Key Highlights
- Healthcare remains a top ransomware target due to high-value data, operational urgency and a complex web of interconnected systems and vendors
- Recovery speed often comes down to preparation, with tested incident response plans, segmented networks and resilient backups separating fast rebounds from prolonged disruption
- A proposed federal response framework aims to reduce fragmentation, but without clear coordination and resources, gaps in healthcare cybersecurity preparedness will persist
Ransomware attacks are no longer isolated IT incidents for healthcare providers; they have become operational crises that can shut down clinics, delay care and strain already stretched systems. The combination of aging infrastructure, sprawling vendor networks and strict regulatory demands has left many organizations exposed at a time when the consequences of disruption are immediate and real. Now, as lawmakers consider a more coordinated federal response, questions remain about whether the sector can get ahead of the next wave of attacks or continue reacting to them.
In this Executive Q&A, Meghan O’Connor, partner at Quarles & Brady, shares her perspective on why healthcare remains a prime target for cybercriminals, what separates organizations that recover quickly from those that do not, and how proposed legislation could reshape the sector’s approach to cyber resilience.
Why healthcare remains a prime ransomware target
Healthcare organizations continue to rank among the most targeted sectors for ransomware attacks. What factors make hospitals and health systems particularly attractive targets for cybercriminals?
Several converging factors make healthcare an especially appealing target. First, the stakes are uniquely high. Unlike many other industries, a ransomware attack on a hospital does not merely disrupt business operations; it can directly threaten patient safety. Cybercriminals understand that this urgency gives them leverage because a health system facing life-or-death consequences is far more likely to pay a ransom quickly than, say, a retail company dealing with a temporary website outage.
Second, the sheer volume and sensitivity of the data that healthcare organizations hold (protected health information, Social Security numbers, insurance details, financial records, etc.) makes them a goldmine for threat actors interested in both extortion and downstream identity fraud. A single health record can be worth significantly more on the dark web than a stolen credit card number.
Third, the complexity and interconnectedness of the healthcare industry make it particularly reliant on IT connectivity with many vendors and partners. Vendors are often any business’ weakest link, but with so many potential access points, even health systems with great technical safeguards can be an appealing target. Fourth, healthcare is an industry that has historically underinvested in cybersecurity relative to sectors like financial services. Many hospitals, particularly smaller and rural providers, operate on thin margins and have struggled to dedicate the capital and staffing needed to build mature security programs that align with the sensitivity of the data they hold.
That combination of high-value data, operational urgency, an IT web of vendors, and comparatively lower cyber defenses creates a profile that is extraordinarily attractive to criminal enterprises.
Many ransomware incidents in healthcare involve a combination of legacy systems, third-party vendors, and human error. Where do you most often see vulnerabilities emerge in healthcare environments today?
All three of those factors remain significant, but if I had to identify a common thread across the incidents we advise on, it is the complexity and interconnectedness of the healthcare IT environment. The most persistent vulnerabilities tend to show up at the seams, where older clinical systems, modern cloud services, and third-party platforms intersect. Hospitals rely on a sprawling ecosystem of clinical and administrative systems (e.g., electronic health records, imaging platforms, medical devices, billing systems, pharmacy management tools) many of which were not designed with modern cybersecurity in mind.
Legacy systems are a persistent challenge. It is not unusual to see critical clinical applications running on operating systems that are no longer supported by the manufacturer and cannot easily be patched or replaced because they are embedded in expensive medical equipment or tightly integrated with other platforms. Third-party risk is another major area of concern. Healthcare organizations depend on a wide array of vendors and service providers (e.g., billing, scheduling, transcription, analytics, etc.) but visibility into those vendors’ security practices is often limited. Each of these vendors represents a potential point of entry for attackers. We have seen that incidents at a single entity can cascade across providers and payers nationwide. Finally, human factors remain central.
Phishing, credential reuse, and social engineering continue to be common initial access vectors. Even well-resourced organizations struggle with workforce fatigue and training gaps, particularly in clinical environments where speed and access are priorities.
Operational impact and recovery challenges
In your experience advising organizations on incident response, what separates healthcare providers that recover from ransomware attacks in a matter of days from those that face weeks of disruption?
The single biggest differentiator is preparation. Organizations that recover quickly are the ones that have invested in realistic, tested incident response plans before an attack occurs. That means not just having a written plan on a shelf, but conducting regular tabletop exercises that involve clinical leadership, IT, legal, communications, and executive management together in the same room working through realistic scenarios. Tabletop exercises should not focus only on the IT response.
Organizations need to test their communications and leadership teams, who do not tend to appreciate the stress and complexity of incident response. Organizations should also work with their trusted law firms to engage important IR partners under privilege in advance of an incident to limit delays with insurance carriers or panel counsel in the first few critical hours of an incident.
Organizations that recover well also tend to have made smart infrastructure investments — particularly in network segmentation and backup architecture. If backups are properly isolated from production environments and regularly tested for integrity, you have a viable path to restoration that does not depend on paying a ransom. Segmentation, meanwhile, can be the difference between an incident that affects one department and one that takes down the entire enterprise.
On the other end of the spectrum, organizations that face prolonged disruptions often share certain characteristics: they lack clarity about roles and decision-making authority during a crisis, they have not established relationships with outside counsel, forensic investigators, and crisis communications firms in advance, and they have not rehearsed downtime procedures with clinical staff. When a ransomware attack hits, there is no time to figure out whom to call or how to operate without your EHR. Those decisions need to have been made and practiced well before the crisis begins.
Healthcare systems operate under strict regulatory and privacy obligations. What additional legal or compliance challenges do providers face when patient data is compromised during a cyberattack?
A cyberattack in healthcare is rarely just a technical problem – it is immediately a regulatory and compliance event as well. Healthcare providers navigating a ransomware event face a particularly dense web of legal and regulatory obligations. Under HIPAA, a breach of unsecured protected health information triggers notification requirements to affected individuals, the Department of Health and Human Services, and in many cases the media, all within specified timeframes. But HIPAA is just one layer. Depending on the nature of the data involved and the jurisdictions in which the organization operates, state breach notification laws may impose additional or different obligations, including shorter notification windows, broader definitions of personal information, and different content requirements for notices.
Getting to the notification phase is often more challenging than providers and regulators anticipate. Given the interconnected web of healthcare IT systems, the nature of electronic health records, and long retention time frames that keep unsupported devices in production environments, healthcare data can be messy and unstructured. Data mining is a complicated process and relying on a bad vendor can make the IR process slow and increase potential exposure for the providers.
Beyond notification, providers must contend with the regulatory scrutiny that follows a significant incident. HHS Office for Civil Rights investigations, state attorneys general inquiries, and potential enforcement actions can extend for years after an attack. There is also the litigation risk. Class action lawsuits following healthcare data breaches have become essentially routine, and plaintiffs' counsel have become increasingly sophisticated in how they pursue these claims. Organizations must also manage their obligations to business associates and contractual counterparties, consider how to coordinate with law enforcement, and in some cases address securities disclosure requirements if they are publicly traded.
All of this unfolds while the organization is simultaneously trying to restore clinical operations and take care of patients, which makes the legal complexity of healthcare cyber incidents genuinely unlike that in most other industries.
Congress is reportedly working on legislation that would require the Department of Health and Human Services to develop a coordinated incident response plan for healthcare cyberattacks. What problem is this proposal attempting to address?
The core problem is fragmentation. Today, when a major cyber incident strikes the healthcare sector, there is no single, clearly defined federal playbook for how the government will coordinate its response and support affected organizations. Multiple federal agencies have a role (e.g., HHS, CISA, FTC, FBI) but their respective authorities, expectations, communication channels, and support mechanisms have not been unified into a coherent, sector-specific response framework.
For healthcare organizations who are victims of an attack, this can mean confusion about whom to contact, duplicative requests for information from different agencies, and uncertainty about what federal resources are available.
Recent incidents have brought these coordination gaps into sharp relief. Providers across the country can face severe operational and financial disruptions due to a single incident, and many feel that the federal response to such incidents has lacked the speed and clarity the situation demanded.
The legislative proposal appears designed to address fragmentation by requiring HHS to develop and maintain a coordinated response plan that clearly delineates roles, establishes communication protocols, and ensures that the federal government can mobilize support to the healthcare sector in a more organized and timely fashion. In essence, the goal is to treat a major healthcare cyberattack with the same level of coordinated federal response planning that we would expect for other types of public health emergencies.
Policy response and the role of federal coordination
If implemented, how could a federal incident-response framework change the way healthcare organizations prepare for and respond to cyber incidents?
A well-designed federal framework that appreciates the day-to-day operational realities of healthcare operations and cybersecurity could have meaningful practical effects at both the organizational and sector-wide levels and drive greater standardization and predictability.
For individual healthcare organizations, having a clearly articulated federal response plan would provide greater certainty about what to expect from the government during an incident (e.g., what resources are available, what information will be requested, and how communication will flow). That predictability allows organizations to align their own internal incident response plans with the federal framework, reducing confusion and improving coordination when an actual event occurs.
At a sector level, a coordinated federal plan could facilitate faster information sharing about threat intelligence and common indicators of compromise, enabling organizations that have not yet been hit to take protective action while an incident is unfolding. It could also help address the particular vulnerabilities of smaller and under-resourced providers that may lack the internal capabilities and manpower to manage a sophisticated incident on their own and would benefit most from structured federal support.
That said, the value of any framework depends entirely on how it is implemented. If the legislation results in a plan that is overly bureaucratic, unfunded, or disconnected from the operational realities of healthcare delivery, it will not meaningfully change outcomes. The most effective approach would be one that is developed with substantial input from the healthcare community, appreciates that all 50 states have separate notification requirements, and that includes clear triggers, defined roles, and dedicated resources — not just another layer of guidance.
Federal Cyber Response Proposal
Lawmakers are weighing the Health Care Cybersecurity and Resiliency Act of 2025, a bipartisan proposal that would require the Department of Health and Human Services to establish a coordinated incident response framework for the healthcare sector.
The proposal appears to have bipartisan support but may face timing challenges on Capitol Hill. If the legislation stalls, what gaps in healthcare cybersecurity preparedness are likely to remain?
If this legislation does not advance, the healthcare industry will continue to operate under a patchwork of federal and state agency touchpoints during a crisis, and the coordination challenges that surfaced during recent major incidents will remain unresolved.
Well-resourced organizations may be able to coordinate effectively with federal partners, but smaller providers will remain unevenly supported. Without legislative action that includes dedicated resources (whether through grants, incentive programs, or other mechanisms), the gap between well-resourced health systems and the rest of the sector will continue to widen.
The absence of a federal framework also means continued ambiguity around HHS’s role during live incidents and how cybersecurity expectations translate into enforcement decisions. Without legislative momentum, progress will rely on ad hoc coordination and voluntary guidance, which leave persistent gaps in readiness. The risk is that the healthcare industry continues to learn these types of lessons only after major incidents, rather than building resilience in advance.
There is also the issue of technology developing faster than regulatory agencies can address. If Congressional action and regulatory implementation do not appropriately balance minimum standards with some capacity to future-proof for evolving standards, legislative action will be obsolete as soon as it is issued. One of the benefits of HIPAA’s regulatory structure is that it allows the standards to evolve with technology. Regulatory updates should appreciate this foresight and continue along these lines rather than implement prescriptive standards that make sense today but will not keep pace with technological developments.
About the Author
Rodney Bosch
Editor-in-Chief/SecurityInfoWatch.com
Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].