MedCity Influencers

The Changing Landscape of Ransomware: Why Healthcare Organizations Are Paying Less

Threat actors continue to refine their strategies, and the financial incentives for cybercrime persist. However, the combination of stronger defenses, regulatory pressure, and industry collaboration is starting to shift the balance in favor of defenders.

Ransomware has long been a persistent and costly threat to healthcare organizations, which hold vast amounts of sensitive patient data and operate under critical, time-sensitive conditions. The disruption caused by these attacks can have life-threatening consequences, delaying essential treatments and compromising patient safety. Historically, the urgency of restoring services quickly and avoiding disruptions compelled many victims to pay ransoms. But that’s starting to change. As healthcare organizations boost their cybersecurity investments — with IT budget allocations rising from 10% in 2020 to 14% in 2024 — fewer victims are paying ransoms, thanks to stronger defenses and heightened regulatory scrutiny.

Overall, ransomware payments in the U.S. dropped 35% in 2024, totaling $813 million, down from $1.25 billion in 2023. The median ransom payment also fell 45% in Q4 2024 to $110,890, as payments remain largely a last-resort option for those without alternatives to recover critical data. Healthcare Information and Management Systems Society (HIMSS) researchers also noted a decline in the number of ransomware victims reporting ransom payments. While these declining figures raise the question of whether paying cybercriminals is becoming the exception rather than the norm, the persistent innovation of threat actors, who are actively adapting to growing cybersecurity maturity, cautions against premature conclusions.

Strengthened backups and enhanced security measures


One of the most effective deterrents to paying ransomware demands is having a robust backup and disaster recovery strategy. In the past, many healthcare organizations lacked adequate redundancy, leaving them with few options beyond paying attackers to restore access to their systems. However, the industry has made significant progress by investing in modern backup solutions, including immutable storage, air-gapped backups, and real-time data replication. Restoration from backups is rarely instantaneous, though. This makes having documented and practiced continuity plans critical for maintaining operations without key technology.

These measures significantly reduce the leverage attackers hold. With reliable, easily restorable backups and rehearsed continuity plans, healthcare providers can refuse ransom demands and recover systems independently. Additionally, security tools that improve an organization's security posture, such as endpoint detection and response (EDR), managed detection and response (MDR), and zero-trust architectures, are making it harder for ransomware to gain a foothold in the first place.
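A backup is only leverage against a ransom demand if it can actually be restored, within the recovery time the organization can tolerate, and without having been altered after it was taken. The script below is an added example (not part of the original article and not code from any vendor named in it) of the kind of restore drill the paragraph above calls for: it copies a backup set into a scratch directory, times the restore, and checks every restored file against a SHA-256 manifest held apart from the backup copy, as an immutable or air-gapped copy would be. The sample files, the manifest location and the RTO value are constructed for the example.

```python
"""Restore drill for a backup set (added example with constructed data).

Copies a backup into a scratch directory, times the restore, and verifies
each restored file against a SHA-256 manifest kept apart from the backup
copy (the role an immutable or air-gapped copy plays in practice).
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup objects are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(source_dir: Path, manifest_path: Path) -> dict:
    """Record relative path -> SHA-256 for every file under source_dir."""
    manifest = {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup_dir: Path, manifest_path: Path,
                       restore_dir: Path, rto_seconds: float) -> dict:
    """Restore backup_dir into restore_dir, then check it against the manifest."""
    start = time.monotonic()
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    elapsed = time.monotonic() - start

    manifest = json.loads(manifest_path.read_text())
    mismatched, missing = [], []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            missing.append(rel)            # file absent from the restored copy
        elif sha256_file(target) != expected:
            mismatched.append(rel)         # content differs from what was backed up
    within_rto = elapsed <= rto_seconds
    return {
        "ok": not mismatched and not missing and within_rto,
        "mismatched": mismatched,
        "missing": missing,
        "seconds": elapsed,
        "within_rto": within_rto,
    }


def run_drill(tamper: bool = False, rto_seconds: float = 60.0) -> dict:
    """Build a constructed backup set, optionally alter the copy, and run the drill."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "records").mkdir(parents=True)
        # Constructed placeholder content; no real patient data.
        (live / "records" / "patient-0001.txt").write_text("constructed record A\n")
        (live / "records" / "patient-0002.txt").write_text("constructed record B\n")
        (live / "schedule.csv").write_text("date,room\n2024-01-01,OR-3\n")

        manifest_path = root / "manifest.json"   # stored apart from the backup copy
        write_manifest(live, manifest_path)
        backup = root / "backup"
        shutil.copytree(live, backup)

        if tamper:
            # Simulate a backup copy that was changed or lost after it was taken.
            (backup / "records" / "patient-0002.txt").write_text("altered\n")
            (backup / "schedule.csv").unlink()

        return restore_and_verify(backup, manifest_path, root / "restore", rto_seconds)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("tampered drill:", run_drill(tamper=True))
```

The design point is that the manifest is written from the live data and kept on a separate path from the backup copy; a backup that can rewrite its own checksums proves nothing. In a real environment the restore step would target the organization's recovery platform and the elapsed time would be compared with the documented RTO for that system.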

The role of cyber insurance and regulatory pressure

Cyber insurance providers have become a key driver in reducing ransom payments. Previously, many policies covered ransom payments outright, leading to a cycle where organizations would pay attackers and seek reimbursement. However, insurers have since adjusted their risk models. Today, cyber insurance policies impose stricter security requirements, often mandating multifactor authentication (MFA), endpoint protection, and incident response plans before coverage is granted. These security requirements significantly reduce the likelihood of suffering an attack, thus lowering the likelihood a payment will be required. Some providers have even reduced or eliminated ransom payment coverage altogether, making it financially impractical for victims to comply with attackers’ demands.


At the same time, government regulations are increasing the risks associated with making payments. In the U.S., the Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued warnings that organizations paying ransoms to groups linked to sanctioned entities could face legal consequences. Given that many ransomware groups have ties to sanctioned regions, healthcare providers face significant liability if they choose to pay.

For healthcare organizations, this means that paying a ransom carries costs beyond the payment itself: regulatory penalties and reputational damage can follow. The risk of inadvertently funding a sanctioned cybercriminal organization adds another layer of deterrence.

Threat actors shift to data exfiltration and extortion

As direct ransomware payments decline, cybercriminals are adapting their tactics. Many groups have shifted away from traditional encryption-only attacks toward data exfiltration and extortion. Instead of only locking organizations out of their systems, attackers steal sensitive patient records, financial data, and proprietary information, threatening to release it publicly if their demands aren’t met.

This strategy allows cybercriminals to bypass traditional defenses such as backups and file encryption protection, which are ineffective against data leaks. While organizations may recover their infrastructure without paying, the risk of exposing protected health information (PHI) creates a new pressure point for victims. Given the stringent data privacy laws governing healthcare, including HIPAA, a breach involving patient data can lead to severe regulatory fines and class-action lawsuits.
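Because backups do nothing against a data leak, the defensive emphasis for extortion shifts to noticing large outbound transfers before the data is gone. The script below is an added example (not from the original article) of one simple detection: it sums outbound bytes per host to destinations outside the organization's own address ranges and flags hosts whose daily egress is far above their baseline, or that have no baseline at all. The flow records, the internal network list and the baseline figures are constructed for the example; a real deployment would feed it from firewall, proxy or NetFlow exports.

```python
"""Outbound-volume anomaly check (added example with constructed data).

Sums bytes sent per host to destinations outside the configured internal
ranges and flags hosts whose daily external egress exceeds a multiple of
their baseline, or that have no baseline yet.
"""
import ipaddress
from collections import defaultdict

# Constructed internal ranges; use the organization's real allocations in practice.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flows for one day: (source host, destination IP, bytes sent).
# External addresses use RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("ws-radiology-01", "10.20.0.5", 5_000_000),       # internal PACS traffic, ignored
    ("ws-radiology-01", "203.0.113.40", 40_000),       # small external transfer
    ("ws-billing-07", "198.51.100.9", 1_200_000),
    ("ws-billing-07", "198.51.100.9", 900_000),
    ("db-ehr-02", "10.20.0.9", 80_000_000),            # internal replication, ignored
    ("db-ehr-02", "203.0.113.77", 12_000_000_000),     # 12 GB to an external host
    ("ws-new-03", "192.0.2.25", 500_000_000),          # host with no baseline yet
]

# Constructed per-host baseline of typical daily external egress, in bytes.
BASELINE_EXTERNAL_BYTES = {
    "ws-radiology-01": 50_000,
    "ws-billing-07": 2_000_000,
    "db-ehr-02": 100_000_000,
}


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_egress_by_host(flows) -> dict:
    """Total bytes each host sent to external destinations."""
    totals = defaultdict(int)
    for host, dst, nbytes in flows:
        if is_external(dst):
            totals[host] += nbytes
    return dict(totals)


def flag_hosts(flows, baseline: dict, multiple: float = 5.0) -> list:
    """Return findings for hosts above `multiple` x baseline or with no baseline."""
    findings = []
    for host, total in external_egress_by_host(flows).items():
        base = baseline.get(host)
        if base is None:
            findings.append({"host": host, "bytes": total,
                             "ratio": None, "reason": "no baseline"})
        elif total >= multiple * base:
            findings.append({"host": host, "bytes": total,
                             "ratio": total / base, "reason": "above baseline"})
    # Largest transfers first, so the most urgent host is at the top of the report.
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for finding in flag_hosts(SAMPLE_FLOWS, BASELINE_EXTERNAL_BYTES):
        print(f"{finding['host']}: {finding['bytes']:,} bytes ({finding['reason']})")
```

Internal ranges are listed explicitly rather than derived from a library's notion of "private" addresses, because what counts as internal is an organizational fact (VPN pools, partner links, cloud VPCs) and because documentation ranges used in samples would otherwise be misclassified. A volume threshold is a coarse signal; it is most useful alongside destination reputation and the identity of the account driving the transfer.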

Law enforcement and industry collaboration

Another major factor influencing the decline in ransomware payments is increased collaboration between law enforcement and the private sector. Federal agencies, including the FBI and CISA, strongly discourage paying ransoms and have developed specialized task forces to track, disrupt, and dismantle ransomware operations. These agencies often assist victims by providing decryption keys, sharing intelligence on threat actors, and identifying attack patterns to mitigate further incidents.

The healthcare industry has also strengthened its information-sharing efforts. Organizations such as the Health Information Sharing and Analysis Center (H-ISAC) facilitate real-time collaboration, enabling providers to stay ahead of emerging threats and implement best practices.

The road ahead

Despite these positive developments, ransomware remains a significant threat to the healthcare sector. Threat actors continue to refine their strategies, and the financial incentives for cybercrime persist. However, the combination of stronger defenses, regulatory pressure, and industry collaboration is starting to shift the balance in favor of defenders.

For healthcare organizations, the key takeaway is clear: continued investment in cybersecurity and resilience is essential. By proactively implementing robust security frameworks, maintaining up-to-date backups, and adhering to regulatory guidance, healthcare providers can reduce their risk and contribute to the broader effort to dismantle ransomware ecosystems.

Photo: boonchai wedmakawand, Getty Images

Chris Henderson runs Threat Operations and Internal Security at Huntress. He has been securing MSPs and their clients for over 10 years through various roles in Software Quality Assurance, Business Intelligence, and Information Security.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.