78% of Healthcare Facilities Targeted by Ransomware in the Past Year

A new report reveals the sector’s ongoing struggle with legacy systems, identity infrastructure vulnerabilities and recovery delays that put patients and operations at risk.

By Jeff Wardon, Jr., Assistant Editor


Healthcare facilities remain among the most vulnerable targets for ransomware attacks, and the consequences are increasingly life-threatening. The 2025 Ransomware Risk Report from Semperis highlights a sobering reality: While ransomware attack rates have slightly ticked downward, the healthcare sector continues to lag with legacy systems, slow recovery times and identity infrastructure weaknesses that leave critical services exposed. 

These are some key stats for healthcare, according to the report: 

  • 78 percent of healthcare organizations were targeted by ransomware in the past 12 months. 
  • 61 percent of those attacks were successful. 
  • 53 percent of healthcare organizations reported their identity infrastructure was compromised. 
  • Only 50 percent of healthcare organizations maintain dedicated, Active Directory (AD)-specific backup systems. 
  • 31 percent of healthcare organizations took between one week and one month to resume normal operations after an attack, and same-day recovery dropped 28 points from the prior year. 

Business disruptions are a common effect of ransomware attacks. Some of the top disruptions in the healthcare sector included data breaches, brand damage and job losses. Even patient safety is at risk, with the report noting recent ransomware attacks on providers resulting in patient deaths. Additionally, cyber insurance implications are notable, with many organizations facing coverage cancellation, premium increases or increased difficulty securing insurance without robust cybersecurity protocols.  

The most common types of attacks are identity-based. Most healthcare facilities use AD, Entra ID and Okta, all of which are top attack vectors. Only 61 percent of healthcare facilities have an AD recovery plan, a lower share than in the government and energy sectors. 

Outdated or legacy systems were among the biggest threats to business resilience cited in the report. This highlights a vulnerability unique to healthcare due to aging infrastructure and tech debt. What’s more, healthcare organizations were among the slowest to resume operations after attacks, suggesting recovery procedures and staff training may be lacking.  

The report recommends these five points for healthcare facilities: 

  1. Prioritize Identity Threat Detection and Response: 
    1. Implement recovery plans for AD and identity systems. 
    2. Maintain dedicated, secure backups of critical identity infrastructure. 
  2. Practice crisis response plans tailored for healthcare settings: 
    1. Focus on minimum viable operations to keep clinical care functioning. 
  3. Upgrade legacy systems and patch known vulnerabilities. 
  4. Strengthen employee training and awareness around cyber hygiene. 
  5. Align with compliance frameworks to reduce both regulatory risk and the chance of extortion via regulatory threat tactics. 

Jeff Wardon, Jr., is the assistant editor of the facilities market. 



August 7, 2025


Topic Area: Information Technology, Security


Copyright © 2023 TradePress. All rights reserved.