Healthcare Sector Strengthens Ransomware Defenses as Recovery Times Improve, Sophos Report Shows
2025-12-08
The global healthcare sector is finally gaining ground against ransomware, according to the newly released State of Ransomware in Healthcare 2025 report from cybersecurity company Sophos. The study reveals significant improvements in the way hospitals and healthcare providers defend against, respond to, and recover from ransomware attacks—marking the strongest progress the sector has recorded in years.
The report shows that 58 percent of healthcare organizations were able to recover from an attack within one week, a substantial jump from just 21 percent in 2024. Median ransom demands also dropped sharply, falling by 91 percent to USD 345,000, while overall recovery costs reached their lowest point in three years. Data encryption rates declined to 34 percent, the lowest in five years, and only 36 percent of healthcare organizations reported paying a ransom in the past year, compared with 61 percent in 2022.
Despite these encouraging trends, the report underscores that ransomware remains a persistent and disruptive threat. Healthcare providers continue to grapple with chronic staffing shortages that directly affect their security readiness. Almost half of surveyed organizations said they fell victim to attacks due to insufficient personnel or capacity. At the same time, extortion-only attacks—where data is stolen but systems are not encrypted—have surged dramatically, tripling since 2023 and now occurring more frequently in healthcare than in any other sector. The human strain is also evident, with 37 percent of respondents reporting increased anxiety over future attacks and nearly a quarter noting staff absences linked to stress caused by ransomware incidents.
Alexandra Rose, Director of the Sophos Counter Threat Unit, said the findings highlight both the progress made and the challenges that persist. She noted that Sophos X-Ops identified 88 different ransomware groups targeting healthcare organizations in the past year, demonstrating that even moderate levels of threat activity can have severe consequences for a sector where operational downtime directly affects patient care. Rose added that the improvement in recovery times reflects better preparedness, but warned that prevention remains the ultimate priority.
In its recommendations, Sophos stresses the importance of proactive vulnerability management, as system and application exploits continue to be a primary entry point for attackers. The report also urges healthcare organizations to invest in round-the-clock threat detection and response—either internally or through managed services—to keep pace with the growing number of threat actors focusing on the sector. Strengthening authentication, improving phishing defenses, tightening credential hygiene, and maintaining encrypted offline backups are cited as essential measures for minimizing exposure and enabling rapid recovery without paying ransoms. The report emphasizes that improved cyber readiness must be accompanied by ongoing staff training, especially as workforce shortages and burnout continue to heighten risk.
Sophos concludes that while 2025 marks a meaningful turning point in the sector’s fight against ransomware, continued vigilance and sustained investment in security capabilities are crucial to protecting patient care and operational continuity.



