Ransomware attacks cost healthcare organizations $21.9 billion in downtime
CFOs can provide leadership on a range of non-technical issues surrounding ransomware risk.
Healthcare organizations lost a cumulative $21.9 billion just in downtime following a ransomware attack over the last six years, an average of $1.9 million daily, according to a recent analysis.
The report by software company Comparitech, which studies cyberattacks across various industries, used available data on downtime and ransom amounts to estimate a range for the likely overall costs of ransomware attacks for medical organizations. It noted downtime after ransomware attacks since 2019 varied from minimal disruption — due to frequent data backups — to months of recovery time.
Healthcare organizations lost an average of more than 17 days to downtime across all years examined. The shortest average downtime — four days — occurred in 2018 and the longest — 27 days — occurred in 2022.
“It is difficult to ascertain just how much is lost in these attacks to paid ransom demands, but there is a cost that affects the majority of attacked organizations: downtime,” wrote the report authors.
Downtime can include shutdowns of hospitals or other sites, as well as limitations on the availability of medical services.
The report noted at least 118 confirmed ransomware attacks on the healthcare sector took place in 2024, along with another 147 unconfirmed attacks, in which ransomware groups claimed attacks but they were not confirmed by the targeted healthcare organization. The known attacks breached more than 15 million patient records in 2024.
The research examined news reports, company notifications and state reporting tools to create estimates of downtime. Each organization’s financial statements and reports also were examined to determine the financial impact of the attacks.
CFO role
The increasing downtime costs from ransomware attacks demonstrate that CFOs need to take a larger role in prevention and preparation for ransomware attacks, said Joe Oleksak, a partner at Plante Moran. The CFO’s leadership of organizations’ business resiliency is a critical consideration in cybersecurity plans.
“For a long time, the CFO has ignored that side of resiliency and just assumed IT has it under control,” said Oleksak. “IT says ‘I’m technical, all I understand is technology and I think the technology is good.’ And usually technology is good. But not all of the investments are being made in the people and the processes.”
CFOs need to bring a focus on business continuity to any cybersecurity planning, he said.
“There’s often a distance between CFOs and CIOs, where CIOs think if this goes down, it’ll take us a week, but we’ll be back up and running,” Oleksak said. “A CFO might hear that week, and go ‘Oh my God, if we’re not up in three hours, we’ve got a huge issue.’”
CFOs need to think through business process controls from a cybersecurity perspective. For example, many business processes rely heavily on the technologies that support operations. When ransomware occurs, those technologies go away.
“And if you haven’t thought about resilience properly, you’re not going to recover in an appropriate amount of time to continue the business,” Oleksak said.
Regulatory changes
The issue could soon take on increased regulatory importance, as well, following the December release of a proposed rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to strengthen cybersecurity protections for electronic protected health information (ePHI).
If the HIPAA rule changes are finalized, federal cybersecurity requirements for healthcare organizations will be much more prescriptive and include annual reviews of their compliance processes, Oleksak said.
“Unfortunately for this industry there is a reckoning coming,” he said. “Self-regulation, self-verification is slowly dying as a concept.”
Other areas for CFO action
CFOs should respond by ensuring their cybersecurity efforts address vulnerabilities outside of technology. For instance, “user awareness” efforts require training all staff on the ways attackers manipulate them to get around cybersecurity technology.
CFOs “need people to build a culture of responsibility around cybersecurity,” he said. “That comes through training, but it also comes through executive sponsorship by leaders who understand how important it is and impress on people how important it is to do their job.”
CFOs should ensure business impact analyses are performed. That entails going beyond policy and procedure to look at the resilience of the people, the processes and the technologies and understand where their weaknesses are.
Vulnerability management programs, which regularly search for cyberattack vulnerabilities within an organization, need to be developed and operated effectively, he said.
Plante Moran frequently finds organizations either lack such programs or the ones they have only are reactive.
“Hackers are looking for what you’re not doing. And if you’re not fixing vulnerabilities, that’s what they’re going to look for,” Oleksak said.
CFOs also need to understand who is making risk decisions and whether it is appropriate for their business.
A CFO may say, “‘Yes, that could affect our business processes but we’re willing to make the investment because it raises the risk exponentially,’” Oleksak said.
Risk decision making also is driven by differing perspectives. Cybersecurity slows things down, while IT leaders and physicians want to speed things up.
“Someone from the business side has to look at cybersecurity and say, ‘Is it appropriately allowing us to do our business in a mature and secure way to enable our business to stay up and running?’” Oleksak said.
Insurance risk
Another role for CFOs is better understanding of the organization’s cybersecurity insurance. That can include understanding what’s covered and not, what the inclusions and exclusions are and how much will be paid out in different circumstances.
“Just because we’re getting money to address a problem doesn’t mean the problem will be addressed in an appropriate amount of time,” he said.
CFOs also should engage with chief legal officers to ensure appropriate notifications to regulators will occur, because such notifications can avoid costly fines.
“What CFOs need to understand is cybersecurity is not an IT issue,” Oleksak said. “IT plays a major role, but the CFO needs to step in and start to define cybersecurity differently in order for health systems to be more effective against ransomware and malware and business email compromise.”