In May 2026, healthcare logged 38 ransomware attacks, according to Comparitech's monthly tracking — down about 21 percent from April, even as the overall count climbed to 661 logged attacks. But the raw monthly volume undersells the problem. Comparitech's read on the year is that healthcare attacks are declining in number while escalating in impact, and across the first five months of 2026 the sector still absorbed more than 200 attacks, a roughly 10 percent rise over the same span in 2025. That is the pattern that has held for years: when attackers want leverage, they go where lives are on the line and where the pressure to pay is hardest to resist — and a dip in one month does not change the math.
The policy world has noticed. In April, a former senior FBI cyber official told Congress that the United States should consider treating ransomware crews who attack hospitals the way it treats terrorist organizations. It is a striking proposal, and it deserves a serious look — not a reflexive cheer or a reflexive dismissal. So let us take the surge and the policy debate on their own terms, then talk about what actually keeps a hospital running when the encryption starts.
Why Healthcare Keeps Losing
The reason hospitals get hit so often is not mysterious, and it is not mainly about weak passwords. It is about leverage. When a ransomware gang locks up a hospital's systems, the consequences are immediate and physical: ambulances get diverted, dialysis slips, surgeries are postponed, and clinicians fall back to paper. That urgency is exactly what the attacker is selling back to you. The faster a downed system threatens patient care, the more likely the victim pays.
The threat ecosystem behind those 38 healthcare attacks is not slowing down or consolidating either. Qilin led all groups in May, naming dozens of victims across every sector. A field of many active, competing crews is not a cartel you can decapitate with one indictment. It is a churning market where affiliates rotate between brands, infrastructure gets rebuilt in weeks, and "data extortion" increasingly happens with no encryption at all — just the theft and threatened publication of patient records. For a hospital, a leak of protected health information can be as damaging as a locked EHR.
The Terrorism Proposal, In Its Own Words
The case for treating these attacks as terrorism was made by Cynthia Kaiser, who served as deputy assistant director in the FBI's Cyber Division from 2022 to 2025 and is now a senior vice president at Halcyon's Ransomware Research Center. In testimony before the House Homeland Security Committee on April 21, 2026, first reported by Nextgov/FCW, she argued that attacks on life-safety infrastructure can meet the legal definition of terrorism.
Her framing was deliberate:
"When a ransomware gang encrypts a hospital's systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within those definitions."
Kaiser pointed to Executive Order 13224 as a possible vehicle for terrorism designations. She went further still, suggesting prosecutors examine whether the federal felony murder rule could apply when an attack on a healthcare facility results in a documented patient death. On the scale of harm, she did not mince words, estimating that the true number of lives lost to ransomware is "almost certainly in the hundreds."
What a Designation Would Actually Do
It helps to be specific about what a terrorism designation buys, because the word carries weight that the mechanism may not fully deliver.
The genuine upside is leverage of a different kind. A formal designation would let U.S. intelligence agencies expand collection against named groups and their infrastructure, and it would raise the diplomatic cost for countries that knowingly harbor these actors. Sanctions-style designations also reshape the economics: paying a designated entity can become a legal liability for the victim, which over time pushes the whole market away from "just pay and move on." That second-order effect — making payment radioactive — may matter more than the label itself.
The honest counterweight is that most of these operators sit in jurisdictions that already ignore U.S. indictments. A designation does not put handcuffs on anyone who is comfortably outside an extradition treaty. There is also a real risk of definitional creep: if hospital ransomware is terrorism, what about an attack on a water utility, a school district's payroll, or a regional pharmacy chain? The line between "critical, life-safety infrastructure" and "important but not life-threatening" is genuinely hard to draw, and broad national-security authorities have a way of stretching once they exist. The felony murder angle is harder still — proving that a specific death was caused by an outage, to a criminal standard, against a defendant you cannot arrest, is a steep climb.
None of this makes the proposal wrong. It makes it a tool with a specific shape: strong on deterrence economics and intelligence reach, weak on the parts that require physically reaching the attacker. Worth pursuing, worth scoping carefully, and not a substitute for the boring work that actually keeps patients safe.
The Defenses That Matter More Than the Label
Whatever Congress decides, no policy will decrypt a server at 2 a.m. The defenses that determine whether a hospital survives an attack are operational, and most of them are unglamorous.
Start with recovery, not prevention. The single biggest predictor of how badly a ransomware event hurts is how fast and how cleanly you can restore. That means tested, offline or immutable backups, a recovery runbook that has actually been rehearsed, and a clear-eyed estimate of how long care can continue on paper. Hospitals that can fail over to downtime procedures without panic take away the attacker's core leverage.
Then close the doors most often used. The recurring entry points have not changed much: exposed remote access, unpatched internet-facing systems, stolen credentials without phishing-resistant multi-factor authentication, and over-trusted third parties. That last one is where healthcare is uniquely exposed. A modern hospital runs on a sprawl of vendors — imaging platforms, billing services, EHR add-ons, transcription tools, remote monitoring devices — and many of the worst recent incidents started not inside the hospital but at a supplier or a shared software component. Third-party risk is patient risk.
Finally, assume extortion without encryption. Because so many crews now steal data and threaten to leak it, segmentation and data minimization matter even if your backups are flawless. Knowing exactly which systems hold protected health information, and limiting who and what can reach them, shrinks the blast radius when — not if — someone gets in.
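To make the segmentation point concrete, here is an added example (not from the sources cited in this article) that computes which protected-health-information systems each common entry point can reach through allowed network flows, and how removing one flow shrinks that set. The system names, PHI tags and flow rules are constructed for illustration; a real inventory would come from your own asset and firewall data.

```python
from collections import deque

# Constructed inventory (hypothetical names): system -> holds PHI?
PHI = {"ehr-db": True, "pacs-archive": True, "billing-app": True,
       "vendor-jump": False, "vpn-gw": False, "imaging-ws": False,
       "hr-portal": False, "print-srv": False}

# Constructed allowed flows (source -> destinations), as distilled from firewall rules.
FLOWS = {
    "vpn-gw": ["imaging-ws", "hr-portal", "print-srv"],
    "vendor-jump": ["imaging-ws", "billing-app"],
    "imaging-ws": ["pacs-archive", "print-srv"],
    "print-srv": ["ehr-db"],      # legacy rule: print server may query the EHR database
    "billing-app": ["ehr-db"],
}

# Entry points named in the text: remote access and a third-party vendor connection.
ENTRY_POINTS = ["vpn-gw", "vendor-jump"]

def reachable(flows, start):
    """Breadth-first search; returns {system: shortest path from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def phi_exposure(flows, phi, entry_points):
    """For each entry point, the PHI systems it can reach and the path to each."""
    report = {}
    for ep in entry_points:
        paths = reachable(flows, ep)
        report[ep] = {s: p for s, p in paths.items() if phi.get(s) and s != ep}
    return report

def without_flow(flows, src, dst):
    """Copy of the flow map with one allowed flow removed (a tightened rule)."""
    return {s: [d for d in ds if (s, d) != (src, dst)] for s, ds in flows.items()}

if __name__ == "__main__":
    for label, flows in [("current", FLOWS),
                         ("print-srv -> ehr-db removed",
                          without_flow(FLOWS, "print-srv", "ehr-db"))]:
        print(label)
        for ep, hits in phi_exposure(flows, PHI, ENTRY_POINTS).items():
            for system, path in sorted(hits.items()):
                print(f"  {ep} reaches {system}: {' -> '.join(path)}")
```

In this constructed data the vendor connection still reaches the EHR database through the billing application after the print-server rule is removed, which is the kind of transitive path a per-rule review tends to miss.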
How Safeguard Helps
A lot of healthcare's exposure lives in the software supply chain: the vendors, packages, and AI components stitched into clinical systems. Safeguard maps that surface with AIBOM and SBOM analysis, runs vendors through TPRM workflows and a vendor scorecard backed by a policy registry, and enforces policy gates so a risky component or unvetted supplier does not reach production unnoticed. Our Multi-Agent TAOR Deep Think AI Engine adds a verification and orchestration layer above any single model — model-agnostic by design, so engines like Anthropic Mythos or OpenAI Daybreak plug in as components while multi-agent verification cuts the false positives that bury overstretched healthcare security teams. If you want to see where your supply chain is most exposed before an attacker does, reach out.
Sources: Comparitech ransomware roundup, May 2026; Nextgov/FCW on the terror designation proposal.