Cyberattacks on Critical Infrastructure Disproportionately Impact Women, Yet Policy Remains Gender-Blind
Cyberattacks on essential services healthcare, education, and transportation are increasing in frequency and severity, with consequences that extend far beyond technical disruptions. While these incidents are often framed as neutral operational failures, their impacts are deeply gendered, disproportionately burdening women due to their structural roles in both the formal workforce and unpaid care labor. Despite this, U.S. cybersecurity policy continues to treat these effects as evenly distributed, undermining resilience and risk assessment.
Healthcare: Frontline Workers Bear the Brunt
Women make up 80% of the U.S. healthcare workforce, particularly in nursing and frontline care roles. When ransomware attacks such as the 2024 Change Healthcare breach, the largest in U.S. history disrupt digital systems, women absorb the immediate operational strain. Nurses must manually transcribe records, manage patient care without electronic alerts, and navigate heightened safety risks from delayed diagnostics. These disruptions also worsen maternal health outcomes, with outages increasing risks like delayed obstetric care and elevated maternal mortality, yet these consequences remain unmeasured in incident reports.
Beyond clinical settings, cyber-induced healthcare failures shift caregiving responsibilities back to households, where women perform the majority of unpaid labor. The lack of gender-disaggregated data obscures these compounding burdens, leaving policymakers with an incomplete understanding of systemic harm.
Education: Teachers and Caregivers Face Cascading Disruptions
The education sector has become a prime target for ransomware, with over 80% of U.S. K-12 schools experiencing cyber incidents between mid-2023 and late 2024. Women comprise 77% of K-12 educators and nearly 90% of elementary school teachers, meaning they bear the brunt of operational fallout managing disrupted curricula, reconstructing lost data, and addressing student anxiety during outages.
School closures further exacerbate gendered disparities, as women disproportionately absorb childcare responsibilities, leading to lost work time, reduced income, and increased stress. Despite these patterns, cybersecurity incident reports rarely document gendered workforce impacts or caregiving burdens, and the education sector remains undervalued in federal critical infrastructure definitions, reflecting a broader blind spot in resilience planning.
Transportation: Mobility Disruptions Hit Women Hardest
Cyberattacks on transit systems such as those affecting Pittsburgh Regional Transit, Kansas City Transportation Authority, and Oahu Transit Services disrupt payment systems and service availability. Women, who constitute the majority of public transit users, rely on these systems for caregiving, household management, and service-sector employment. Outages limit access to medical care, workplaces, and essential services, yet transportation cyber incident analyses rarely include gender-based assessments, leaving compounded burdens unaddressed.
Interconnected Systems: The Invisible Labor of Recovery
Critical infrastructure sectors are deeply interdependent, and disruptions in one area such as healthcare cascade into others, intensifying caregiving demands at home. When schools close, childcare responsibilities shift to families; when transit fails, access to essential services diminishes. Each of these burdens falls disproportionately on women, yet cybersecurity policy frameworks focus on technical interdependencies rather than social ones, failing to account for the gendered distribution of labor that underpins recovery.
Why Gender-Blind Cybersecurity Undermines National Security
The assumption that cyberattacks affect all demographics equally is not just inaccurate it weakens resilience. Women’s paid and unpaid labor acts as a buffer during crises, yet this labor remains invisible in incident reporting and unaccounted for in policy. Without gender-disaggregated data, risk assessments are incomplete, response efforts underestimate consequences, and recovery strategies fail to address the populations most affected.
The Path Forward: Secure-by-Design and Gender-Intentional Policy
Many cyber incidents stem from preventable software vulnerabilities, yet manufacturers face little accountability for insecure products. Addressing these root causes through secure-by-design standards, regulatory reforms, and liability frameworks would reduce harm, particularly for women, who disproportionately rely on public services.
A gender-intentional cybersecurity framework would:
- Center real users in threat modeling, accounting for how women engage with technology in work, caregiving, and transit.
- Measure gender-disaggregated impacts to improve risk assessment and resilience planning.
- Adopt human-centered security, designing policies that reflect actual user behavior rather than idealized assumptions.
Efforts like Critical Cyber and the Foundation Layer initiative are mapping real-world consequences of cyberattacks, emphasizing that digital resilience depends on the stability of the communities interacting with these systems. Without integrating gender analysis, cybersecurity strategies will continue to fail in practice leaving the most vulnerable populations to bear the costs of systemic failure.
Change Healthcare cybersecurity rating report: https://www.rankiteo.com/company/change-healthcare
Oahu Transit Services Inc cybersecurity rating report: https://www.rankiteo.com/company/oahu-transit-services-inc
Arkansas Department of Health cybersecurity rating report: https://www.rankiteo.com/company/arkansas-health-department
Unversity of Pittsburgh Medical Center - MWRI cybersecurity rating report: https://www.rankiteo.com/company/unversity-of-pittsburgh-medical-center---mwri
"id": "CHAOAHARKUNV1775594838",
"linkid": "change-healthcare, oahu-transit-services-inc, arkansas-health-department, unversity-of-pittsburgh-medical-center---mwri",
"type": "Cyber Attack",
"date": "2/2024",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"{'affected_entities': [{'industry': 'healthcare',
'location': 'U.S.',
'name': 'Change Healthcare',
'type': 'healthcare'},
{'industry': 'public transit',
'location': 'Pittsburgh, U.S.',
'name': 'Pittsburgh Regional Transit',
'type': 'transportation'},
{'industry': 'public transit',
'location': 'Kansas City, U.S.',
'name': 'Kansas City Transportation Authority',
'type': 'transportation'},
{'industry': 'public transit',
'location': 'Oahu, U.S.',
'name': 'Oahu Transit Services',
'type': 'transportation'},
{'industry': 'education',
'location': 'U.S.',
'name': 'U.S. K-12 schools',
'type': 'education'}],
'description': 'Cyberattacks on essential services such as healthcare, '
'education, and transportation are increasing in frequency and '
'severity, with gendered impacts disproportionately burdening '
'women due to their structural roles in both the formal '
'workforce and unpaid care labor. U.S. cybersecurity policy '
'continues to treat these effects as evenly distributed, '
'undermining resilience and risk assessment.',
'impact': {'operational_impact': ['manual transcription of records in '
'healthcare',
'disrupted curricula in education',
'transit payment system outages'],
'systems_affected': ['healthcare', 'education', 'transportation']},
'lessons_learned': 'Cyberattacks disproportionately impact women due to their '
'structural roles in the workforce and unpaid care labor. '
'Gender-blind cybersecurity policy undermines resilience '
'and risk assessment. Gender-disaggregated data is needed '
'to improve risk assessment and resilience planning.',
'post_incident_analysis': {'corrective_actions': ['Integrate gender analysis '
'into cybersecurity '
'frameworks.',
'Adopt secure-by-design '
'standards and regulatory '
'reforms.'],
'root_causes': ['preventable software '
'vulnerabilities',
'gender-blind cybersecurity '
'policy']},
'recommendations': ['Center real users in threat modeling, accounting for '
'gendered engagement with technology.',
'Measure gender-disaggregated impacts to improve risk '
'assessment and resilience planning.',
'Adopt human-centered security policies reflecting actual '
'user behavior.',
'Implement secure-by-design standards, regulatory '
'reforms, and liability frameworks to reduce preventable '
'vulnerabilities.'],
'references': [{'source': 'Critical Cyber'},
{'source': 'Foundation Layer initiative'}],
'title': 'Cyberattacks on Critical Infrastructure Disproportionately Impact '
'Women, Yet Policy Remains Gender-Blind',
'type': ['ransomware', 'cyberattack'],
'vulnerability_exploited': ['preventable software vulnerabilities']}