What is an example of a ransomware attack in healthcare?

Ransomware attacks have become an increasing threat to healthcare organizations in recent years. Ransomware is a type of malicious software that encrypts an organization’s files and demands a ransom payment in order to regain access. Healthcare organizations are an attractive target for ransomware attacks due to the sensitive nature of patient data and the critical need for access to medical records and systems. A successful ransomware attack can cripple a healthcare facility’s operations and put patients’ lives at risk.

One high-profile example of a ransomware attack impacting healthcare was the WannaCry attack in 2017. WannaCry was a widespread ransomware campaign that affected over 200,000 computers across 150 countries. Healthcare organizations were among the hardest hit, with major disruptions to medical services in the UK, where it infected systems at over a third of NHS trusts in England. This attack highlighted the vulnerabilities of healthcare networks and the potentially devastating effects of ransomware.

How the WannaCry Ransomware Spread

The WannaCry ransomware spread quickly through healthcare networks by exploiting a vulnerability in older Windows operating systems. It was one of the first prominent ransomware strains to self-propagate, using an exploit for a Windows SMB vulnerability known as EternalBlue. The EternalBlue exploit was originally developed by the U.S. National Security Agency and was leaked in 2017 by a hacker group called Shadow Brokers. The leak of these Windows exploits allowed cybercriminals to use them in malicious attacks like WannaCry.

Once WannaCry infected an initial system on a network, it could then automatically spread to other unpatched Windows computers on the same network. It acted like a computer worm, scanning for vulnerable systems, embedding itself, and repeating the process to spread further. This enabled it to propagate rapidly across healthcare facilities, where many systems were running outdated Windows platforms, such as Windows XP, that were no longer supported with security patches.

Impact on Healthcare Systems

In the UK’s National Health Service (NHS), WannaCry ransomware infected thousands of computers, forcing hospitals to divert ambulances, postpone non-urgent surgeries and appointments, and disrupt diagnostic services. Some hospitals had to fully shut down IT systems to contain the malware. Medical staff reverted to using pen and paper and had limited access to patient records, medical history, X-rays, and test results, complicating care. The attack showcased how dependent modern healthcare has become on digital systems and technology.

Beyond the NHS, WannaCry also affected healthcare operations globally. In Singapore, electronic medical record systems were knocked offline. In the United States, the Heritage Valley Health System had to cancel surgeries and divert ambulances, as the NHS did. Medical devices like MRI machines reportedly became locked by the ransomware in some hospitals.

Ransom Demands

WannaCry demanded ransom payments of $300-$600 in Bitcoin to unlock encrypted systems. Despite the small ransom, the scale of infections enabled it to generate almost $140,000 in payments in just the first few days. However, even paying the ransom did not guarantee recovering data, as the ransomware authors provided no support. Due to the public spotlight on the campaign, direct ransom payments tapered off.

Ultimately WannaCry was halted by a cybersecurity researcher who discovered a “kill switch” domain that disabled the ransomware when registered. This allowed organizations to harden defenses and patch the underlying Windows vulnerabilities before attacks resumed.

Long-Term Impact and Costs

The WannaCry outbreak of 2017 served as a wake-up call for healthcare’s ransomware risks. Though direct ransom costs were limited, the total economic costs were estimated at $4-8 billion, accounting for disruptions and recovery efforts. Up to 19,000 medical appointments were cancelled in the UK alone.

The cyberattack showcased glaring vulnerabilities in legacy systems, lack of robust cybersecurity measures, and inefficient patching and upgrade processes in healthcare. Medical facilities began to place greater priority on IT security assessments, network segmentation, modernization of outdated systems, cybersecurity training, and incident response planning.

However, ransomware remains an ongoing threat for healthcare systems. Attacks continue to impact hospitals, specialty clinics, and medical centers on a regular basis. In 2021, over 45 healthcare providers were affected by ransomware, with average downtime of up to 36 days. The estimated cost of ransomware attacks on US healthcare is projected at $4.5 billion in 2022.

Lessons Learned

The major lessons learned from WannaCry’s impact include:

  • The need for rigorous cybersecurity and keeping software updated with the latest security patches
  • Not relying on outdated operating systems like Windows XP that are past end-of-life support
  • Network segmentation and isolation to prevent malware spread across systems
  • Backing up critical data regularly and keeping backups offline and protected
  • Developing cyber incident response plans for scenarios like ransomware
  • Cybersecurity awareness training for staff to recognize threats
  • Potential benefits of cyber insurance to help offset financial costs of an attack

Long-Term Healthcare Cybersecurity Efforts

In the years since WannaCry, healthcare organizations have taken steps to improve cyber resilience including:

  • Setting up Security Operations Centers (SOCs) to continuously monitor networks
  • Penetration testing to find and fix vulnerabilities proactively
  • Transitioning to supported operating systems like Windows 10
  • Installing security software like anti-malware and firewalls
  • Applying system patches and upgrades as soon as available
  • Training staff to be wary of phishing emails and suspicious links
  • Increasing network segmentation and access controls
  • Acquiring cyber insurance plans to help cover costs of an attack

However, progress has been uneven, and many medical facilities still lag on cybersecurity. The healthcare sector is challenged by tight budgets, legacy technology constraints, increasing digital attack surfaces, and lack of IT security personnel. Ransomware remains an ongoing critical threat, with new variants emerging frequently.

Recent Healthcare Ransomware Trends

While WannaCry highlighted ransomware risks, attacks have only grown more sophisticated and targeted in the years since. Some trends include:

  • Targeting critical infrastructure – Attacks increasingly focus on hospitals, clinics, public health agencies, medical laboratories, and other critical healthcare functions
  • Triple extortion – In addition to encrypting data, some ransomware now also threatens to leak stolen information and launch DDoS attacks unless paid
  • Ransomware-as-a-service – Offers ransomware toolkits for easy purchase on dark web forums, expanding the pool of potential attackers
  • High ransom demands – Average ransom payment increased 78% YoY to ~$250,000 in 2021
  • Sophisticated tactics – Leveraging tactics like social engineering, vulnerabilities in third-party vendors, and supply chain attacks to infect systems

Major strains like Ryuk, Conti, CLOP, and MountLocker have extracted tens of millions in ransoms from the healthcare sector. Patient care continues to be impacted by loss of access to critical systems and data for prolonged periods.

Ransomware Defense Strategies

Healthcare organizations can apply several strategies to reduce ransomware risks:

  • Implement defense-in-depth with firewalls, network segmentation, endpoint security, access controls, and intrusion detection across infrastructure
  • Patch and update systems promptly, disable unnecessary services and ports
  • Backup critical data regularly with air-gapped, offline storage and recovery testing
  • Control access with least privilege and multifactor authentication
  • Provide cybersecurity training to teach employees how to spot suspicious emails and links
  • Monitor networks closely for irregular activity that may indicate compromise
  • Develop and test incident response plans for scenarios like ransomware
  • Leverage services like penetration testing to find and address vulnerabilities
  • Consider cyber insurance to help cover costs, but focus on prevention first

Staying vigilant and continually assessing and improving defenses is key to managing the evolving ransomware threat.

Table: Major Healthcare Ransomware Attacks Since 2017

| Date | Entity | Details |
|---|---|---|
| May 2017 | NHS England | WannaCry attack disrupted medical services at ~80 NHS trusts |
| Jan 2018 | Hancock Health | Systems disabled, paid $55,000 ransom |
| March 2018 | Allscripts | EHR vendor infected, disrupted thousands of physician practices |
| Oct 2018 | LifeBridge Health | Forced to paper records, paid undisclosed ransom |
| June 2019 | Lake City, FL | City system infiltration, paid $460,000 ransom |
| Sept 2020 | Universal Health Systems | 400+ facilities affected, caused ambulance diversions |
| Oct 2021 | Sutter Health | Patients redirected, chemo appointments postponed |
| March 2022 | Advocate Aurora Health | Over 1,000 clinics & hospitals impacted, caused surgery delays |

Conclusion

Ransomware remains an ever-present threat to healthcare organizations of all sizes, putting patient health and safety at risk. Major attacks like WannaCry demonstrate the potential for massive care disruption when these threats are underestimated and defenses are lacking. Since 2017, assaults have only grown more sophisticated and targeted.

There is no foolproof way to completely eliminate the risk. Healthcare providers must continue to prioritize cybersecurity, practice defense-in-depth, keep systems patched and secured, control access, develop incident response plans, and follow best practices. Staying vigilant and resilient is key to navigating the ransomware threat landscape now and into the future. Though challenges remain, the healthcare sector must continue progress toward stronger cyber protections to safeguard patient wellbeing.