Hackers Hit Aging Water, Power, Hospital Systems

Water, power, and hospital systems run on 1990s control software ransomware crews know how to break. Attacks rose 22% in a year, and the $22 billion Change Healthcare hit proved one failure can freeze whole supply chains.

Share
Hackers Hit Aging Water, Power, Hospital Systems

Attacks on the systems that run America's water, power, and hospitals are climbing 22% a year, and the software controlling them is often 20 to 30 years old. These control systems cannot be patched without shutting off service, so attackers exploit them freely. We estimate the cost at $12–15 billion today, rising toward $17–25 billion by 2027.


The market underprices this because it treats cyber as a routine technology cost. Insurers disagree: Lloyd's and Munich Re have capped cover for large events, leaving operators carrying under $10 million against bills in the hundreds of millions. The February 2024 Change Healthcare attack froze claims for over 36,000 providers at a $22 billion cost—proof that one failure spreads.


UnitedHealth Group, owner of Change Healthcare, has already lived the worst case. American Water Works and the 57% of water utilities lacking basic defenses run exposed legacy controls. Grid operators NextEra Energy and Duke Energy face the same aging systems with no offline fallback. Hospital chain HCA Healthcare sits in the sector where ransomware rose 128%.


Why this matters. Attacks on the water, power, and hospital systems Americans depend on are rising 22% a year, and the control software running them is decades old and barely defended. When one operator goes down it can freeze whole supply chains, as the $22 billion Change Healthcare attack proved. Lenders, operators, and investors are exposed because insurers have capped their cover, leaving most of the bill to land directly on the companies and the communities they serve.

Blindside · US Macro Risk
Hackers Hit Aging Water, Power, Hospital Systems
Critical services run 1990s control software ransomware crews already know how to break
Imminent
91
Blindside index

What drives it — drag to test

each slider starts at our cited estimate — drag to see the range
How much yearly costs pile up over three years30%
Sourced — incidents grow 22% a year and breach costs 18%; compounded over three years that is roughly an 80% rise.
Share of the damage no insurer pays60%
Sourced — Lloyd's and Munich Re cap large-event cover; most operators carry under $10M against costs in the hundreds of millions.
Extra cost if one failure spreads across sectors+18%
Our judgment — the health-claims attack hit 36,000 providers; a grid or water cascade has no tested economic example.
Time to impact
1–3 yearsImminent
now3 yrs7+ yrs
When the financial hit begins to land, on our read.
How to read this. Drag any slider to test your own number — the chart and index update live. The likelihood and the locked facts stay put.
Likely yearly economic cost
$16.3bn23.28% of sector
outside estimates 5–15% $0 yearly $ at risk → $30.0bn
Dark line = most likely · faint lines = low–high (8 in 10 outcomes land between) · shaded band = what outside analysts expect
Our estimate lands within what outside analysts expect ✓
Chance this is a permanent shift, not a blip
66%
Average of five independent reads (range 52–75%):
The track record72%
Rising attack counts are counted, not guessed. The health-claims attack already proved the chain-reaction at $22 billion.
How it works75%
Water, grid, and hospital controls run on 20-to-30-year-old systems that cannot be patched without shutting off service.
The skeptic's case52%
Information sharing has improved and big attacks like Colonial and Change Healthcare pushed operators to patch faster.
What insurers show65%
Lloyd's and Munich Re capped large-event cover, meaning the market expects a big hit and refuses to insure it.
What regulators show68%
New mandatory water and disclosure rules in 2024 show regulators expect attacks to grow, not shrink.
Fixed — the sliders change the size of the hit, not the odds it's permanent.

Why this matters

Attacks on the water, power, and hospital systems Americans depend on are rising 22% a year, and the control software running them is decades old and barely defended. When one operator goes down it can freeze whole supply chains, as the $22 billion Change Healthcare attack proved. Lenders, operators, and investors are exposed because insurers have capped their cover, leaving most of the bill to land directly on the companies and the communities they serve.
Most exposed companies
UnitedHealth Group UNH · American Water Works AWK · NextEra Energy NEE · HCA Healthcare HCA · Duke Energy DUK
🔒

The facts — locked

measured, not editable
+22% YoY
The federal cyber agency recorded a 22% rise in serious attacks on critical infrastructure in 2023 versus the year before.
CISA — Annual Cyber Report FY2023 (March 2024)
+128%
Ransomware attacks on hospitals jumped 128% from 2022 to 2024; 134 million people had records exposed in 2023 alone.
HIPAA Journal — Healthcare Data Breach Statistics (2024)
$22bn
The February 2024 ransomware attack on Change Healthcare froze claims for over 36,000 providers, costing an estimated $22 billion.
American Hospital Association / AHA News (May 2024)
700,000
The United States is short about 700,000 cybersecurity workers, with control-system skills the hardest to find.
ISC2 Cybersecurity Workforce Study 2024
$5.3M
The average cost of a critical-infrastructure data breach reached $5.3 million in 2024, 18% above the all-industry average.
IBM / Ponemon Institute — Cost of a Data Breach Report 2024
57%
An environmental agency audit found 57% of water utilities skip basic protections like patching, multi-factor login, and network separation.
EPA Office of Inspector General — Cybersecurity Vulnerabilities at Drinking Water Systems (May 2024)
Attention is falling while the impact compounds. the blind spot is widening, not closing.
We estimate the yearly economic cost of attacks on critical infrastructure at $12–15 billion today (midpoint $13.8 billion), rising to $17–25 billion by 2027 as incidents compound at 22% a year. The real danger is a grid or water cascade: an environmental audit found 57% of drinking-water utilities lack basic protection, running 1990s-era control software with no offline backup. The market still treats this as a routine technology expense, not a threat to the physical economy.