What Are the Effects and Costs of Downtime to Healthcare Organizations?

Any break in the standard flow of a business can result in severe financial losses. Where do these losses stem from? One of the most expensive business interruptions is IT or system downtime.



What is system downtime? It's when a technological "glitch" shuts down production. For healthcare companies, it's when servers shut down and your electronic health records become unavailable. No appointment scheduling. No access to patient records. No processing of payments.

Some estimates put average downtime costs at $14,056 per minute for small businesses and as high as $23,750 for large enterprises!

According to Xitoring, the usual suspect causes of downtime in any business are:

  • Human error
  • Internet outage
  • Malfunctioning hardware
  • Cybersecurity threats
  • Server instability
  • Software updates
  • Network issues

In the world of healthcare, however, IT downtime can result in patients missing critical appointments or surgeries, the loss of sensitive Personal Health Information (PHI), and providers receiving fines in the thousands or even millions of dollars for non-compliance. When server downtime strikes, every minute counts. Will you be ready?


For healthcare organizations, ransomware is by and large the greatest threat to PHI and the leading cause of significant EHR downtime. Ransomware is a form of malware that encrypts its victim's files. Restoring access to the data requires a ransom payment, usually in the form of Bitcoin. Depending on the particular situation, the amount can range from thousands of dollars to hundreds of thousands or more.

Downtime Statistics and Effects in Healthcare

Whether it is through data backups or cloud infrastructure, there are ways that organizations can better prepare for potential server downtime. The healthcare industry in particular is a highly coveted target for cybercriminals. Sensitive data targeted by ransomware can often yield large financial gains for the perpetrators.

Downtime in the healthcare industry is a critical situation. It goes beyond lost revenue and can be a life-or-death situation for patients relying on results or treatment powered by modern technology. It can also create uncertainty for both patients and providers who wait, not knowing how bad the potential damage on the other side of the attack may be.

Though large healthcare organizations can hold an extensive library of PHI and perhaps offer an even larger ransom payout, smaller providers are not off the hook.

According to the Secretary of the U.S. Department of Health and Human Services (HHS), between January 2024 and April 2025 there were 667 breaches of unsecured PHI affecting 500 or more individuals, with the number continuing to grow year over year. Data breaches of this scale almost always contribute to downtime as reaction and recovery commence.

For 14 consecutive years, healthcare organizations have held the dreaded reputation of having the highest data breach costs of any industry. In 2024, the average cost of a healthcare data breach was $9.77 million.

One of the best ways to avoid downtime, let alone financial ruin, is to protect against cybercrime. It is the one area that most organizations, including those in healthcare, can control (to a certain degree).

What is EHR Downtime?

When it comes to downtimes in healthcare, the most significant instances are those referred to as Electronic Health Record (EHR) downtime. This refers to any period in which an EHR system is either partially or fully unavailable. Not only is this disruptive to day-to-day operational flow, but it also poses risks to patient reporting. Believe it or not, most hospitals are not adequately prepared for such a situation.

Examples of Healthcare Downtime from Cyberattacks

Change Healthcare

In February 2024, the ransomware group BlackCat mounted a cyberattack against Change Healthcare, a subsidiary of UnitedHealth. This has become the largest healthcare data breach in U.S. history to date. The hackers stole patient data and locked important systems, demanding a $22 million ransom, which UnitedHealth paid. But even after the payment, the stolen data was not protected. As the largest healthcare company in the country, UnitedHealth has faced a long and expensive recovery that is still ongoing.

The impact of the breach has been massive. UnitedHealth recently said that up to 190 million people may have been affected, almost double the first estimate. The company spent $3.1 billion in 2024 to deal with the attack. Smaller healthcare providers were hit especially hard because Change Healthcare processes 15 billion transactions a year.

The system outage caused huge delays in care, billing, and prescriptions. UnitedHealth gave $8.5 billion in loans to help. This breach has shown how important strong cybersecurity is for the healthcare industry.

Ascension

In the spring of 2024, nonprofit health system Ascension experienced a ransomware attack that exposed the personal data of nearly 5.6 million people. The breach affected current and former patients, senior living residents, and employees, with potentially exposed data including Social Security numbers, medical and payment information, and insurance details. It ranks as the third-largest healthcare data breach reported to federal regulators.

The attack, which began when an employee downloaded a malicious file, caused system outages that disrupted patient care, including ambulance diversions and paused elective procedures.

The cyberattack also had serious financial consequences for Ascension, contributing to a $1.1 billion net loss for the fiscal year.

What Might Downtime Look Like at Your Organization and How Do You Calculate Its Loss?

Downtime can cost an organization more than just money; it can also damage reputations, productivity, opportunities and data. According to OpsWorksCo, organizations can calculate the cost of their downtime using the following equation:

Cost of Downtime = Lost Revenue + Lost Productivity + Recovery Costs + Intangible Costs

Nadeem Mustafa notes that, in a study by Uptime Institute, the average cost of downtime to hospitals is $25,000 per minute.

Further, a College of Healthcare Information Management Executives (CHIME) study found that a one-hour EHR outage can cost a medium-sized hospital $1.7 million, and up to $3.2 million for a large hospital.

The Bottom Line: Minimize Downtime

Cyberattacks can wreak havoc on an organization, regardless of the industry. However, in healthcare, besides financial and data losses, the downtime created by these types of attacks can inconvenience both clients and patients, many of whom require access to critical services or who have paid for services in advance.

The best way to minimize downtime at a healthcare organization is to develop and fund an effective cyberattack response plan. Educating employees on best practices and investing in modern technology, such as cloud solutions, can also protect organizations from costly cyberattacks.