News|Articles|May 22, 2026

Healthcare sector most targeted for cyberattacks

Author(s)Ron Southwick

The FBI says healthcare remains the industry of choice for ransomware groups. Authorities are going after attackers, but hospitals face greater risks amid financial pressures.

Federal authorities say the healthcare industry remains the most targeted sector for cybercrimes.

It’s a sobering if not surprising assessment. Scores of hospitals and health systems have experienced ransomware attacks in recent years, and the vast majority of the nation’s healthcare providers suffered disruptions due to the Change Healthcare cyberattack two years ago.

Andrew Bailey, co-deputy director of the FBI, publicly confirmed that the healthcare industry is targeted more than any other critical infrastructure. He made the assessment during a discussion at the American Hospital Association conference next month.

"We’re no longer talking about a data crime. We’re talking about physical harm to patients,” Bailey said at the association’s annual meeting.

John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, told Chief Healthcare Executive® that the FBI deputy director’s public announcement underscores the dangers to health systems.

Riggi also says it’s imperative for the federal government to offer as much help to hospitals and health systems as possible.

“I think that's what the government must understand, that we are critical infrastructure, and we're going to need assistance to help defend against nation-state attacks,” Riggi says. “The government has a vested interest in defending critical infrastructure, right? We can't be left on our own to defend against these attacks.”

The Cybersecurity and Infrastructure Security Agency and other federal authorities issued an advisory last month warning that China-affiliated cybercriminals are increasingly targeting connected devices and networks, posing risks to hospitals and health systems.

“The Chinese government … they have in place disruptive malware on our critical infrastructure, including telecommunications and internet-provider networks, and that we should be prepared for disruptions by China, in the event there is serious geopolitical tensions or conflict. First time I've ever heard a government agency call it out that bluntly,” Riggi said.

Riggi said hospitals should take a look at potential vulnerabilities and also look at connected devices that may be outdated or lacking patches. Health systems should also be watching for unusual traffic patterns or behaviors.

With the U.S. at war with Iran, authorities have also warned that hospitals and the healthcare industry should be prepared for the threat of cyberattacks. An Iranian group claimed responsibility for the cyberattack of Stryker, a Michigan-based company that produces medical and surgical equipment.

Partnership with Joint Commission

The American Hospital Association and the Joint Commission announced a new partnership earlier this month to help health systems improve their cybersecurity.

They have launched the Cyber Resilience Readiness program, which is designed to help hospitals evaluate their ability to safely provide patient care even in the event of a cyberattack. The hospital association says the program is focused on dealing with patient care and goes beyond restoring networks and computer systems.

The program offers tools to help hospitals assess their own resilience and capabilities, along with expert reviews. The Joint Commission also says it will offer a cyber-resilience readiness certification, starting in the summer. The commission says the program draws on lessons from cyberattacks aimed at hospitals.

The Joint Commission previously published guidelines in 2023 for hospitals and health systems to respond to cyberattacks and continue caring for patients. The commission has advised hospitals to have robust plans, including plans to work without access to electronic health records. Hospitals should be prepared to maintain services even if they are without life-critical technology for four weeks or longer, the commission has said.

Cybersecurity and financial pressures

The healthcare sector has topped all industries in another unwanted category when it comes to cybercrime: the cost of breaches.

The average healthcare breach costs $7.4 million, and the health sector has led all industries for 14 consecutive years, according to a report from IBM.

Hal Wolf, president and CEO of HIMSS, told Chief Healthcare Executive® in a March interview that there’s certainly more investment in cybersecurity than in the past.

When asked if he sees greater urgency on cybersecurity since the Change Healthcare cyberattack, Wolf said, “I'm going to say yes, but still not enough.”

“Cybersecurity, it’s one of those table stakes issues,” he said. “Do I have the right number of locks on my doors and windows in my house? If someone's really determined to come in, at what level can I build towards? Do I have the expertise? Am I getting the right guidance?”

Riggi also acknowledged that many hospitals and health systems have struggled to invest as much as they would like in cybersecurity. And he said that it’s likely going to get harder for health systems as they brace for cuts in Medicaid spending in the coming years.

“We have to do the best we can in the increased threat environments, but also immense, enormous financial pressures facing hospitals these days and more to come,” Riggi says.

Riggi does see some positive developments, including better information sharing between federal authorities and the private sector.

“We are seeing that cooperation between the private, critical infrastructure sectors and the federal government,” Riggi says. “The FBI has done astounding offensive work in the past year, bringing the fight to the bad guys. So that's what we need, this whole of society, whole-of-nation approach.”


Latest CME