Hospitals Hit by Ransomware Cannot Treat Patients for Weeks
Ransomware attacks against hospitals and healthcare systems have escalated from nuisance-level disruptions to genuine threats to human life. In 2024 alone, the Change Healthcare attack disrupted billing and pharmacy services for thousands of providers across the United States for weeks. Ascension Health, one of the largest U.S. hospital systems, was forced to divert ambulances, cancel surgeries, and revert to paper records after a ransomware attack took down its electronic health record systems.
The downstream consequences are not abstract. When a hospital's IT systems go dark, clinicians lose access to medication histories, lab results, and imaging. Nurses must hand-transcribe orders, increasing the risk of dosing errors. Emergency departments divert patients to already-strained neighboring facilities, extending transport times for stroke and cardiac patients where every minute of delay worsens outcomes. A 2023 University of Minnesota study found that ransomware attacks on hospitals were associated with a measurable increase in in-hospital mortality rates.
This problem persists because healthcare IT infrastructure is chronically underfunded relative to its criticality. Hospitals operate on thin margins (averaging 2-3% for U.S. hospitals), and cybersecurity competes for budget against direct patient care. Legacy medical devices running outdated operating systems cannot be easily patched without recertification. Meanwhile, ransomware-as-a-service has lowered the barrier to entry for attackers, and cryptocurrency makes ransom payments difficult to trace. The combination of high-value targets, weak defenses, and profitable attack economics creates a structurally persistent vulnerability that no single hospital can solve alone.
Evidence
The Change Healthcare ransomware attack in February 2024 affected billing for an estimated 1 in 3 U.S. patient records and cost UnitedHealth Group over $870 million in the first quarter alone (https://www.reuters.com/technology/cybersecurity/unitedhealth-ceo-testify-before-congress-over-hack-that-impacted-millions-2024-05-01/). The Ascension Health attack in May 2024 forced ambulance diversions at multiple hospitals (https://www.nytimes.com/2024/05/09/business/ascension-cyberattack-hospitals.html). A University of Minnesota study published in JAMA Network Open (2023) found in-hospital mortality increased by 20-35% at hospitals affected by ransomware (https://jamanetwork.com/journals/jama-health-forum/fullarticle/2809671). CISA's 2023 report noted 389 reported healthcare cyber incidents, a 93% increase from 2021.