A Comparative Evaluation of Machine Learning and Deep Learning Models for Healthcare Ransomware Prediction: Architecture Alignment, Feature Importance, and Deployment Strategy
Ransomware threats against healthcare organizations are on the rise and increasingly disrupt critical patient care operations, yet current cybersecurity approaches are mostly reactive rather than proactive. This study addresses the critical knowledge gap regarding optimal algorithmic approaches for healthcare ransomware threat prediction through a systematic comparative evaluation of traditional machine learning versus deep learning methodologies on small-scale tabular cybersecurity datasets characteristic of healthcare security operations. The study uses the Healthcare Ransomware Dataset, which contains 5,000 simulated attack records with no missing values across 16 attributes capturing organizational attributes, attack characteristics, and outcome metrics. It evaluates eight machine learning algorithms (Logistic Regression, Decision Tree, Random Forest, Gradient Boosting, Extra Trees, AdaBoost, Naive Bayes, K-Nearest Neighbors) and eight neural network architectures (Simple Deep Neural Network, Wide Deep Neural Network, Residual DNN, CNN_1D, LSTM, GRU, Ensemble DNN) across five performance dimensions: accuracy, precision, recall, F1-score, and ROC-AUC. According to the feature importance analysis, there is a strong correlation between organizational size (27.94%), recovery time (16.18%), and data restoration (12.06%), which together account for 56% of the predictive power. Gradient Boosting achieved 84.1% accuracy with 95.19% ROC-AUC, and Simple DNN was the best deep learning architecture with 85.2% accuracy and 95.44% ROC-AUC using only 12,355 parameters. Compared to machine learning (5.19%), deep learning demonstrated significantly lower performance variance (1.64% standard deviation). The sequential architectures (CNN_1D, LSTM, GRU) consistently underperformed by 2.6-4.5 percentage points, confirming the architectural mismatch for unordered tabular features.
Based on the results of the analysis, Simple DNN provides the highest predictive accuracy (85.2%) for healthcare ransomware threat assessment. Architectural complexity beyond shallow dense networks yields diminishing returns without improving accuracy. Compared to traditional machine learning approaches, deep learning offers superior consistency across a variety of architectures. It is recommended that Simple DNN be deployed as the primary prediction model and Gradient Boosting be used as the fault-tolerant backup model. High priority should be placed on the eight top features, which capture 90 percent of the predictive power of the data. For unordered tabular cybersecurity data, sequential architectures (CNNs, LSTMs, GRUs) should be avoided.