How Cyberattacks Hold Patient Care Hostage

My 68-year-old mother called her doctor’s office for 8 days straight and never got a response. She needed her diabetes drug adjusted as well as an evaluation for eye surgery. She had to hold her diabetes medication close to her face to read the label through cataract-clouded eyes. Concerned, I took over the phone campaign, only to find myself trapped in a 90-minute queue as the “first caller” — perpetually the next person in line. I grabbed my car keys to see what I could learn in person.

The scene at the doctor’s office was chaos. Elderly patients filled the room, many holding their own empty medication bottles. Staff scribbled patient information on loose papers, their computers dark. A cyberattack had paralyzed the entire health system more than a week earlier, leaving them unable to access medical records, schedule appointments, or even answer phones. In an instant, decades of technological progress were erased, leaving both patients and providers scrambling to adapt.

For my mother, this wasn’t just an inconvenience. Each day of delay meant her vision could worsen, her diabetes could spiral out of control. Having lost my father unexpectedly just months ago, the thought of another parent’s health in jeopardy was unbearable. When she finally secured a cataract surgery consultation, she took time off from work and arrived only to learn her appointment — documented on those scraps of paper during the outage — wasn’t in the system. Another month of anxiety ensued.

This scene is playing out in hospitals and clinics across America with alarming frequency, with the recent Change Healthcare attack affecting nearly one-third of the U.S. population. The cyberattacks ravaging our healthcare system are a metastasizing cancer, spreading silently and lethally through our digital infrastructure. Two-thirds of healthcare organizations were hit by ransomware in the last year alone. Cyberattacks on healthcare systems are more than just glitches, they are weapons of mass disruption, aimed at the very heart of our society. Moreover, the recovery time is worsening: only 22% of affected organizations fully recovered within a week, down from 47% the previous year. Nearly 40% took over a month to return to normal operations, just like my mother’s healthcare system.

Healthcare proves uniquely vulnerable to these attacks. Unlike other industries, hospitals can’t simply shut down to fix security breaches. The complex web of interconnected devices — from electronic health records to MRI machines — creates countless entry points for cyber-criminals. Outdated systems, insufficient staff training, and the pressure to maintain continuous patient care make healthcare an attractive target. When hackers strike, hospitals often face an impossible choice: pay ransoms reaching into the millions or risk patients’ lives.

The contrast with other sectors is stark. As a public health professor at the University of Michigan, I witnessed our institution’s swift response to a cyber threat last fall. When systems were proactively taken offline, we adapted quickly — guiding lost students to classrooms and distributing paper handouts for my required health behavior theory course. Within days, we were back online. The university’s rigorous security protocols even required intensive vetting before I could launch a research project with a third-party vendor where protected health information would move through their servers.

Healthcare organizations, however, can’t afford such nimble responses. Americans pay rising portions of their income for health insurance. In cyberattack situations, they’re effectively denied the care they’ve paid for.

For millions of Americans managing chronic conditions, these disruptions can prove catastrophic. Those in health maintenance organizations, like my mother, face even greater challenges — switching providers means navigating bureaucratic mazes and potentially crushing out-of-network costs.

We stand at the precipice of a healthcare apocalypse. The U.S. can no longer afford to tackle this crisis piecemeal. While our nation’s cybersecurity strategy has evolved across both Democratic and Republican administrations since the late 1990s, healthcare remains trapped in a maze of federal, state, and industry-specific regulations. Unlike the European Union, which maintains comprehensive cybersecurity standards across sectors, our healthcare systems struggle with the same kind of fragmentation that left my mother’s doctor’s office scribbling appointments on paper.

We must accelerate and strengthen our National Cybersecurity Strategy, particularly in three critical areas. First, we need to shift liability to technology companies, compelling them to build more secure products from the ground up. When my mother’s health system went dark, it wasn’t just because of sophisticated hackers — it was because the very infrastructure meant to protect her health was built on vulnerable foundations.

Second, healthcare organizations must adopt zero-trust security models, and create a culture of security awareness to minimize human errors. This approach, already proven effective in sectors like finance and defense, could have prevented the total system shutdown that left elderly patients clutching empty pill bottles in waiting rooms. Building on existing security measures, organizations can further strengthen their defenses through enhanced encryption, multi-factor authentication, and comprehensive backup strategies that include cloud-based solutions.

Third, we must foster stronger international cyber norms. Healthcare cyberattacks don’t respect national boundaries — the same criminals who hold my mother’s medical records hostage today could target hospitals in allied nations tomorrow.

The digital siege on our hospitals isn’t just a battle of bits and bytes — it’s an all-out war on our nation’s health. With each breach, with each ransomware attack, we’re risking civilian casualties. My mother was lucky — an unexpected cancellation finally secured her surgery consult. The successful cataract surgery that followed gave her back clear vision. Others aren’t so fortunate. In an age where healthcare increasingly relies on digital systems, every moment we delay addressing these vulnerabilities puts more lives at risk. The technology meant to advance medicine shouldn’t be the very thing holding it hostage.

Minal R. Patel, PhD, MPH, is a professor at the University of Michigan School of Public Health, and leadership team member for the Institute for Healthcare Policy and Innovation.