boost your cybersecurity is free. If the budget allows, talk with your IT department about the measures you currently have in place and review the recommendations above with them. Depending on your facility's size and complexity, that conversation may lead to hiring or contracting dedicated cybersecurity expertise—whether a staff analyst or a managed security service.
You likely won’t be the only one having that conversation either. According to a Statista report published this year, 57% of healthcare facilities plan to increase their cybersecurity budgets.
Cyber insurance coverage can be challenging for healthcare facilities to obtain because insurers seek to reduce risk, and the healthcare industry is well known as a target. Nevertheless, by shoring up your facility’s cyber defenses to meet underwriting requirements—which now commonly include MFA, tested backups, and vendor risk management—a facility reduces its risk of a successful attack, whether or not it ultimately buys the policy.
The application process itself functions as a free security audit.
You're not alone in this. Here's where to start
If you're reading this and feeling bad because cybersecurity hasn't been much of a priority for you, as much as, say, staffing shortages, you aren't alone. Healthcare facilities are grappling with major changes and challenges across multiple fronts.
Now is the time to arm yourself with information and take steps to protect your facility from service delivery disruptions and data breaches. Start with step 1 this week: download the NIST quick-start guide and put 30 minutes on the calendar with whoever manages your IT.
See what's shaping healthcare staffing in 2026.
Sources:
- The State of Ransomware in Healthcare 2025 | SOPHOS
- 1 2025 IC3 ANNUAL REPORT
- Cost of a data breach 2025 | IBM
- What is Cybersecurity? | CISA
- Change Healthcare Cybersecurity Incident Frequently Asked Questions | HHS.gov
- 2026 Verizon DBIR
- NIST Special Publication 800-63B
- 2026 HIPAA Security Rule Update: New Requirements to Prepare For | Medcurity










.png)

.png)