Survey: Two-thirds of health care organizations hit by ransomware in past year

Recovery from ransomware attacks is taking longer — sometimes more than a month — as attacks increase against the health care industry, according to a survey published last week by cybersecurity firm Sophos.  

About two-thirds of respondents said they were hit by a ransomware attack in the past year, up from 60% the year prior. Just 34% said they were hit by a ransomware attack in Sophos’ 2021 report.  

Recovery times have also increased. Only 22% of victims fully recovered from the attack in less than a week, compared with 47% in the year prior. Nearly 40% took more than a month to return to normal operations. 

Increased ransomware attacks in the health care sector come as other industries face fewer incidents, according to the survey, which included more than 400 respondents from health care organizations. 

Nearly 60% of respondents from all sectors reported an attack in the 2024 survey, down from 66% in the previous two years. Health care has the second-highest rate of ransomware attacks globally, second only to federal governments, according to the report.  

When ransomware attacks succeed, they can have serious consequences for health care organizations. On average, nearly 60% of an organization’s computers are affected by an attack, according to the survey. 

Nearly all companies hit by a ransomware attack in the past year said cybercriminals attempted to compromise their backed up data, and about two-thirds of organizations said they were successful. 

Without backups, outcomes were often worse — organizations reported higher ransom demands, and they were more likely to shell out money to return access to their data. Median overall recovery costs doubled, according to the survey.  

Though nearly all organizations got their data back, about half said they ended up paying a ransom — which the FBI advises organizations to avoid, given it could encourage cybercriminals and incentivize more attacks.  

Paying a ransom can also be pricey. The median payment for ransomware attacks was $1.5 million, according to the Sophos survey. Victims also rarely paid the initial amount demanded by cybercriminals; nearly 60% paid more than the first demand. 

Patching software vulnerabilities is key for health care organizations to avoid ransomware attacks, Sophos said. But hospitals often struggle to stay on top of software updates and patches, which could require them to take devices offline, experts say.  

Health care companies should use multi-factor authentication, which uses a second method to verify a user’s identity, and train workers to detect malicious emails or phishing attempts to help prevent incidents, the cybersecurity firm added.