Responding to a Healthcare Cyber Attack: FAQ


Healthcare cyber attacks are intentional, malicious strikes designed to steal data, slow or stop systems, or otherwise create consequences that require repair. The healthcare sector is a frequent target of cyber crime because of the high volume of electronic protected health information (ePHI) involved in care provision, along with the potential for urgency. Healthcare organizations are responsible for responding to attacks, but increasingly sophisticated technology and evolving regulations can make responding a struggle.

We'll answer your questions about responding to cyber crimes, discuss the most common types of attacks, and give you examples to help you understand these threats to your facility. The answers provided will help you identify threats and enact a response plan. Use this guidance to better understand your reporting obligations and develop an effective response strategy.

What Are the Most Common Types of Cyber Attacks in Healthcare?

Cyber criminals use a variety of techniques to disrupt and infiltrate systems. The most common types of attacks seen in the healthcare industry can be categorized according to the method used to steal or cause damage.

  • Malware: Malicious software, such as ransomware
  • Distributed denial-of-service: A flood of traffic designed to slow down or crash a system
  • Man-in-the-middle: Theft of information (such as login credentials) or alteration of communications
  • Code injection: Insertion of malicious code to disrupt systems or steal data
  • Brute force hacking: Cracking passwords by systematically trying all combinations
  • Social engineering: Tricking people (e.g., with a phishing email) into creating system vulnerabilities

What Are Some Healthcare Cyber Attack Examples?

According to the FBI's annual internet crimes report, the healthcare industry experienced 460 ransomware attacks and 182 data breaches in 2025. These events often overlap, with the ransomware attack acting as the driver for the data breach.

For example, consider a healthcare system attacked by a ransomware group. The malicious software could force the system offline, and payment may be demanded for a safe return of the "hostage" data and resumed operations. The criminal(s) behind the attack may decide to steal and sell sensitive patient information, such as names, birth dates, Social Security numbers, and medical records. Healthcare cyber attacks of this nature could result in delayed patient care as well as lawsuits from patients who are dealing with fallout from the breach (such as identity theft).

What Costs Are Associated With Cyber Attacks on the Healthcare Industry?

Cyber attacks can cost healthcare facilities in direct and indirect ways. Direct costs are often short term, and may represent only a fraction of the losses. Examples include:

  • Ransom payments.
  • Software upgrades and other technology fixes.
  • Labor costs of IT specialists enlisted to perform remediation.
  • Labor costs associated with investigating the criminals behind the incident.
  • Labor costs associated with notifying the individuals affected by the event.
  • Fines.

Indirect costs can be longer lasting and harder to pinpoint. Examples include:

  • Lost revenue due to operational downtime.
  • Lost revenue due to care delays resulting in suboptimal patient outcomes.
  • Damaged reputation.
  • Increased cyber-insurance rates.
  • Ongoing costs associated with increased compliance obligations.
  • Lawsuit payments.
  • Legal fees associated with defending against criminal charges.

What Types of Healthcare Organizations Are Most at Risk for Hacking Events?

Some types of healthcare organizations are more at risk for cyber crimes than others. Large hospitals are particularly susceptible, due to the high volume of ePHI they work with and the urgency that can be involved in getting operations back up and running. Other organizations that are at elevated risk for hacking events include:

  • Insurance companies.
  • Medical device manufacturers.
  • Third-party technology vendors.
  • Facilities with underfunded IT and cybersecurity departments.
  • Facilities with outdated legacy EHR systems.
  • Telehealth platforms.

What Steps Should a Facility Take to Respond to a Cyber Attack?

The Office for Civil Rights offers a Quick Response Checklist to help HIPAA covered organizations understand their responsibilities when responding to an attack. In general, the following steps are recommended (and in some cases, required):

  1. Initiate an incident response plan.
  2. Immediately perform technological fixes to stop the incident when possible.
  3. Make efforts to mitigate disclosure of ePHI.
  4. Report the crime to applicable law enforcement agencies.
  5. Report the crime to applicable information-sharing and analysis organizations (ISAOs) and federal agencies.
  6. Report breaches affecting 500 people or more to the OCR as soon as possible.
  7. Notify affected individuals about the breach.
  8. Notify the media (in some cases).

How Do Healthcare Facilities Report Attacks?

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) initiated progress toward a federal reporting system for cyber incidents within critical infrastructure organizations. The healthcare and public health sector is categorized as critical because of the way it contributes to national stability. Another hub for reporting cyber crimes is the FBI's Internet Crime Complaint Center (IC3).

Reporting significant incidents to the federal government can help to ensure a thorough response. Contributing information can also help agencies identify trends, issue warnings, and better understand how to prevent cyber attacks in the healthcare and public health sector.

What Resources Are Available for a Facility Facing a Cyber Attack?

Here are some key resources available to healthcare facilities that are in the process of responding to a cyber attack:

  • Multi-State Information Sharing and Analysis Center (MS-ISAC) offers incident response and remediation support and resources.
  • U.S. Department of Health and Human Services, Office for Civil Rights (OCR) offers resources to help healthcare organizations respond to and report cybersecurity incidents, with a focus on HIPAA Security Rule compliance.
  • U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers response tools and services to help facilities navigate the aftermath of a cyber attack, as well as information on how to prevent cyber attacks in healthcare.
