Journal for Practice Managers

How Healthcare Organizations Can Protect Themselves from Cyberattacks

Written by Chris Jones
Reviewed by Vlad Kovalskiy


As modern technology becomes more common in healthcare, the vulnerability to cyber threats continues to increase. Healthcare cyberattacks targeting US organizations have risen sharply over the past several years, compromising the health information and security of tens of millions of Americans. In 2024 alone, healthcare data breaches affected more than 289 million individuals, representing nearly 85% of the US population. Globally, healthcare remains one of the most targeted industries, and the average cost of a healthcare data breach has reached $10.93 million, the highest of any sector.


The Current State of US Healthcare Cyberattacks

The scale of healthcare cyberattacks in the United States has reached a crisis point. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has tracked a steady and steep rise in large healthcare data breaches since 2009. Between 2022 and 2023, the number of individuals affected by healthcare data breaches increased by more than 193%. Between 2023 and 2024, that number surged by another 58%, driven largely by a wave of mega breaches targeting third-party vendors and critical healthcare infrastructure.

The drivers behind this surge are varied. The rapid expansion of digital health technologies, including telemedicine, cloud-based electronic health records, and internet-connected medical devices, has dramatically expanded the attack surface for healthcare organizations. Remote work adoption, accelerated during the COVID-19 pandemic, introduced new vulnerabilities as employees accessed clinical systems from home networks without enterprise-grade security controls. Nation-state threat actors, organized ransomware groups, and financially motivated cybercriminals have all identified healthcare as a high-value, high-vulnerability target.

Attackers are drawn to healthcare for several reasons. Patient records contain a rich combination of personally identifiable information (PII), financial data, and medical history, making them far more valuable on the dark web than a standard credit card number. Healthcare organizations also face intense pressure to restore operations quickly, which makes them more likely to pay ransoms.

Specific threat vectors targeting US healthcare organizations today include:

  • Business email compromise (BEC): Attackers impersonate executives or vendors to trick employees into transferring funds or revealing credentials. BEC is one of the costliest attack types in healthcare.
  • Exploited VPNs and remote access tools: Unpatched virtual private network appliances and remote desktop protocol (RDP) services have served as common entry points for ransomware groups. Healthcare organizations that rapidly expanded remote access during the pandemic often did so without sufficient security hardening.
  • Phishing and spear-phishing: Targeted email campaigns remain the most common initial access vector, using deceptive messages designed to steal credentials or deliver malware.
  • Supply chain attacks: Rather than targeting a hospital directly, attackers compromise a widely used third-party vendor or software provider. The downstream impact can affect hundreds or thousands of healthcare organizations simultaneously.
  • Medical device cybersecurity vulnerabilities: Interconnected medical devices, including infusion pumps, imaging systems, and patient monitors, often run outdated operating systems and lack robust authentication controls. These devices create entry points directly onto clinical networks and are increasingly exploited as attack vectors. The FDA has introduced cybersecurity requirements for new medical devices, but legacy equipment remains a significant gap.

Case Studies: The Impact of Change Healthcare and Black Basta

Two attacks in particular illustrate just how devastating healthcare cyberattacks have become for US patients and providers.

The Change Healthcare Cyberattack

On February 21, 2024, the Russian ransomware group ALPHV BlackCat launched an attack against Change Healthcare, a subsidiary of UnitedHealth Group. Change Healthcare is the largest health payment processing company in the United States, annually processing 15 billion healthcare transactions and touching one in every three patient records. The attack encrypted and incapacitated significant portions of Change Healthcare's systems.

The consequences were catastrophic and nationwide. A March 2024 survey of nearly 1,000 hospitals by the American Hospital Association (AHA) found:

  • 74% reported direct patient care impact, including delays in authorizations for medically necessary care.
  • 94% reported the attack impacted them financially.
  • 33% reported the attack disrupted more than half of their revenue.
  • 60% required between two weeks and three months to resume normal operations.

Many hospitals were forced to pull from cash reserves or take out emergency loans to cover payroll, medical supplies, and essential services while manual processes replaced automated ones. The Change Healthcare cyberattack demonstrated that attacking a single critical third-party vendor can effectively hold the entire US healthcare system hostage.

The Black Basta Ransomware Group

Black Basta is a ransomware-as-a-service group that has encrypted and stolen data from at least 12 of 16 critical infrastructure sectors, with healthcare among its most frequent targets. CISA, the FBI, HHS, and MS-ISAC have issued joint advisories warning healthcare organizations about Black Basta's tactics, which include exploiting known VPN vulnerabilities, deploying credential harvesting tools, and using double extortion: encrypting files while also threatening to publish the stolen data. Attacks attributed to Black Basta have disrupted hospital operations across the country, forcing care diversions and restricting access to patient records.

Together, these cases illustrate a core truth: in healthcare, a cyberattack is not just a technology problem. It is a patient safety emergency.

Cyber Risk Is Patient Risk

Unlike a data breach at a retailer or financial institution, a cyberattack on a hospital or health system can directly harm patients. When clinical systems go down, care delivery is disrupted in ways that have measurable consequences for health outcomes.

Documented patient safety impacts of healthcare cyberattacks include:

  • Ambulance diversions: Hospitals that cannot access electronic systems are often forced to divert incoming ambulances to other facilities, increasing transport times for critically ill patients.
  • Delayed procedures and diagnostic results: Ransomware attacks that encrypt laboratory systems, imaging archives, and scheduling platforms force clinicians to delay surgeries, cancer treatments, and time-sensitive diagnostics.
  • Compromised medical devices: Cyberattacks that reach clinical networks can affect networked infusion pumps, ventilators, and monitoring equipment, creating direct risks to patients receiving treatment.
  • Access loss to medication records: When pharmacy systems are knocked offline, care teams may lack access to patient medication histories, increasing the risk of dosing errors or dangerous drug interactions.

A 2025 narrative review published in a peer-reviewed journal found that the number of cybersecurity incidents affecting hospital systems has tripled over the past decade. The review identified cyber incidents as a genuine public health concern requiring multi-level prevention and preparedness strategies. As CISA has stated plainly: "Cyber Safety is Patient Safety."

Healthcare organizations must understand that investment in cybersecurity is not simply an IT budget decision. It is a clinical governance responsibility.

US Regulatory Compliance: HIPAA and HHS Cybersecurity Goals

US healthcare organizations operate under a specific and evolving set of federal cybersecurity requirements. Understanding these obligations is essential for compliance and for building an effective security posture.

HIPAA Cybersecurity Requirements

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). HIPAA cybersecurity requirements include conducting regular risk assessments, implementing access controls, encrypting ePHI where appropriate, establishing audit controls, and maintaining policies for responding to security incidents. The HHS OCR enforces the HIPAA Security Rule and can impose civil monetary penalties for violations, with fines reaching into the millions of dollars for willful neglect.

Importantly, HIPAA also includes a breach notification requirement. Covered entities must notify affected individuals, HHS, and, in cases involving more than 500 residents of a state or jurisdiction, local media, following the discovery of a breach of unsecured ePHI. Notifications must be made without unreasonable delay and within 60 days of discovery.

HHS 405(d) and the Cybersecurity Performance Goals

The HHS 405(d) program, established under the Cybersecurity Act of 2015, is a public-private partnership designed to align healthcare industry security approaches. It produced the Health Industry Cybersecurity Practices (HICP), a set of voluntary but widely recognized technical volumes and implementation guides covering the most impactful cybersecurity practices for healthcare organizations of all sizes.

In 2024, HHS released the Healthcare and Public Health Cybersecurity Performance Goals (CPGs), developed in coordination with CISA. The cybersecurity performance goals are divided into Essential Goals, a foundational set of high-priority controls all healthcare organizations should implement, and Enhanced Goals, which represent more advanced practices for organizations with greater resources. Essential CPGs include mitigating known vulnerabilities, implementing multi-factor authentication, and establishing basic incident response capabilities. The CPGs are voluntary, but HHS has signaled its intent to tie them to future funding and regulatory incentives.

Healthcare administrators should treat the CPGs as a practical roadmap for improving their security posture, regardless of organization size.

Federal Resources for US Healthcare Cybersecurity

US healthcare organizations do not have to navigate the threat landscape alone. Several federal programs and resources exist specifically to support the healthcare and public health (HPH) sector.

  • Health Sector Cybersecurity Coordination Center (HC3): Operated by HHS, HC3 produces regular threat intelligence briefings, analyst notes, and sector alerts specifically tailored to healthcare organizations. HC3 reports are publicly available and provide actionable information on active threat actors, vulnerabilities, and defensive recommendations.
  • HHS 405(d) Program: Beyond the CPGs, the 405(d) program provides free resources, including the HICP guides and awareness and training materials, to help healthcare organizations of all sizes implement recognized security practices. Resources are available at 405d.hhs.gov.
  • Multi-State Information Sharing and Analysis Center (MS-ISAC): MS-ISAC, operated by the Center for Internet Security (CIS), provides cybersecurity services and threat intelligence to state, local, tribal, and territorial governments, including public health agencies. It issues joint advisories with CISA and the FBI and can provide incident response support.
  • Cybersecurity and Infrastructure Security Agency (CISA): CISA offers free vulnerability scanning, cybersecurity assessments, and training resources to critical infrastructure operators, including healthcare organizations. Healthcare entities can contact CISA directly to request support through their regional advisors.
  • FBI Cyber Division: The FBI investigates ransomware and other significant cyber incidents targeting US healthcare organizations. Reporting to the FBI via IC3.gov helps law enforcement track threat actors and may support recovery efforts.

Incident Response: What to Do When Your Organization Is Breached

Even well-prepared organizations can experience a breach. Having a defined incident response plan specific to the US healthcare environment is essential for minimizing harm and meeting legal obligations.

Immediate steps upon discovery:

  1. Contain and isolate: Disconnect affected systems from the network to prevent further spread of malware. Where possible, avoid powering systems off before forensic images are captured, since volatile evidence such as memory contents is lost on shutdown and may be needed later.
  2. Activate your incident response team: Notify your CISO, legal counsel, and executive leadership immediately. Engage a qualified cybersecurity incident response firm if you do not have internal forensic capability.
  3. Contact federal authorities:
    • Report ransomware and significant cyber incidents to CISA via cisa.gov/report or by calling 1-888-282-0870.
    • File a complaint with the FBI at IC3.gov. The FBI Cyber Division can provide operational support and threat intelligence.
    • Notify HHS OCR of any breach of ePHI. For breaches affecting 500 or more individuals, notification must occur within 60 days of discovery. OCR's breach reporting portal is available at hhs.gov/hipaa/breaches.
  4. Preserve evidence: Document the timeline of events, preserve logs, and avoid making changes to affected systems before forensic analysis is complete.
  5. Assess scope: Determine what data was accessed or exfiltrated, which systems were affected, and whether patient care has been or could be impacted.
  6. Notify affected individuals: Under HIPAA, affected patients must be notified following confirmed breaches of ePHI. Work with legal counsel to determine the correct notification timeline and method.
  7. Review and remediate: After recovery, conduct a root cause analysis, patch the vulnerability that was exploited, and update your risk assessment and security policies accordingly.
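The HIPAA notification rules stated in the compliance section and in step 3 above can be encoded so that a response team sees its deadlines at a glance. This is an added example, not code from the article or from Medesk; the breach record in it is constructed, and the thresholds are taken only from the text of this page (final notification decisions still go through counsel, as step 6 says).

```python
"""Work out who must be notified, and by when, after a breach of unsecured ePHI."""
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)  # outer limit for individual and HHS notice after discovery
HHS_PROMPT_THRESHOLD = 500          # 500 or more individuals: HHS notice within the 60-day window
MEDIA_THRESHOLD = 500               # more than 500 residents of one state: local media notice there


def notification_plan(discovered_iso: str, affected_by_state: dict) -> dict:
    """Map a discovery date and per-state victim counts to the notification duties.

    discovered_iso: discovery date as 'YYYY-MM-DD'.
    affected_by_state: {"CA": 600, ...} affected individuals per state or jurisdiction.
    Returns ISO date strings for dated duties, or a short label where no dated duty applies.
    """
    if not affected_by_state or any(n < 0 for n in affected_by_state.values()):
        raise ValueError("affected_by_state must give a non-negative count per state")
    total = sum(affected_by_state.values())
    deadline = (date.fromisoformat(discovered_iso) + NOTICE_WINDOW).isoformat()
    return {
        "total_affected": total,
        # Individuals are always notified: without unreasonable delay and within 60 days.
        "individuals_by": deadline,
        # HHS OCR gets notice in the same window for 500+; smaller breaches go in the annual log.
        "hhs_by": deadline if total >= HHS_PROMPT_THRESHOLD else "annual log to OCR",
        # Media notice is decided per state, not on the national total.
        "media_states": sorted(s for s, n in affected_by_state.items() if n > MEDIA_THRESHOLD),
    }


def days_remaining(deadline_iso: str, today_iso: str) -> int:
    """Days left until a dated duty; a negative value means it is overdue."""
    return (date.fromisoformat(deadline_iso) - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    # Constructed breach: discovered 2024-02-21; 600 Californians and 300 New Yorkers affected.
    plan = notification_plan("2024-02-21", {"CA": 600, "NY": 300})
    for duty, value in plan.items():
        print(f"{duty}: {value}")
    print("days left for HHS notice as of 2024-04-01:", days_remaining(plan["hhs_by"], "2024-04-01"))
```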

Organizations that have engaged HC3, MS-ISAC, or CISA before an incident occurs are better positioned to receive rapid support when one happens. Establishing these relationships proactively is strongly recommended.

How Organizations and Individuals Can Stay Protected

Phishing, ransomware, and other types of cyberattacks against healthcare organizations are on the rise. It's imperative that healthcare providers, medical research facilities, and other healthcare institutions invest in cybersecurity to protect themselves from these threats. Engaging penetration testing companies can help identify security weaknesses before malicious actors exploit them. One of the most effective investments today is in DMARC solutions for business, which offer scalable email security tailored to organizational needs.

To combat these growing threats, healthcare organizations should implement the SPF, DKIM, and DMARC protocols, which work together to authenticate email senders and protect against phishing and email spoofing attacks. In this section, we look at some of the measures healthcare organizations can take to reduce their cybersecurity risk.
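Publishing SPF and DMARC records is only half the job; a record set to "monitor only" still lets spoofed mail through. The following audit, an added example that is not code from the article or from Medesk, parses the two DNS TXT record types named above and flags the settings that leave a domain spoofable, using constructed sample records for example.com rather than live DNS lookups.

```python
"""Audit a domain's SPF and DMARC TXT records for settings that still allow spoofing."""
import re

# Constructed sample records for example.com: a "monitoring only" pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.com include:mail.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:_spf.example.com -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# Mechanisms that each cost a DNS lookup; SPF evaluation fails (permerror) past 10 of them.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def audit_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or malformed"]
    findings = []
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    all_terms = [t for t in terms[1:] if ALL_TERM.match(t)]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    else:
        qualifier = ALL_TERM.match(all_terms[-1]).group(1) or "+"
        if qualifier in "+?":
            findings.append(f"SPF: '{all_terms[-1]}' lets unlisted senders pass or stay neutral")
        elif qualifier == "~":
            findings.append("SPF: '~all' only softfails spoofed mail; use '-all' once DMARC is enforced")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record ('tag=value; tag=value') into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or unknown policy '{policy}'")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports show who is spoofing you")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def audit_domain(spf_record: str, dmarc_record: str) -> list:
    """Combine both audits for one domain."""
    return audit_spf(spf_record) + audit_dmarc(dmarc_record)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, audit_domain(spf, dmarc) or ["no weaknesses found"])
```

To audit a real domain, fetch the TXT records at the apex and at `_dmarc.<domain>` (with `dig`, for example) and pass them to `audit_domain`.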

Backup Your Data

As stated earlier in the article, ransomware has become very common, targeting both organizations and individuals. This type of threat is one of the reasons you need to back up your data. Even the most security-conscious companies remain susceptible to ransomware attacks, which is why organizations in the healthcare sector need to back up their data regularly. With a proper backup, you can retrieve your data and restore operations when disaster strikes.

Encrypt Personal Devices

The use of personal devices in the retrieval, transmission, and collection of electronic health records has increased during the pandemic. Bring Your Own Device (BYOD) arrangements present a significant cybersecurity risk to the confidentiality of health information. Encrypt your smartphones, tablets, and computers to protect healthcare data. Encryption uses cryptography to transform stored information so that, without the key, it appears to be random, unintelligible data.

Encrypting your devices makes it harder for cybercriminals to break into them and steal sensitive information; these are concepts that any comprehensive cybersecurity course covers.

Improve Password Security

Passwords are essential to data security. The vast majority of cyberattacks result from weak or stolen passwords. This is not surprising, given that many people don't take password management seriously. For instance, 'password' is among the top 25 most commonly used passwords across the globe. Use strong passwords to prevent attackers from gaining access to your devices via brute force. You can use an open-source password manager app to generate and store strong passwords.

Protect Your Wi-Fi

A Virtual Private Network (VPN) has become a vital security tool for individuals and organizations. VPNs are popular for their online privacy benefits, but they can also improve your organization's security. A VPN uses protocols, servers, and encryption to conceal sensitive data from malicious actors on the internet. For instance, using a VPN prevents cybercriminals on the same network from intercepting, modifying, or stealing sensitive personal and organizational data, including login credentials, patient health records, and emails, and from tracking your location through your IP address. If you're concerned about online privacy, you can use a "what is my IP" lookup to see what information is publicly visible and take the necessary precautions.

Cybersecurity experts from Cybernews recommend reading their Surfshark VPN review to explore how a trusted VPN service can further bolster your online privacy and security.


Install Antivirus

The vast majority of cybersecurity threats in the healthcare industry are malware-related. When it comes to protecting against malware threats such as ransomware, installing antivirus or antimalware software (on a Mac, scanning with CleanMyMac is one option) can go a long way. Antivirus programs can detect and remove malicious software and Potentially Unwanted Programs (PUPs) from your system. Security software such as antivirus protects against a wide range of malware, including viruses, Trojans, spyware, and adware, but it does not guarantee protection against ransomware.

Keep Software Up To Date

Update your software regularly to keep cybersecurity threats at bay. Hackers will often attempt to exploit vulnerabilities within your system to gain access to valuable data. Software providers consistently release updates for their applications to keep them secure. Ensure that you install these updates as soon as they are made available. Keeping your operating system, applications, and third-party plugins up to date prevents hackers from accessing your system through vulnerabilities in your installed software.

Cybersecurity Training

We all make mistakes, and cybercriminals are looking for every opportunity to exploit them. Hackers target the human element for their most effective attacks. They employ social engineering tactics such as phishing, spoofing, etc., to exploit human weaknesses. Healthcare organizations need to address the human element in their vulnerability to cybersecurity risks to defend against these threats effectively. Security awareness training can keep workers aware of the danger as well as the most common cyberattack tactics and how to protect against them.

Beyond reactionary measures, a robust action plan is paramount. Educating your staff on the importance of incident response goes beyond identifying threats. To truly fortify your healthcare organization, taking proactive steps to build an incident response plan tailored to your specific needs ensures not only preparedness but resilience against potential cyber threats.



Cyberattacks targeting US healthcare organizations are growing in both frequency and severity. When it comes to defending against these cybersecurity threats, being proactive is the best approach. Take a close look at your systems to find out where you are exposed. Use the federal resources available to you, including HC3, CISA, and the HHS 405(d) program, to benchmark your defenses against recognized standards. Then take targeted measures to address the gaps. The tools and guidance in this article provide a strong foundation for protecting your organization and the patients who depend on it.

Frequently Asked Questions

  1. What are the most common types of healthcare cyberattacks in the US?

Ransomware remains the most disruptive attack type, but business email compromise (BEC), phishing, exploited VPN vulnerabilities, and supply chain attacks are all significant threats. Attackers frequently combine techniques, using phishing to steal credentials and then deploying ransomware once they have network access.

  2. Is a healthcare organization liable for a data breach?

Yes. Under HIPAA, covered entities and their business associates can face civil and criminal liability for breaches of electronic protected health information (ePHI), particularly where a risk assessment was not conducted or reasonable safeguards were not in place. HHS OCR has levied fines ranging from thousands to millions of dollars depending on the level of negligence involved.

  3. What are the HIPAA reporting requirements after a breach?

Following discovery of a breach involving unsecured ePHI, covered entities must notify affected individuals without unreasonable delay and within 60 days. For breaches affecting 500 or more individuals, HHS OCR must also be notified within 60 days, and local media outlets in affected states must be notified as well. All breaches, regardless of size, must be reported to OCR at least annually.

  4. How do I report a ransomware attack on my healthcare organization?

You should report to three federal bodies concurrently. File a report with CISA at cisa.gov/report or by phone, submit a complaint to the FBI's Internet Crime Complaint Center at IC3.gov, and notify HHS OCR through the breach reporting portal at hhs.gov/hipaa/breaches if ePHI was involved. Contacting these agencies early can provide access to technical assistance and support recovery efforts.

  5. What is the HHS 405(d) program and why does it matter for small practices?

The HHS 405(d) program provides free, practical cybersecurity guidance tailored specifically to healthcare organizations, including small and medium-sized practices that may lack dedicated IT security staff. Its Health Industry Cybersecurity Practices (HICP) guides offer actionable steps organized by organization size and are widely regarded as a baseline for HIPAA-aligned security. Small practices can access all resources free of charge at 405d.hhs.gov.

  6. What are the Healthcare and Public Health Cybersecurity Performance Goals?

The cybersecurity performance goals (CPGs) are a set of prioritized security practices developed by HHS and CISA to help healthcare organizations focus their limited resources on the controls most likely to reduce risk. Essential CPGs cover foundational measures such as multi-factor authentication, asset inventory, and vulnerability patching. Enhanced CPGs cover more advanced capabilities. While currently voluntary, HHS has indicated the CPGs may be tied to future regulatory requirements and funding conditions.
