
The changing landscape of ransomware: why health care organizations pay less

Ransomware has long been a persistent and costly threat to health care organizations, which hold large amounts of sensitive patient data and operate in critical, time-sensitive conditions. The disruption caused by these attacks can have potentially fatal consequences, delay essential treatments and compromise patient safety. Historically, the urgency of quickly restoring services and avoiding disruption forced many victims to pay ransoms. But that is starting to change. As health care organizations increase their cybersecurity investments, with IT budget allocations rising from 10% in 2020 to 14% in 2024, fewer victims are paying ransoms, thanks to stronger defenses and increased regulatory scrutiny.

Overall, ransomware payments in the United States dropped by 35% in 2024, totaling $813 million, compared to $1.25 billion in 2023. The median ransom payment also dropped by 45% in the fourth quarter of 2024 to $110,890, because payments remain largely a last-resort option for those without alternatives to recover critical data. Researchers from the Healthcare Information and Management Systems Society (HIMSS) have also noted a drop in the number of ransomware victims reporting ransom payments. Although these decreasing figures raise the question of whether paying cybercriminals is becoming the exception rather than the norm, the persistent innovation of threat actors, who actively adapt to the growing maturity of cybersecurity, warns against premature conclusions.

Strengthened backups and improved security measures

One of the most effective deterrents to paying ransomware demands is having a robust backup and disaster recovery strategy. In the past, many health care organizations lacked adequate redundancy, leaving them few options beyond paying attackers to restore access to their systems. However, the industry has made significant progress by investing in modern backup solutions, including immutable storage, air-gapped backups and real-time data replication. Restoring from backups is rarely instantaneous, however. This makes documented and practiced continuity plans essential for maintaining operations without key technology.

These measures considerably reduce the leverage attackers hold. With reliable, easily restorable backups and rehearsed continuity plans, health care providers can refuse ransom demands and recover systems independently. In addition, security tools that improve an organization's security posture, such as endpoint detection and response (EDR), managed detection and response (MDR) and zero-trust architectures, make it more difficult for ransomware to gain a foothold in the first place.

The role of cyber insurance and regulatory pressure

Cyber insurance providers have become a key driver in reducing ransom payments. Previously, many policies covered ransom payments, leading to a cycle in which organizations would pay the attackers and request reimbursement. However, insurers have since adjusted their risk models. Today, cyber insurance policies impose stricter security requirements, often mandating multifactor authentication (MFA), endpoint protection and incident response plans before coverage is granted. These security requirements considerably reduce the probability of suffering an attack, thereby reducing the probability that a payment will be necessary. Some providers have even reduced or eliminated coverage of ransom payments, which makes it financially impractical for victims to comply with the attackers' demands.

At the same time, government regulations increase the risks associated with making payments. In the United States, the Treasury Department's Office of Foreign Assets Control (OFAC) has issued warnings that organizations paying ransoms to groups related to sanctioned entities could face legal consequences. Given that many ransomware groups have links with sanctioned regions, health care providers face significant liability if they choose to pay.

For health care organizations, this means that beyond financial considerations, paying a ransom could lead to additional regulatory penalties and reputational damage beyond the cost of the ransom. The risk of inadvertently funding a sanctioned cybercriminal organization adds another layer of deterrence.

Threat actors move towards data exfiltration and extortion

As direct ransomware payments decrease, cybercriminals adapt their tactics. Many groups have moved away from traditional encryption-only attacks towards data exfiltration and extortion. Instead of only locking organizations out of their systems, attackers steal sensitive patient data, financial data and proprietary information, threatening to release it publicly if their demands are not met.

This strategy allows cybercriminals to bypass traditional defenses such as backups and file protection, which are ineffective against data leaks. Although organizations can recover their infrastructure without paying, the risk of exposing protected health information (PHI) creates a new pressure point for victims. Given the strict data privacy laws governing health care, including HIPAA, a breach involving patient data can lead to serious regulatory fines and lawsuits.

Law enforcement and industry collaboration

Another major factor influencing the drop in ransomware payments is the increased collaboration between law enforcement and the private sector. Federal agencies, including the FBI and CISA, strongly discourage paying ransoms and have developed specialized task forces to track, disrupt and dismantle ransomware operations. These agencies often help victims by providing decryption keys, sharing information on threat actors and identifying attack patterns to mitigate other incidents.

The health care industry has also strengthened its information sharing efforts. Organizations such as the Health Information Sharing and Analysis Center (H-ISAC) facilitate collaboration in real time, allowing providers to stay ahead of emerging threats and to implement best practices.

The road ahead

Despite these positive developments, ransomware remains a significant threat to the health care sector. Threat actors continue to refine their strategies, and the financial incentives for cybercrime persist. However, the combination of stronger defenses, regulatory pressure and industry collaboration is beginning to shift the balance in favor of defenders.

For health care organizations, the key takeaway is clear: continuous investment in cybersecurity and resilience is essential. By proactively implementing robust security frameworks, maintaining up-to-date backups and adhering to regulatory guidelines, health care providers can reduce their risk and contribute to broader efforts to dismantle ransomware ecosystems.

Photo: Boonchai Wedmakawand, Getty Images


Chris Henderson leads threat operations and internal security at Huntress. He has secured MSPs and their customers for over 10 years through various roles in software quality assurance, business intelligence and information security.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in health care on MedCity News through MedCity Influencers.
