There is a version of ransomware preparedness that exists in boardrooms and tabletop exercises, and then there is what happens when systems actually go down. The gap between those two things has become one of the more consequential problems in healthcare security, not because security leaders are being dishonest, but because the conditions under which they assess their own recovery capability are almost nothing like the conditions under which recovery actually has to happen.

The Verizon 2026 Data Breach Investigations Report found ransomware present in 48% of all confirmed breaches, the highest proportion in the report's 19-year history. The American Hospital Association and the Joint Commission responded to the escalating pressure in May 2026 by launching the Cyber Resilience Readiness program, an initiative designed to help hospitals assess whether they can maintain clinical operations during extended cyber-related outages. The fact that the program needs to exist at all is its own signal that organizations have been investing in security for years, and the collective assessment of the two largest healthcare accreditation bodies is that recovery readiness remains a gap worth building an entire certification program around.

 

Where the confidence gap comes from

When security leaders assess their recovery capability, they are typically doing it through planning exercises, documentation reviews, and conversations with IT teams. Those assessments happen in calm conditions, with full access to information, adequate time to think, and no pressure from clinical staff who cannot access patient records. The actual recovery from a ransomware event happens in the opposite conditions, with systems down, workflows broken, and every hour of delay producing direct patient care consequences.

The FBI's 2025 Internet Crime Report recorded 460 ransomware attacks against healthcare and public health organizations in 2025, confirming healthcare as the most targeted critical infrastructure sector for the second consecutive year. For many of those organizations, the incidents were the first real test of recovery plans that had never been executed under genuine operational pressure. Tests that pass in exercises frequently encounter problems in reality because exercises compress timelines, assume cooperation from systems that may not function as expected, and skip the organizational friction that real incidents produce.

Healthcare environments add specific complications. Hospitals operate across multiple physical locations with staff working across different sites. Devices cannot be reimaged quickly when no one is sure who is responsible for which machines, when replacement equipment has not been pre-staged, and when the clinicians who need those devices to deliver care cannot wait for an orderly process. Ownership of recovery is often unclear, with IT teams, security teams, and clinical operations each having partial responsibility and no single authority that can make fast decisions across all three.

Read more: What is ransomware?

 

Why healthcare's recovery risk is different from other sectors

Across industries, operational downtime is typically the leading concern after a ransomware event. In healthcare, reputational damage tends to rank higher, and the reason indicates something specific about how the sector operates.

A ransomware breach at a hospital produces mandatory breach notifications to affected patients, public posting on the HHS OCR breach portal, commonly called the Wall of Shame, and media coverage tied to the specific community the organization serves. Patient trust in healthcare is deeply local, so people choose their primary care physician, their hospital, and their specialist based on relationships that took years to build, and a breach that appears in community news coverage affects those relationships directly. For providers in competitive regional markets, the trust erosion from a single incident can affect appointment volumes and referral patterns for months after systems are fully restored.

The financial picture compounds the reputational one. IBM's Cost of a Data Breach Report puts the average cost of a healthcare breach at $9.8 million, the highest of any sector tracked, covering direct costs including notification, forensics, remediation, and regulatory exposure. According to Paubox's 2025 Healthcare Email Security Report, nearly 70% of healthcare IT leaders estimate the consequence of a HIPAA violation at over $250,000. The distance between that estimate and the IBM figure suggests that security investment decisions in healthcare are often being made against a financial model that dramatically underestimates what a breach actually costs.

 

The ransom payment calculation

When clinical systems go down, and the recovery timeline stretches toward days rather than hours, paying the ransom begins to look like a rational economic decision. The FBI's 2025 Internet Crime Report found that ransomware losses in 2025 reached $32.3 million in reported payments, a figure the FBI acknowledges excludes downtime, equipment damage, and third-party recovery costs. The true financial pressure on an organization losing access to billing systems, patient records, and clinical workflows for multiple days substantially exceeds the ransom demand itself, which is precisely the advantage attackers rely on.

The Verizon 2026 DBIR offers useful context on how that calculation is trending. Ransom payments are declining as a proportion of attacks, with 69% of ransomware victims choosing not to pay, and the median payment falling year over year. The organizations declining to pay are those with recovery infrastructure strong enough that restoring from backups is faster than negotiating. The organizations facing the hardest payment decisions are those whose backup testing has been deferred, whose restoration processes are manual and slow, and whose clinical downtime losses exceed what they can sustain while waiting for recovery.

For healthcare specifically, the Verizon DBIR data on double extortion adds another layer to that calculation. Three out of four ransomware victims in the dataset had a prior credential leak, often within 95 days of the attack, with data exfiltration occurring before encryption in the majority of modern ransomware incidents. Restoring from backups addresses the encryption problem, but it does not resolve the exfiltration, and a healthcare organization that recovers cleanly without paying still faces breach notification obligations under HIPAA if patient data was accessed, along with the OCR investigation that assesses whether adequate security controls were in place before the attack.

 

What the AHA and Joint Commission programs tell us about the real state of readiness

The Cyber Resilience Readiness program that the AHA and Joint Commission launched in May 2026 is worth reading carefully because of what it treats as a baseline rather than an advanced capability. The program assesses whether organizations can maintain safe patient care during cyber disruptions, coordinate clinical and operational response during downtime, prepare staff to work together effectively during a cyber incident, and sustain clinical operations for 30 days or longer during a technology outage. Those are not elite capabilities. They are the minimum conditions for patient safety during a ransomware event, and the program exists because not enough healthcare organizations can currently demonstrate them.

Thirty days is the relevant benchmark because it proves how long recovery can take in severe incidents. Organizations that plan for 48-hour recoveries and find themselves managing week-long or multi-week outages discover that the gap between plan and reality produces exactly the kind of clinical harm, financial pressure, and reputational damage that a ransom payment was supposed to avoid.

 

Where the entry point sits

Recovery is a downstream problem. The more controllable question is what creates the initial access that makes recovery necessary in the first place. The Verizon 2026 DBIR found phishing as one of the top initial access vectors in healthcare-specific breaches, accounting for 14% of healthcare incident entry points alongside credential theft and vulnerability exploitation. Every day of recovery time and every ransom payment considered in a healthcare environment traces back to an initial access event, and most of those events, in healthcare, arrive through email.

Paubox's 2025 Healthcare Email Security Report puts the employee reporting rate at just 5% of known phishing attacks in healthcare, meaning the emails establishing initial access for ransomware chains go undetected by staff in the overwhelming majority of cases. The clinical time pressure that makes healthcare staff poor candidates for consistent security decision-making is the same time pressure that makes pre-delivery filtering a more reliable control than human detection. Paubox's 2026 Healthcare Email Security Report tracked a 47% increase in attacks avoiding native email defenses in 2025, confirming that default filtering in Microsoft 365 and Google Workspace is not catching what it needs to catch. Paubox Inbound Email Security uses AI to analyze sender behavior, message intent, and contextual signals across every inbound message, stopping phishing attempts that bypass signature-based systems before they reach clinical and administrative staff.

Learn more: Paubox Inbound Email Security

 

FAQs

Why is there a gap between how secure healthcare organizations think they are and how long recovery actually takes?

Security assessments and tabletop exercises happen in conditions that do not show the operational reality of a genuine ransomware event. Organizations assess recovery capability with full information, adequate time, and no clinical pressure. Actual recovery happens with systems down, multiple locations affected, unclear ownership of the restoration process, and clinical staff who cannot wait for an orderly process to complete.

 

Why does healthcare rank reputational damage as a higher ransomware concern than other sectors?

Healthcare providers operate in community markets where patient trust is built on local relationships that take years to develop. A breach that appears in community news coverage, produces mandatory patient notifications, and results in public posting on the HHS OCR portal damages those relationships in ways that affect appointment volumes and referral patterns for months. The reputational consequence in healthcare is more localized and more personal than in most other sectors.

 

Does paying a ransom solve the recovery problem for healthcare organizations?

Not reliably. The Verizon 2026 DBIR found 69% of ransomware victims chose not to pay, with the declining payment rate tracking the improvement in recovery infrastructure among organizations that can restore from backups faster than they can negotiate. For healthcare organizations specifically, paying for decryption does not resolve the data exfiltration problem, and it does not eliminate HIPAA breach notification obligations for any patient data that was accessed.

 

What is the Cyber Resilience Readiness program, and why does it matter?

The Cyber Resilience Readiness program is a voluntary initiative from the AHA and the Joint Commission designed to assess whether healthcare organizations can maintain safe clinical operations during extended cyber-related technology outages. Its significance is that it treats 30-day clinical continuity as a baseline capability worth certifying, rather than as an advanced achievement, showing an honest acknowledgment that many healthcare organizations cannot currently show it.

 

What is the most effective way to reduce ransomware recovery time and ransom payment pressure?

Address the initial access vector. Phishing is among the top documented entry points for healthcare ransomware, and removing phishing attempts before they reach clinical staff through pre-delivery filtering eliminates the entry point before any subsequent recovery or payment decision becomes necessary. Organizations that stop the initial access avoid the recovery problem entirely, which is a more reliable outcome than improving recovery speed after access has been achieved.