Industry | May 2025 | 10 min read

Healthcare Data Breaches Are Up 256%. Here Is What Hospitals Are Getting Wrong.

The Change Healthcare breach in early 2024 disrupted prescription processing for roughly a third of the US population. Pharmacies could not fill scripts. Providers could not get paid. The attackers got in through a Citrix portal without multifactor authentication. This was not a sophisticated zero-day exploit. It was basic hygiene failure at one of the largest health IT companies in the world.

Why Healthcare Gets Hit Harder Than Any Other Sector

Healthcare organizations are disproportionately targeted for three reasons that compound each other. First, the data is uniquely valuable. A stolen credit card number is worth maybe $5 on a dark web marketplace. A complete electronic health record with insurance details, Social Security numbers, and prescription history can fetch $250 to $1,000. Identity thieves use this data for years. Medical fraud is harder to detect than financial fraud because victims often do not notice until they try to file an insurance claim.

Second, the operational pressure is unlike any other industry. When a manufacturing plant gets ransomwared, production stops and money is lost. When a hospital's systems go down, people can die. Ransomware groups know this. They have watched hospitals pay six- and seven-figure ransoms because the alternative, reverting to paper records and delaying care, is simply not viable. The FBI estimates that healthcare ransomware payments increased 278% between 2018 and 2023.

Third, the attack surface is enormous and historically under-resourced. A mid-size hospital might have 50,000 connected devices: imaging systems, infusion pumps, patient monitors, HVAC controls, and building management systems, all on the same network as clinical workstations and EHR systems. Many of those devices run operating systems that have not been patched in years because the vendor does not support updates or the device is FDA-cleared and cannot be modified without revalidation.

What Change Healthcare Actually Revealed

The February 2024 Change Healthcare attack by the ALPHV/BlackCat ransomware group is the most consequential healthcare cyberattack in US history. The initial breach vector was a Citrix remote access portal that did not require multifactor authentication. The attackers used compromised credentials, moved laterally through the network for nine days before deploying ransomware, and exfiltrated an estimated 6 terabytes of data affecting up to 190 million patients.

UnitedHealth Group, which owns Change Healthcare, reportedly paid a $22 million ransom. The group then received a second extortion demand from a splinter group that still had the data. The total financial impact exceeded $870 million in the first half of 2024 alone, with the full cost estimated to top $1.6 billion. The downstream impact on providers was severe: many small practices reported running out of cash because they could not process insurance claims for weeks.

What makes this particularly damning is that missing MFA on a public-facing remote access portal is not a nuanced or difficult problem to solve. CISA and the FBI had been issuing advisories about Citrix gateway vulnerabilities for two years prior. This was a known risk category with a known mitigation. The breach happened anyway.

HIPAA Is a Floor, Not a Ceiling

The Health Insurance Portability and Accountability Act Security Rule requires covered entities to implement administrative, physical, and technical safeguards for electronic protected health information (ePHI). It mandates things like access controls, audit logging, transmission security, and a documented risk analysis. These are good requirements. The problem is that compliance with HIPAA does not mean you are secure.

HIPAA does not require specific technologies. It does not require MFA. It does not require endpoint detection and response. It does not prescribe patching timelines. A hospital can be technically HIPAA-compliant while running Windows Server 2012 R2 on an internet-facing system. The compliance framework gives auditors something to check boxes against. It does not prevent breaches.

The HHS Office for Civil Rights has levied over $130 million in HIPAA fines since 2003, but enforcement is slow and reactive. You get fined after a breach investigation, not before. The Scripps Health ransomware attack in 2021 (which exposed data for 147,000 patients) and the Lehigh Valley Health Network breach in 2023 (which included cancer patients' nude photos posted publicly) both resulted in post-breach investigations and settlements. The regulatory apparatus is not built to prevent attacks. It is built to adjudicate accountability after them.

The Legacy System Problem Is Structural

Ask any hospital CISO what keeps them up at night and legacy systems will be near the top of the list. Clinical environments are full of devices and software that cannot be patched, cannot run modern security agents, and cannot be easily replaced because they are tied to expensive clinical workflows or regulatory clearances.

The average hospital imaging department still runs workstations on Windows 7 or Windows 10 LTSC because the DICOM software required for CT and MRI viewing has not been certified by the vendor for newer OS versions. The FDA medical device cybersecurity guidance published in 2023 pushes manufacturers to build in patching and update capabilities, but that only helps new devices. The installed base of older equipment is a liability that cannot be wished away.

The practical response for most organizations is network segmentation: put vulnerable clinical devices on isolated VLANs with strict firewall rules that prevent lateral movement. This does not eliminate risk but it limits blast radius. If a ransomware payload lands on a radiology workstation, proper segmentation means it cannot hop to the EHR server or the pharmacy management system. Many hospitals are not doing this consistently, either because the network architecture was never designed for it or because clinical workflows break when you add network controls.
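A segmentation policy is only as good as the verification that traffic actually obeys it. The following is an added example, not code from the article or from any hospital or vendor: it audits constructed flow records against an allow-list of permitted inter-VLAN connections, so that a radiology workstation reaching the EHR server shows up as a violation. The zone addressing, the allow-list and the sample flows are all assumed for illustration.

```python
"""Audit clinical-network flow records against a segmentation allow-list.

Constructed example: zones, rules and flows are illustrative and not taken
from any real hospital network.
"""
import ipaddress
from dataclasses import dataclass

# Clinical VLANs as a zone map (constructed addressing).
ZONES = {
    "radiology": ipaddress.ip_network("10.20.0.0/24"),
    "pacs": ipaddress.ip_network("10.20.1.0/24"),
    "infusion": ipaddress.ip_network("10.30.0.0/24"),
    "pharmacy": ipaddress.ip_network("10.30.1.0/24"),
    "ehr": ipaddress.ip_network("10.40.0.0/24"),
    "workstations": ipaddress.ip_network("10.50.0.0/23"),
}

# Allow-list of (source zone, destination zone, destination port).
# Any cross-zone flow not listed here is a segmentation violation.
ALLOW = {
    ("radiology", "pacs", 104),      # DICOM from modality workstations to PACS
    ("radiology", "pacs", 11112),    # DICOM alternate port
    ("infusion", "pharmacy", 443),   # pump check-ins to the pharmacy server
    ("workstations", "ehr", 443),    # clinician desktops to the EHR web tier
    ("workstations", "pacs", 443),   # image viewing from clinician desktops
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an IP address to its zone; addresses outside all zones are 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple:
    """Return (src_zone, dst_zone, allowed).

    Traffic within a known zone is allowed; traffic between zones must match
    an allow-list entry exactly.
    """
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d and s != "unknown":
        return s, d, True
    return s, d, (s, d, flow.dport) in ALLOW


def audit(flows):
    """Return [(flow, src_zone, dst_zone)] for every flow that breaks the policy."""
    violations = []
    for f in flows:
        s, d, ok = evaluate(f)
        if not ok:
            violations.append((f, s, d))
    return violations


# Constructed flow records: the first three are expected clinical traffic;
# the last two are a radiology workstation reaching zones it has no business in.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.20.1.5", 104),
    Flow("10.30.0.42", "10.30.1.10", 443),
    Flow("10.50.1.7", "10.40.0.20", 443),
    Flow("10.20.0.15", "10.40.0.20", 445),   # radiology -> EHR file sharing
    Flow("10.20.0.15", "10.50.0.99", 3389),  # radiology -> clinician desktop RDP
]

if __name__ == "__main__":
    for f, s, d in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {s}->{d} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Run against exported firewall or NetFlow records, a report like this shows whether the VLAN design on paper matches what the network actually permits; a clean run over a week of real flows is the evidence that segmentation is in place, not the diagram.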

The Case for Automated Monitoring in Clinical Environments

The traditional healthcare security model, an annual pentest and quarterly vulnerability scans, is inadequate for the threat environment hospitals now operate in. Ransomware groups are running full-time operations with dedicated reconnaissance teams. They identify targets, buy access from initial access brokers, and wait for the right moment to deploy. The dwell time before ransomware deployment averages around 9 days based on incident response data. That is 9 days during which continuous monitoring could detect anomalous behavior and trigger a response before encryption starts.

Automated monitoring in a clinical environment needs to account for the unusual traffic patterns that come with medical devices. An infusion pump communicating with a central pharmacy server at regular intervals is normal. An infusion pump attempting to reach an external IP or making DNS queries to domains registered in the last 30 days is a red flag. These behavioral baselines require time to establish and automation to monitor at scale.
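The baseline-and-deviation logic described above, as an added example rather than code from the article or from any monitoring product: it learns each device's normal destinations from a learning-window log, then flags connections to external addresses outside that baseline and DNS queries for domains registered within the last 30 days. The log lines, device names, addresses, domains and registration dates are constructed, and an in-memory table stands in for the WHOIS/RDAP lookup so the script runs offline.

```python
"""Behavioural baselining for medical devices: learn each device's normal
destinations, then flag new external destinations and DNS queries for
newly registered domains.

Constructed example: log lines, device names, addresses, domains and
registration dates are invented for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import date, datetime

# Constructed learning-window log: "<timestamp> <device> <dst_ip> <dst_port>".
BASELINE_LOG = """\
2025-04-01T08:00:00 pump-ward3-01 10.30.1.10 443
2025-04-01T08:05:00 pump-ward3-01 10.30.1.10 443
2025-04-01T08:00:00 pump-ward3-02 10.30.1.10 443
2025-04-01T08:00:00 monitor-icu-07 10.30.2.5 2575
"""

# Constructed detection-window log. Connection lines use the same format;
# DNS lines are "<timestamp> <device> DNS <queried name>".
WINDOW_LOG = """\
2025-05-02T03:12:00 pump-ward3-01 10.30.1.10 443
2025-05-02T03:13:00 pump-ward3-01 203.0.113.45 443
2025-05-02T03:13:05 pump-ward3-01 DNS update-svc.example
2025-05-02T03:14:00 monitor-icu-07 10.30.2.5 2575
2025-05-02T03:15:00 monitor-icu-07 DNS vendor-telemetry.example
"""

# Stand-in for a WHOIS/RDAP lookup so the example runs offline:
# domain -> registration date (constructed values).
DOMAIN_REGISTERED = {
    "update-svc.example": date(2025, 4, 20),
    "vendor-telemetry.example": date(2015, 6, 1),
}

NEW_DOMAIN_DAYS = 30  # the article's threshold: registered in the last 30 days

# The hospital's own address space (assumed to be RFC 1918 here);
# anything else counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(log):
    """Yield one event dict per log line, of kind 'conn' or 'dns'."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, device, f3, f4 = line.split()
        if f3 == "DNS":
            yield {"ts": ts, "device": device, "kind": "dns", "qname": f4}
        else:
            yield {"ts": ts, "device": device, "kind": "conn",
                   "dst": f3, "dport": int(f4)}


def build_baseline(log):
    """Per device, the set of (dst_ip, dst_port) pairs seen while learning."""
    baseline = defaultdict(set)
    for ev in parse(log):
        if ev["kind"] == "conn":
            baseline[ev["device"]].add((ev["dst"], ev["dport"]))
    return baseline


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL)


def detect(window_log, baseline, registered=DOMAIN_REGISTERED):
    """Return (timestamp, device, alert_type, detail) tuples.

    Domain age is measured at the time of the query, so the result does not
    depend on the day the script happens to run.
    """
    alerts = []
    for ev in parse(window_log):
        if ev["kind"] == "conn":
            key = (ev["dst"], ev["dport"])
            known = baseline.get(ev["device"], set())
            if key not in known and is_external(ev["dst"]):
                alerts.append((ev["ts"], ev["device"], "new-external-destination",
                               f"{ev['dst']}:{ev['dport']}"))
        else:
            query_day = datetime.fromisoformat(ev["ts"]).date()
            reg = registered.get(ev["qname"])
            if reg is None:
                # No registration data: surface it rather than let it pass silently.
                alerts.append((ev["ts"], ev["device"], "unknown-domain-age", ev["qname"]))
            elif (query_day - reg).days < NEW_DOMAIN_DAYS:
                alerts.append((ev["ts"], ev["device"], "newly-registered-domain", ev["qname"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(WINDOW_LOG, build_baseline(BASELINE_LOG)):
        print(*alert)
```

The learning window matters more than the rules: a pump's destination set stabilises after a few days of normal operation, and the alert volume from a baseline built over a single shift will bury the two events that matter in noise.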

The hospitals that have fared best in recent years share a few characteristics: they have done network segmentation properly, they run 24/7 security operations with real alert triage, they have tested their incident response plan within the last 12 months, and they have immutable backups that are isolated from the production network. None of these are exotic. All of them require deliberate investment and ongoing operational discipline.

What Needs to Change

Healthcare organizations need to stop treating cybersecurity as a compliance function and start treating it as operational risk management. The board and C-suite need visibility into security posture the same way they have visibility into patient safety metrics and financial performance. Security leadership needs budget authority and the ability to enforce standards across clinical departments that have historically operated with significant autonomy.

The technology investments that matter most are not expensive or exotic: MFA on all remote access, network segmentation for clinical devices, endpoint detection and response on systems that can run it, immutable offsite backups, and automated vulnerability scanning that runs continuously rather than quarterly. These are not new recommendations. They have been standard advice for years. The gap is implementation, not knowledge.

Continuous security for clinical environments

NexusVoid provides automated threat detection, compliance monitoring, and vulnerability management built for organizations that cannot afford downtime.
