Healthcare Speeds Up Ransomware Recovery as Demands Drop

The global healthcare sector is showing signs of meaningful progress in its fight against ransomware. Sophos’ “State of Ransomware in Healthcare 2025” report indicates that providers are recovering faster, paying less, and facing fewer encryption-led disruptions than in previous years. The findings suggest that hospitals and healthcare systems are maturing their cybersecurity playbooks even amid persistent threats and chronic workforce shortages.

This year, 58 percent of healthcare organizations recovered within a week, a dramatic improvement from 21 percent in 2024. Median ransom demands also dropped 91 percent to USD 345,000, while overall recovery costs hit a three-year low. Encryption rates have fallen to 34 percent, the lowest in five years, and only 36 percent of providers paid a ransom in 2025, compared to 61 percent in 2022.

However, the threat landscape is shifting rather than easing. Extortion-only attacks — where data is stolen but not encrypted — have tripled since 2023, making healthcare the most targeted sector for this tactic.

Ransomware Recovery Improves, but Operational Pressure Remains High

The report paints a nuanced picture. On one hand, stronger preparedness, better backup strategies, and improved detection tools are helping organizations bounce back faster. On the other, 42 percent of providers cite staffing shortages as the primary reason they fell victim to attacks. Burnout, system overload, and limited 24/7 monitoring capacity remain critical vulnerabilities.

The human impact is also pronounced. Nearly 40 percent of healthcare staff reported increased anxiety around future attacks, and a quarter noted absences directly tied to stress from cyber incidents. For a sector already operating close to capacity, this emotional strain has operational consequences.

Threat Actors Shift to Data Theft as Defenses Improve

Sophos highlights a notable decline in encryption attempts but a sharp increase in pure data-theft attacks. With backups improving and ransom payments dropping, attackers are pivoting toward stealing sensitive patient information to pressure organizations into paying.

In 2025, 88 different threat groups targeted healthcare organizations worldwide. Even moderate volumes of attacks can be devastating, given healthcare’s reliance on continuous uptime and the sensitivity of medical data.

Sector Moves Toward Proactive Defense and 24/7 Response

To sustain their resilience gains, providers will need to move beyond threat cleanup and toward proactive vulnerability management. The report urges healthcare organizations to:

  • Strengthen continuous monitoring and adopt 24/7 detection and response models

  • Implement strong MFA, credential hygiene, and phishing defenses

  • Maintain encrypted, offline, and regularly tested backups

  • Invest in cybersecurity training to address workforce gaps

  • Patch vulnerabilities more aggressively, given that exploitation remains a top root cause

Sophos analysts note that while the sector is improving its ability to recover, true resilience requires reducing exposure in the first place. With extortion-only attacks rising, data governance and incident transparency will become central to defense strategies.
