A new report finds healthcare organizations face heightened ransomware risk during holidays, weekends, and corporate transitions as attackers exploit reduced staffing and system vulnerabilities.
The holidays bring little cheer for healthcare organizations facing heightened cyberthreat activity.
Companies in the industry are more vulnerable to ransomware attacks during weekends, holidays, and periods of organizational change, according to a new Semperis report analyzing global ransomware activity and identity-system vulnerabilities.
The report, which surveyed 1,500 security and IT leaders across 10 countries, found that 47% of healthcare organizations were targeted on holidays or weekends, periods in which many hospitals operate with reduced security staffing. The data shows that attackers increasingly time intrusions for moments when monitoring is thinnest and response times are slow.
Troublingly, most organizations significantly reduce security operations center (SOC) staffing during off-hours, with 73% of respondents cutting coverage by 50% or more and 5% leaving security operations completely unstaffed.
"Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks,” Chris Inglis, former U.S. National Cyber Director and Semperis strategic advisor, said in a news release. “Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long lasting business disruptions.
"In addition, corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability—exactly the environment ransomware groups thrive on."
Semperis also found that ransomware attacks frequently follow major corporate events, another high-risk period common in healthcare as health systems consolidate, restructure, or reduce staff. Sixty percent of surveyed organizations said they were attacked after a merger or acquisition and 50% reported attacks after layoffs. During these transitions, identity systems are often undergoing configuration changes that create openings for attackers.
The report highlights that identity platforms remain a primary point of compromise and that organizations often overestimate their preparedness. While 90% of respondents reported having identity threat detection and response tools, only 66% have automated identity-system recovery, and less than half (38%) have formal remediation procedures. The report suggests that even with detection tools in place, response and recovery capabilities are lagging.
For healthcare organizations, identity-system weaknesses pose immediate operational risks. Compromise of identity systems can shut down access to electronic health records, clinical systems, medical devices, and communication platforms, causing disruptions that impact patient care and safety.
The report recommends that organizations think beyond prevention and emphasize resilience to guide their cybersecurity strategy.
For hospitals and health systems facing increasing consolidation and workforce shortages, leaders should rethink how staffing models and organizational changes intersect with cyber risk, especially as attackers continue to target environments where disruption has the greatest impact.
Jay Asser is the CEO editor for HealthLeaders.
KEY TAKEAWAYS
Nearly half of ransomware attacks on healthcare organizations occur during holidays or weekends, when security staffing is limited.
Ransomware attacks often follow mergers, acquisitions, and layoffs, creating openings in identity systems.
Despite widespread detection tools, many providers lack strong remediation and automated recovery capabilities, heightening operational risk.