By Daniel Bardenstein
With a cyberattack having recently paralyzed St. Paul's city services, and another having forced Kettering Health hospitals onto emergency reroute just a month earlier, healthcare executives across the country are asking the same question: Are we next?
From my experience leading a company that secures hospitals, researching healthcare security policy with the Aspen Institute, and serving as cybersecurity lead for Operation Warp Speed, I’ve seen the challenges up close. During 2020 and 2021, I witnessed a devastating wave of ransomware attacks hitting hospitals already overwhelmed by COVID-19. The data suggests that most hospitals remain dangerously exposed—not despite their technology investments, but because of them.

The numbers tell a sobering story. In 2024, healthcare suffered 444 reported cybersecurity incidents according to the FBI's Internet Crime Report—more than any other critical infrastructure sector, comprising 238 ransomware threats and 206 data breach incidents. Among healthcare organizations surveyed by Sophos, 67% experienced a ransomware attack in the past 12 months, with recovery costs averaging $2.57 million excluding any ransom payments.
But statistics only tell part of the story. In 2020, a woman seeking emergency care at Düsseldorf University Hospital died after ransomware attackers encrypted 30 servers, forcing her to be redirected to a hospital 20 miles away. The delay proved fatal. More recently, Ascension Healthcare's May 2024 cyberattack disrupted operations across 120 hospitals and took 37 days to restore systems, producing a backlog of paper records equivalent to a stack a mile high and costing $130 million in response efforts plus $900 million in lost operating revenue.
The procurement blind spot
The problem isn't that hospitals aren't investing in technology—it's that they're making massive investments without visibility into the cybersecurity risks those purchases introduce. When I worked with one hospital system planning a $20 million upgrade of their MRI fleet, they had detailed specifications for imaging quality, patient throughput, and regulatory compliance. What they lacked was any information about the software running on those machines—whether they operated on outdated systems like Windows 7, contained default passwords, or harbored known vulnerabilities that could serve as entry points for attackers.
This blind spot is particularly dangerous in healthcare, where medical devices often remain in service for 10-15 years or more. Unlike IT equipment that gets regularly refreshed, that MRI machine purchased today will likely still be on the network in 2040. If it's insecure now, it becomes an increasingly vulnerable asset as new attack methods emerge and underlying software becomes obsolete.