Healthcare organizations continue to be primary targets for ransomware attacks. Some of the well-publicized attacks from the last few years highlight the severe impact these attacks can have on healthcare organizations and patients.
Major Healthcare Ransomware Attacks
In 2020, Universal Health Services—one of the largest U.S. hospital management companies—faced a large-scale ransomware attack that forced the shutdown of essential IT systems. The organization diverted ambulances to other facilities and canceled surgeries. Ultimately, Universal Health Services reported losing $67 million because of the incident.
In 2021, Scripps Health—a San Diego–based health system—suffered a ransomware attack that affected its business systems for weeks. Disruptions to services led to more than $100 million in lost revenues. The organization paid millions more as a result of class-action lawsuits brought by patients.
More recently, in 2024, UnitedHealth Group’s Change Healthcare electronic clearinghouse was subject to a very large ransomware attack, with far-reaching consequences. The attack cut the link between medical providers and insurance companies, leaving numerous hospitals, pharmacies, and other healthcare organizations unable to transmit patient claims and receive payment for their services. Patients were unable to fill essential prescriptions.
How can your organization prepare for a ransomware attack? The first step is understanding what ransomware is, how it works, and why healthcare organizations are prime targets. You can then begin to develop a more robust cybersecurity strategy that can prevent attacks and reduce potential damage.
What is Ransomware?
Ransomware is malicious software that encrypts data, preventing authorized users from accessing it. Attackers demand ransom in exchange for providing the decryption key. As ransomware attacks have evolved, attackers have often added threats, for example, threatening to steal (and sell) sensitive data or to attack partner organizations.
Ransomware attacks can start with a simple phishing scheme, a network intrusion, or a drive-by download, in which hackers send malware to a device without the user’s knowledge. With phishing, users might be tricked into entering login credentials on a fake website, giving attackers access to the enterprise network. Once the attackers or their malware enter the network, the malware can then spread across systems, encrypting data or otherwise locking users out of systems.
Why Healthcare Is Vulnerable to Ransomware
Healthcare organizations are attractive targets for ransomware gangs and other cybercriminals. Medical and billing records contain highly valuable personal information that hackers can steal and sell. Even if data theft is not part of their plan, attackers know that holding patient data hostage and disrupting operations can spur healthcare organizations to pay ransoms quickly.
Just as important, healthcare IT environments are often particularly vulnerable to attacks. Many organizations have legacy systems that are not well protected against the latest threats. With only modest security investments, organizations often lack the tools and in-house expertise to identify and stop attacks before they do significant damage.
Consequences of Healthcare Ransomware Attacks
At a minimum, ransomware attacks on healthcare organizations can disrupt a range of essential operations, from providing hospital services to processing insurance claims. As malware locks users out of systems and internal IT teams shut down other systems to stop the infection from spreading, staff members must resort to manual processes.
The financial costs of a breach can be devastating. The ransom—which might amount to millions of dollars—is just the beginning. Attacked organizations often need to recover data and restore systems, conduct thorough investigations, and implement additional security measures. They might need to pay regulatory fines, and they could face lawsuits from patients harmed as a result of the attack. Hospitals and other providers could lose revenues from canceled procedures, and face longer-term revenue losses from a damaged reputation. According to a recent IBM report, the average cost of a single breach for a healthcare organization is nearly $11 million.
Meanwhile, ransomware attacks could put patient lives at risk. If patients are unable to communicate with providers, fill prescriptions, have procedures, or receive emergency care, they could suffer immediate consequences to their health.
Preparing for Ransomware Attacks
How can your organization best prevent attacks? First, train your staff members to identify phishing attempts and consistently employ security best practices so they do not inadvertently put your organization at risk. Second, prioritize keeping systems and software patched and up to date to avoid leaving any possible vulnerabilities for hackers.
Make sure you regularly back up data, and keep that data isolated from other systems. If you are attacked, you can reduce the urgent need to pay ransoms for liberating data when you have another complete copy of data available.
Responding to Active Ransomware Infections
Developing an incident response plan, with well-defined roles and responsibilities, is key. To mitigate the damage of a ransomware attack, you need to act fast. As soon as your organization is aware that an attack is occurring, your IT team must isolate infected systems to prevent the spread of malware across your network. Then your team can either failover to redundant systems or—once the threat has been contained—restore systems and data from clean backups.
Meanwhile, you should consult law enforcement and cybersecurity experts. Law enforcement officials can start pursuing attackers and warn other organizations. Cybersecurity experts can help you determine how the attack occurred and start devising plans for addressing vulnerabilities.
Should Ransoms be Paid?
Many healthcare organizations and other businesses are reluctant to pay ransoms. Clearly, the high costs of the ransom are enough to give an organization some pause. But paying a ransom also rewards criminal behavior. If other criminals see that ransomware can be a lucrative racket, they are likely to launch their own attacks.
Governments and law enforcement agencies, such as the FBI, advise against making ransom payments. In November 2023, members of the International Counter Ransomware Initiative—representing 48 countries, the European Union, and Interpol—signed a joint policy statement saying that governments should not pay ransomware extortion demands. The United States was among the signatories, though the U.S. federal government has not outright banned companies from paying ransoms.
Still, many organizations see paying as the fastest way to restore access to data and systems. Healthcare organizations understand the serious impact that disruptions can have on their operations and patient safety. They may be more likely than other types of organizations to simply meet attackers’ demands. Nevertheless, it's never certain that the attackers will follow through with their promise of restoring data once the ransom is paid.
Long-Term Ransomware Defense
As the frequency and complexity of ransomware attacks continue to increase, many healthcare organizations will need to make larger, longer-term changes. They must prioritize cybersecurity, investing in modern IT solutions and new security capabilities—including access controls, network monitoring, and network segmentation. They should also consider hiring dedicated cybersecurity staff and supplementing that staff with outside partners that have access to the latest threat intelligence, tools, and best practices.
Strengthening backup and business continuity strategies will be crucial. With multiple copies of data and means to restore system availability using redundant systems, organizations can minimize disruptions and reduce the need to pay ransoms.
Addressing Ongoing Ransomware Threats
Healthcare organizations will remain a top target for cybercriminals. And ransomware attacks will continue to have the potential to severely disrupt operations and impact patient care. With new variants and tactics constantly emerging, healthcare organizations must start strengthening their cybersecurity strategy now.
Learn how Cloudticity can help your organizationbetter defend against ransomware and other cybersecurity threats. Reach out for a free consultation today.