# Healthcare Organizations Are the Top Target for Ransomware Attackers

By [Steve Morrison](https://www.paloaltonetworks.com/blog/author/steve-morrison/?ts=markdown "Posts by Steve Morrison"), Aug 18, 2021

According to the [2021 Unit 42 Ransomware Threat Report](https://unit42.paloaltonetworks.com/ransomware-threat-report-highlights/), the healthcare sector was the most targeted vertical for ransomware in 2020. The report noted that ransomware operators likely targeted the sector knowing that healthcare organizations were under enormous pressure from an influx of COVID-19 patients. These organizations could not afford to have their systems locked out and would therefore be likely to pay a ransom.

In May 2021, the FBI issued an alert stating that the Conti ransomware group, which had recently taken down Ireland's healthcare system, had also attacked at least 16 healthcare and first-responder networks in the U.S. the previous year. The research firm [Comparitech](https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/#Key_findings) tracked more than 92 individual ransomware attacks in the U.S. healthcare sector in 2020 --- a 60 percent increase over the previous year. These attacks affected more than 600 clinics, hospitals and organizations, and more than 18 million patient records. Estimated costs of these attacks reached nearly $21 billion.

We have concluded that threat actors [target healthcare organizations](https://www.paloaltonetworks.com/resources/use-case/healthcare-sector) based on several factors:

* **The Value of the Data Organizations Control and Maintain ---** Since many threat actors are motivated largely by monetary rewards, they target organizations that have valuable financial and/or data assets that can be converted to funds.
Healthcare organizations gather a very broad span of information on their patients, including full contact information, Social Security numbers, payment card data, sensitive health information and healthcare insurance information. Many healthcare delivery organizations (HDOs) also make research part of their operations, which adds to this vast pool of highly valuable data. In total, this provides threat actors with opportunities for data theft, fraudulent insider acts and criminal schemes, such as waging insurance fraud.
* **The Perceived Security Posture of the Organization ---** Healthcare organizations include small and large organizations, spanning from device manufacturers to technology suppliers and HDOs, and each has a unique dedication to security. So, it's important not to apply generalizations. However, threat actors may well do just that. Healthcare is often considered lean on highly skilled IT/security manpower. The less secure a sector appears to be, the more attacks it will likely receive.
* **The Security Posture of the Organization ---** Attackers are naturally going to be more successful if there are vulnerabilities in the organization's defensive armor. With the growing complexity in the IT landscape, many healthcare organizations (and other organizations) are struggling to close every gap. Today's threat actors are highly skilled at scanning for any open port, exposed cloud misconfiguration or other vulnerability. And the incidents for which we are called to assist correlate to one or more vulnerabilities left open.
* **Criticality of Ongoing Operations ---** We know that certain tactics rely on the organization's need to keep systems up and running in order to keep core operations functional. Healthcare organizations cannot afford discontinuity in patient care. Outages (system-wide, partial or localized) are unacceptable, which can force systems, such as a network switch, to go without patching/rebooting or proper maintenance for years.
If the organization does not have an incident response (IR) plan to restore operations from backups, it may feel more compelled to pay attackers. And, even if the organization does have an IR plan and backups in place, some organizations still pay the ransom because backup systems may also get impacted or the volume of data and systems to restore is beyond what the backup systems are capable of handling in a reasonable amount of time. Regardless of the overall quality of the backup solution, if attackers are able to lock up just one important system that hasn't been recently or properly backed up, organizations may find themselves in the position of having to consider paying for the decryption key.

## Why Are Some Tactics Used More Frequently on Healthcare Organizations?

Let's assess the healthcare threats cited earlier and what they suggest about these organizations' defensive postures and the threat actors who target them.

First, ransomware relies on an organization's need to keep core systems up and running. Applications such as EMR and PACS are most critical as they are used 24/7 for the purposes of accessing patient records, which contain vital information around disease, medication, etc. Not having access to these applications inhibits the ability to provide patient care. The healthcare sector is hardly the only sector that has a continuous operations imperative. Ransomware is also waged heavily against other sectors that require continuous operations.

Threat actors are motivated by financial fraud. They typically exploit the invoicing process, take over email accounts and pose as a legitimate executive or staff member to authorize payments, then divert funds to their own accounts. Healthcare organizations frequently send and receive invoices for expensive medical services, solutions and technology. Cybercriminals see healthcare organizations as an opportunity to potentially steal significant monetary assets from organizations and patients alike.

Finally, the inadvertent disclosure of data, such as accidentally exposing sensitive data stored in an internet-facing cloud database or internet application, can (and does) affect any industry. Healthcare organizations have increasingly embraced cloud computing and third-party solutions to keep up with business demands and medical innovations. Despite seeming to be outsourced, these solutions and providers require diligent application of organization-side security controls and monitoring. [Cortex Xpanse](https://www.paloaltonetworks.com/blog/2021/05/rsac-attack-surface-management/) typically finds customers have at least 30% more assets than they realize. As complexity increases, so does the attack surface. Threat actors are continuously scanning for any opportunity to make a move, and because healthcare is a desirable target, these opportunities are likely to be discovered and exploited if not found and addressed.

## What Can Healthcare Organizations Do to Protect Themselves?

There are many best practices to secure against these threat tactics, including employing advanced, capable products, such as [Next-Generation Firewalls (NGFW)](https://www.paloaltonetworks.com/network-security) with machine learning and [Extended Detection and Response (XDR) platforms](https://www.paloaltonetworks.com/cortex/cortex-xdr). Besides [having proper backups](https://www.paloaltonetworks.com/resources/datasheets/best-practices-for-backing-up-your-data) and IR processes in place, below are our top 10 recommendations to defend against a range of threats:

1. Deploy a Zero Trust architecture to secure your organization's data, assets and people.
2. Implement multi-factor authentication (MFA) for all internet-accessible devices and accounts.
3. Keep an inventory of devices and software.
4. Secure configurations for hardware devices and software.
5. Perform continuous vulnerability management.
6. Limit the use of administrative accounts.
7. Encrypt laptops and mobile devices.
8. Maintain and monitor audit logs.
9. Educate users against the dangers of phishing and social engineering.
10. Keep backups segregated and/or offline.

## Conclusion

Some sectors receive more targeted attacks than others, and the more often threat actors are successful, the more often the attacks will occur. Part of threat actors' targeting strategy is to use tactics that are most likely to earn financial rewards and be successful, and for that reason, healthcare is bearing much of the brunt of ransomware, [business email compromise](http://www.paloaltonetworks.com/unit42/incident-response/business-email-compromise) (BEC) and inadvertent disclosure-related attacks.

Ransomware, in particular, is the top threat for healthcare organizations. Ransomware operators now use double-extortion tactics that combine data exfiltration with data encryption, using the threat of data disclosure to force payment from organizations that may have proper backup and IR processes in place to quickly recover.

Ensuring that healthcare organizations are [attentive to their end-to-end security needs](https://www.paloaltonetworks.com/ransomware-readiness-assessment) is not only essential, it is increasingly imperative during times of health crisis like the COVID-19 pandemic.

Learn about our cyber incident response and protection for [healthcare organizations](https://www.paloaltonetworks.com/security-for/industry/unit42-healthcare).