Healthcare's Surging Cybersecurity Threats

Healthcare faces rising cybersecurity pressure from ransomware, vendor outages, and stricter compliance expectations. Here we break down what’s changing in 2025 and what to prioritize next: breach and ransomware trends, why downtime is the real multiplier, and practical steps healthcare leaders can take to reduce risk, strengthen recovery, and protect patient trust.

Healthcare faces growing and evolving cybersecurity threats.

Healthcare has always been a high-pressure environment. What’s changed is how consistently cyber incidents now interrupt real operations—scheduling, documentation, billing, and sometimes patient-facing systems.

For healthcare leaders, the core issue isn’t just “more alerts.” It’s that attackers (and even vendor outages) can create immediate downtime, expensive recovery, and long-tail trust damage.

The 2025 reality check: volume is still high

Breach reporting continues at a pace that should concern any organization handling PHI. For example, by July 31, 2025, 444 large breaches (500+ records) had already been reported to HHS OCR—about a 2% year-over-year increase versus the same point in 2024.

Even a single month’s reporting can be heavy. For September 2025 alone, OCR’s breach portal listed 41 large breaches (as of Dec 18, 2025), affecting at least 1.7M individuals.

And “mega-incidents” have reshaped the impact side of the risk equation. The Change Healthcare breach was updated to ~192.7 million impacted individuals—making it the largest healthcare data breach publicly reported in U.S. history.

Ransomware is evolving—and shifting toward vendors

Ransomware remains a major driver of disruption, but the pattern is changing. Comparitech tracked 211 ransomware attacks on healthcare companies in H1 2025, with 68 publicly confirmed by the targeted organizations.

Later 2025 reporting also pointed to a shift: attacks rose across healthcare “businesses” even as incidents targeting hospitals/clinics declined—pushing more risk into vendors, platforms, and third parties that healthcare depends on.

The economics changed in 2025 (but the stakes didn’t)

If you’re still thinking in “hundreds or thousands” of dollars for ransom demands, that’s outdated—healthcare demands can still reach the millions in high-impact incidents. At the same time, it’s worth being precise: 2025 survey data suggest the median healthcare ransom demand fell sharply to about $343K, with a median amount paid of $150K—even though outlier events can be far higher.

That doesn’t mean attacks are “cheaper” in the real world—downtime, remediation, legal, notifications, and reputational damage can dwarf the ransom.

Why downtime is the real multiplier

Even outside ransomware, outages are expensive—and healthcare feels the pain fast.

Uptime Institute’s Annual Outage Analysis 2025 found 54% of respondents said their most recent significant outage cost over $100,000, and one in five said it cost over $1 million.

Healthcare also got a stark reminder in 2024 that not all disruption is “a hack.” A JAMA Network Open study of the July 19, 2024 CrowdStrike outage measured disruptions at 759 U.S. hospitals (34%) among those with available data, and identified 239 (21.8%) outages tied to direct patient care functionality.

Internally, we’ve seen how preparedness changes outcomes. During the CrowdStrike event, our controls and layered endpoint approach helped keep a long-time client online when millions of systems failed.

Compliance pressure is rising (HIPAA Security Rule proposal)

On Dec 27, 2024, HHS OCR issued a proposed rule to update the HIPAA Security Rule for the first time since 2013—aimed at strengthening cybersecurity protections for ePHI.

Whether or not the final rule lands exactly as proposed, the direction is clear: more formal requirements, less ambiguity, and more scrutiny on fundamentals like inventory, access controls, encryption, and recovery readiness.

What we recommend healthcare leaders prioritize

If you want practical, high-leverage moves that reduce both breach risk and downtime risk:

  • Get ruthless about identity

    • MFA everywhere (email, remote access, admin tools)

    • Least privilege + rapid deprovisioning for staff changes

  • Treat vendors as part of your perimeter

    • Review third-party access paths, integrations, and contingency plans

  • Harden what attackers actually use

    • Patch/inventory discipline, especially edge devices and remote access

    • Email security + user training tuned to real workflows

  • Make recovery real

    • Immutable/offline backups + routine restore testing

    • Documented downtime procedures so teams aren’t improvising

  • Operationalize security

    • Continuous monitoring + response playbooks + tabletop exercises

How we help at Managed Services Group

We help healthcare organizations reduce cyber risk and downtime risk by combining managed IT and security into one accountable program. As a SOC 2 Type 2 certified MSP/MSSP, we focus on practical controls that hold up under real pressure—not just policy binders.

If you want to understand where risk is hiding in your environment, contact us to get started with a free network assessment. You’ll get a clear view of what’s vulnerable, what’s outdated, and what to prioritize next—whether you move forward with us or not.