The ever-changing landscape of ransomware: Why healthcare organizations pay less

Ransomware has long been a persistent and expensive threat to healthcare organizations, which hold large amounts of sensitive patient data and operate under critical, time-sensitive conditions. The damage caused by these attacks can have life-threatening consequences, delaying basic treatment and impairing patient safety. Historically, the urgency of restoring services quickly and avoiding disruption forced many victims to pay the ransom. That has begun to change. As healthcare organizations grow their cybersecurity investments (the share of IT budgets allocated to security rose from 10% in 2020 to 14% in 2024), fewer victims are paying ransoms, thanks to stronger defenses and heightened regulatory scrutiny.

Overall, US ransomware payments fell 35% in 2024 to a total of $813 million, down from $1.25 billion in 2023. The median ransom payment fell 45% in Q4 2024 to $110,890, as paying increasingly remains a last resort for victims with no other option. Researchers from the Healthcare Information and Management Systems Society (HIMSS) also noted that the number of ransomware victims reporting ransom payments has declined. While these declining figures raise the question of whether paying cybercriminals is becoming the exception rather than the norm, the continued innovation of threat actors, who are actively adapting to the growing maturity of cybersecurity programs, argues against drawing that conclusion prematurely.

Stronger backups and enhanced security measures

One of the most effective deterrents to paying ransomware demands is the development of robust backup and disaster recovery strategies. In the past, many healthcare organizations lacked sufficient redundancy and had little choice but to pay attackers to restore access to their systems. The industry has since made significant progress by investing in modern backup solutions, including immutable storage, air-gapped backups and real-time data replication. However, recovery from backups is rarely instantaneous, which makes documenting and rehearsing continuity plans for operating without critical technology essential.

These measures greatly reduce the leverage attackers hold. With reliable, quickly restorable backups and a rehearsed continuity program, healthcare providers can reject ransom demands and restore their systems independently. Additionally, security tools that improve an organization's security posture, such as endpoint detection and response (EDR), managed detection and response (MDR), and zero-trust architecture, make it harder for ransomware to gain a foothold in the first place.

The role of cyber insurance and regulatory pressure

Cyber insurance providers have become a key driver of reduced ransom payments. Previously, many policies covered ransom payments, creating a cycle in which organizations would pay attackers and then seek reimbursement. Insurers have since adjusted their risk models. Today, cyber insurance policies impose stricter security requirements, often requiring multifactor authentication (MFA), endpoint protection, and incident response plans before approving coverage. These requirements greatly reduce the likelihood of a successful attack and, in turn, the likelihood of a payment. Some providers have even reduced or entirely eliminated coverage for ransom payments, making it financially impractical for victims to comply with attackers' demands.

Meanwhile, government regulation is increasing the risks associated with payments. In the U.S., the Treasury Department's Office of Foreign Assets Control (OFAC) has warned that organizations may face legal consequences for paying ransoms to groups associated with sanctioned entities. Given that many ransomware groups have ties to sanctioned jurisdictions, healthcare providers face significant liability if they choose to pay.

For healthcare institutions, this means that beyond the financial considerations, paying a ransom can bring additional regulatory penalties and reputational damage that exceed the cost of the ransom itself. The risk of inadvertently funding a sanctioned cybercrime organization adds another layer of deterrence.

Threat actors turn to data exfiltration and extortion

As direct ransomware payments decline, cybercriminals are adjusting their tactics. Many groups have moved from traditional encryption-only attacks to data exfiltration and extortion. Rather than merely locking an organization out of its systems, the attacker steals sensitive patient records, financial data and proprietary information, and threatens to release it publicly if the demands are not met.

This tactic allows cybercriminals to bypass traditional defenses such as backups, which protect against file encryption but do nothing against data leakage. While organizations can restore their infrastructure without paying, the risk of exposing protected health information (PHI) creates a new pressure point for victims. Given strict data privacy laws, including HIPAA, breaches involving patient data can lead to serious regulatory fines and class action lawsuits.

Law enforcement and industry cooperation

Another major factor behind the decline in ransomware payments is increased cooperation between law enforcement and the private sector. Federal agencies, including the FBI and CISA, strongly discourage paying ransoms and have established dedicated task forces to track, disrupt and take down ransomware operations. These agencies often help victims by providing decryption keys, sharing intelligence on threat actors, and identifying attack patterns to mitigate further incidents.

The healthcare industry has also strengthened its information-sharing efforts. Organizations such as the Health Information Sharing and Analysis Center (H-ISAC) facilitate real-time collaboration, enabling providers to stay ahead of emerging threats and implement best practices.

The road ahead

Despite these positive developments, ransomware still poses a significant threat to the healthcare sector. Threat actors continue to refine their strategies, and the economic incentives for cybercrime remain. But the combination of stronger defenses, regulatory pressure and industry collaboration is beginning to tip the balance in favor of defenders.

For healthcare organizations, the key takeaway is clear: continuous investment in cybersecurity and resilience is crucial. By proactively implementing a strong security framework, maintaining up-to-date backups and following regulatory guidance, healthcare providers can reduce their risk and contribute to the broader effort to dismantle the ransomware ecosystem.

Photo: Boonchai Wedmakawand, Getty Images


Chris Henderson leads threat operations and internal security at Huntress. He has spent more than 10 years keeping MSPs and their customers secure through various roles in software quality assurance, business intelligence and information security.

This article was published through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
