Ransomware pressures ease for healthcare sector: Sophos Report

A sector long strained by attacks shows signs of recovery, even as new extortion tactics rise. Faster restoration, fewer payments, and falling demands point to resilience—but staffing gaps and growing data theft still raise alarms.

DQC Bureau

The global healthcare sector is finally seeing some breathing room in its long fight with ransomware. According to the latest State of Ransomware in Healthcare 2025 report from Sophos, recovery is getting faster, ransom demands are shrinking, and fewer organisations are choosing to pay.

This shift marks a meaningful change for an industry that has spent years on the defensive.

Steady improvements in recovery

The biggest finding is clear: healthcare providers are bouncing back faster.
The report notes that 58% of organisations recovered within one week in the past year. That is a sharp rise from 21% in 2024. Recovery costs have also fallen to a three-year low.

Ransom demands have dropped too. The median figure stood at USD 345,000—a 91% fall. And data encryption during attacks hit a five-year low at 34%.

Fewer hospitals and clinics are paying ransoms as well. Only 36% did so in the past year, compared with 61% in 2022.

Persistent challenges and rising pressures

Despite the progress, the threat remains steady.
Healthcare providers continue to face resource constraints driven by chronic staffing shortages. Almost half—42%—said lack of personnel or capacity contributed to falling victim to an attack.

A worrying trend is the rise of extortion-only incidents. These attacks involve data theft without encryption, and their rate has tripled since 2023. They are now more common in healthcare than in any other sector.

The human impact is growing too.
About 37% of respondents reported higher stress or anxiety about future attacks. Nearly a quarter said this strain had already led to staff absences.

A view from the threat front line

Alexandra Rose, Director, Sophos Counter Threat Unit (CTU), said healthcare continues to face persistent activity from ransomware groups.

She noted that Sophos X-Ops identified 88 different groups targeting healthcare in the past year. Even moderate levels of threat activity, she said, can have serious consequences for patient care.

Rose pointed to early signs of resilience as well.
“Nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning,” she said. Faster recovery is critical, she added, but prevention is still the long-term goal.

Recommendations for stronger resilience

The report outlines several steps to strengthen defences:

  • Adopt proactive vulnerability management, as exploitation remains a primary root cause of attacks.

  • Invest in 24/7 threat detection and response—either in-house or through managed services.

  • Implement strong MFA, phishing defences, and better credential hygiene.

  • Maintain encrypted, offline, and regularly tested backups for reliable recovery.

  • Improve staff readiness and expand continuous cybersecurity training to address workforce-related stress and shortages.

These measures reflect a dual message: the sector is improving, but the pressure from ransomware groups is not going away.

The bottom line

Healthcare may finally be turning a corner on ransomware, but it cannot afford to slow down. Faster recovery and fewer ransom payments show that resilience efforts are paying off. Yet rising extortion-only attacks and ongoing staffing constraints reveal how fragile these gains remain.

The report makes one thing clear. Progress is real, but so is the need for constant vigilance.
