What is ransomware in healthcare?

Ransomware is a type of malicious software that infects computer systems and restricts users’ access to their files or threatens the permanent destruction of their data unless a ransom is paid. Healthcare organizations have become a major target for ransomware attacks in recent years due to the sensitivity of patient data and the disruption that such attacks can cause to critical healthcare operations.

What are the main types of ransomware?

There are several main types of ransomware that have been used in attacks on healthcare organizations:

  • Locker ransomware – This type of ransomware locks users out of their devices or files but does not encrypt the data. Instead, it simply restricts access until the ransom is paid.
  • Encrypting ransomware – This type of ransomware encrypts files on infected systems so they cannot be accessed. Two major variants seen in healthcare attacks are CryptoLocker and CryptoWall.
  • Doxware – This threatens to publish sensitive stolen data online unless the ransom is paid. This can include personal/medical information from patient records.
  • Ransomware-as-a-Service (RaaS) – This allows cybercriminals to subscribe to ransomware kits on the dark web that enable custom attacks without needing coding expertise.

How are ransomware attacks initiated in healthcare?

There are several common infection methods used by ransomware against healthcare providers:

  • Phishing emails – Malicious email attachments or links can install ransomware when opened by users. Email impersonation tactics are used to trick users.
  • Drive-by downloads – Visiting compromised websites can trigger automatic ransomware downloads.
  • Remote desktop protocol (RDP) access – Brute force attacks on internet-facing RDP servers allows network access for ransomware deployment.
  • Software vulnerabilities – Exploiting unpatched software/OS vulnerabilities allows ransomware execution.
  • Insider threats – Malicious or compromised users initiating attacks from inside the network, either intentionally or not.

Poor cybersecurity practices, like lacking updated endpoint protection, make healthcare organizations vulnerable to these infection tactics.

What are some notable healthcare ransomware attacks?

Some major ransomware incidents impacting healthcare include:

  • 2021 – Ireland’s national healthcare system, the HSE, suffers a Conti ransomware attack causing widespread care disruptions. Over $100 million is spent recovering.
  • 2020 – A wave of Ryuk and Sodinokibi ransomware attacks hit hospitals amidst the COVID-19 pandemic, disrupting patient care at facilities across the U.S.
  • 2017 – WannaCry ransomware spreads globally, forcing the UK’s NHS to divert ambulances and cancel appointments as 16 hospitals are hit.
  • 2016 – Hollywood Presbyterian Medical Center pays $17,000 in Bitcoin to decrypt files after a Locky ransomware attack.
  • 2021 – a Kronos ransomware attack affects workforce management software used by healthcare providers, causing care delays.

These examples highlight how ransomware can directly impair hospital operations and patient treatment.

How do ransomware payments work?

If ransomware successfully encrypts files, payment is demanded from the victim to receive a decryption key. Payments typically occur via:

  • Cryptocurrencies like Bitcoin – Harder to track and seize payments
  • Ransomware payment sites – Facilitate negotiations and payments
  • Prepaid gift cards – More anonymous payment method

The average ransom payment in 2021 was around $200,000. Hospitals and large organizations usually pay higher ransoms, sometimes over $1 million.

Should healthcare organizations pay ransomware demands?

This is a complex issue without consensus. Potential advantages of paying include:

  • Faster restoration of computer systems and patient records
  • Avoiding reputation damage or lawsuits over data loss
  • Preventing lengthy outage of critical healthcare services

However, paying ransoms also has risks:

  • No guarantee files will be recovered
  • Payment funds and encourages more attacks
  • May be considered illegal/unethical
  • Data may still leak despite payment

Ultimately, the decision depends on the specific circumstances of an incident. But in general, payment should be an absolute last resort.

What HIPAA requirements apply to ransomware response?

Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers must:

  • Conduct risk analyses of their environments
  • Implement policies and safeguards to manage identified risks
  • Report data breach incidents to HHS and affected patients

A ransomware attack that impacts protected health information (PHI) is considered a HIPAA data breach unless the organization can demonstrate there is a “low probability” PHI was compromised. Otherwise, standard HIPAA breach notification duties apply.

What are the consequences of ransomware for healthcare organizations?

Ransomware can severely disrupt operations and finances:

  • Patient treatment delays, appointment cancellations, ER diversions
  • Medical errors and adverse outcomes due to lack of access to records
  • Revenue/productivity losses from downtime
  • Permanent loss of medical data if backups are impacted
  • Remediation, recovery, and legal costs
  • Reputational damage and loss of patient trust

This underscores the importance of ransomware prevention, resilience, and response planning for healthcare providers.

How can healthcare organizations prevent ransomware infections?

Key ransomware prevention measures include:

  • Staff cybersecurity training – Reduce human error risks through security awareness education.
  • Network segmentation – Limit lateral movement after breaches via subnetting, VLANs, and access controls.
  • Patch management – Promptly apply software patches to fix vulnerabilities exploit by ransomware.
  • Endpoint protection – Deploy advanced anti-malware tools on hosts to block and detect ransomware.
  • Restrict administrator privileges – Limit users to only essential system/application permissions.
  • Backup regularly – Maintain recent copies of critical data and systems for recovery.

A defense-in-depth approach across technological and human aspects is required to minimize attack surface.

How can healthcare providers improve ransomware resilience?

Steps to boost ransomware resilience include:

  • Implementing RBAC to limit access and restrict lateral movement
  • Having layered backups and “air-gapped” offline storage
  • Developing incident response playbooks and workflows
  • Building capacity to shift operations across facilities
  • Increasing infrastructure and application redundancy
  • Isolating and segmenting critical systems
  • Securing public-facing services like RDP with MFA

This enables maintaining continuity of operations during attacks and rapid system restoration afterwards.

What should be included in a ransomware response plan?

An effective ransomware response plan should cover:

  • Incident response team roles and responsibilities
  • Escalation procedures for reporting incidents
  • Guidance on containing infections to limit spread
  • Continuity plans for affected operations and systems
  • Cyber insurance policy incident response provisions
  • Public relations strategy for dealing with media
  • Compliance with breach notification laws and regulations
  • Procedures for assessing data/system integrity post-attack
  • Cybersecurity improvement roadmap based on response learnings

Plans should be frequently updated through tabletop exercises that simulate ransomware response scenarios.

Should ransom payments be covered by cyber insurance?

Increasingly, cyber insurance policies expressly exclude coverage of ransom payments under “sanctions clauses” due to concerns over funding criminal activity. Some insurers may pay ransoms at their discretion, but this is becoming less common.

However, policies usually cover costs for:

  • Forensic investigation of incidents
  • Malware removal and remediation
  • Hiring specialist incident response firms
  • Restoring data from backups
  • Crisis management/PR services
  • Legal assistance
  • Regulatory compliance fees

Careful policy review is needed to understand exactly what response costs are covered.

How can healthcare security be improved to stop ransomware?

Fundamentally improving healthcare’s security posture involves:

  • Increasing cybersecurity staffing and budgets commensurate with risks
  • Implementing cybersecurity frameworks like NIST CSF to standardize practices
  • Developing comprehensive data security architectures and controls
  • Improving third-party/supply chain cyber risk management
  • Performing regular penetration testing and addressing vulnerabilities
  • Using technologies like deception to detect threats inside networks
  • Centralizing logging/monitoring to enable rapid incident alerting

This transforms cybersecurity from an afterthought into an organization-wide strategic priority.

What government resources help healthcare organizations combat ransomware?

Key government initiatives and resources include:

  • HHS Office of Civil Rights (OCR) – Guidance on HIPAA compliance during cyberattacks
  • NIST Cybersecurity Framework – Standards for cyber risk management programs
  • CISA/FBI alerts – Timely ransomware threat intelligence updates
  • DOJ Cyber-Digital Task Force – Reports on ransomware prosecution strategies
  • HHS ARA Program – Cyber preparedness resources for healthcare

Close public-private cooperation is vital in the fight against ransomware in healthcare.


Ransomware poses severe risks to healthcare organizations that can undermine patient care and safety. Combating this threat requires comprehensive preparedness and defense across technological, policy, training, and staffing domains. While challenges persist, continued awareness building, information sharing, and tapping government/industry resources will help strengthen healthcare’s ransomware resilience over time. Healthcare CIOs, CISOs, and other leaders play pivotal roles in spearheading these continuous security improvements.