Ransomware attacks on hospitals are increasing in frequency and severity. Hospitals are faced with significant financial consequences beyond ransom payments. Meanwhile, by blocking access to essential patient data and forcing the shutdown of systems, these attacks directly threaten patient health and safety. Hospitals need to take action now to improve their cybersecurity and prevent future attacks.
The Growing Threat of Ransomware
Ransomware attacks pose a very serious and growing threat to hospitals. Cyber attackers are increasingly targeting hospitals and other healthcare organizations because they know that disrupting critical workflows and holding patient data hostage will compel many organizations to pay exorbitant sums. Attackers also know that stealing patient data could yield additional financial gains if they sell that information to other criminals.
The principle of ransomware is fairly simple: Cyber attackers prevent an organization from accessing its own systems or data. The attackers might also threaten to steal or destroy data. They then demand a ransom (usually in cryptocurrency) to restore access or to halt data theft or destruction.
Hackers have multiple techniques for carrying out attacks. To gain access to the hospital’s IT environment, they might conduct a network intrusion attack or a phishing scheme. Once they have gained access, they execute malware that encrypts sensitive data or locks authorized users out of systems. If the ransom is paid, the attackers provide the encryption key or unlock systems.
Of course, not all attackers make good on their promise: Even if they receive the ransom, they might still carry out their threatened actions. They could sell stolen data, which might contain a full array of personal and financial information from patients.
Numerous hospitals have experienced these attacks. In early 2024, for example, Lurie Children’s Hospital in Chicago suffered a cyberattack that forced the organization to shut down its internet-connected systems—including phones, email, and electronic health record (EHR) systems. The attack may have been a ransomware attack: A post from a ransomware gang advertised a price of approximately $3.4 million to gain exclusive access to the hospital’s data. Like other hospitals that fear damaging their reputation by paying ransoms, Lurie Children’s has not confirmed whether it paid the sum.
Impact on Patient Care
Ransomware attacks can have a direct, immediate, and significant impact on patient health and safety. When hospital staff members are locked out of medical record systems, they might need to cancel appointments, surgeries, and other procedures. Patients might be unable to get the medications they need.
When Ardent Health Services was hit with a ransomware attack in late 2023, the organization was forced to turn away patients. Ardent diverted ambulances and emergency room patients away from some of its 30 hospitals, including Lovelace Health System hospitals, and rescheduled some elective patient procedures. The Ardent attack shows that even large hospital systems can be victims, and those attacks can affect numerous patients.
For those patients, disruptions are more than an inconvenience: Patients can suffer real physical harm when they are unable to receive needed care in a timely manner.
Financial Costs
Hospitals, meanwhile, can suffer significant financial repercussions from a ransomware attack. First, they might need to pay several million dollars in ransom to regain access to systems and data. Refusing to pay could be an option for hospitals that have redundant systems or sufficient data backups, but even those hospitals could still face a range of other financial losses.
Depending on the condition of systems and data once the immediate crisis passes, hospitals might need to spend millions more to remediate damage and rebuild IT systems. They will also need to contact patients whose records were exposed and potentially pay for identity protection services. Many organizations will subsequently invest in additional cybersecurity solutions.
When hospitals cancel procedures or turn away patients because of system outages, they also lose revenue. Revenue losses could persist if patients are slow to reschedule or reluctant to choose services at a hospital following a well-publicized attack.
Finally, hospitals could be subject to significant regulatory fines and legal liabilities. Patients could sue a hospital if records are stolen or if they experience health issues resulting from interrupted care.
Preventing Future Attacks
To prevent attacks and reduce potential damage, many hospitals need to rethink existing security strategies and consider implementing new solutions.
- Employee Cybersecurity Training: Hospitals must educate employees about how to identify and help prevent attacks. Phishing remains a key method for gaining access to hospital systems. Attackers might dupe employees into clicking a link in an email or text, and then enter their credentials into a fake website. Enabling employees to spot and report suspicious requests can help shut down an avenue for attack.
- Strong Endpoint Protection: Ensure that mobile devices and laptops do not become vectors for malware. Implement anti-malware solutions on endpoints and ensure employee devices are protected with a strong password and MFA.
- Network Segmentation: Hospitals should make sure they have adequate network segmentation policies in place, which can help prevent attackers from gaining access to patient records and critical systems even if they manage to log into some apps.
- Access Controls: Hospitals should allow only a limited number of authorized individuals to access certain systems.
- Backups and Incident Response Planning: Hospitals must be able to shut down systems that are being attacked and failover to backup systems, so the business can continue running during security events.
- Security Audits and Penetration Testing: As attacks continue to evolve and IT environments grow, hospitals must be sure that their IT environments continue to remain well guarded.
Role of Law Enforcement
Ransomware attacks are crimes—but law enforcement agencies often have limited capabilities for bringing cyber criminals to justice. In many cases, cyber criminals live in other countries. Even if law enforcement agencies can identify suspects, they might be unable to arrest and extradite them.
However, law enforcement can use tools to thwart attempts at extracting ransom. For example, they can freeze the cryptocurrency accounts linked to known hackers, as Europol did in early 2024. Europol’s recent success not only highlights a successful strategy for foiling attackers; it also shows the value of international cooperation. Law enforcement teams from 10 countries worked together on that case.
Public-Private Partnerships
Hospitals must work with other organizations to stop ransomware and other attacks. They should share intelligence with other hospitals about any threats they detect or experience. And they should partner with technology companies, which can often provide information on emerging threats, new tools, and best practices.
Governments can also help healthcare organizations prevent attacks and mitigate damage—especially those hospitals in rural areas that might have limited resources. U.S. hospitals have recently asked the government for help implementing cybersecurity measures that could prevent hacking.
Following the 2024 attack on UnitedHealth Group’s Change Healthcare electronic clearinghouse, the American Medical Association (AMA) and American Hospital Association (AHA) also urged the government to provide advanced payments to providers, who were otherwise unable to receive payments from insurers. Hospitals asked Congress to loosen statutory constraints that might restrict the flow of funds and to modify regulations that could streamline payment from payers.
The Need for Greater Investment
Whether they receive money from the government or other sources, many hospitals need to step up investment in cybersecurity. Protecting systems from disruptions and safeguarding sensitive patient data must be a top strategic and budgetary priority. Hospitals need to invest in new security solutions, and they need to hire more security specialists. In many cases, hospitals will benefit from partnering with external experts, who can provide the most up-to-date information, tools, and practices, specifically focused on healthcare.
Start Strengthening Security Now
As ransomware attacks on hospitals continue to rise, the time to strengthen security is now. If your organization is attacked, you could face tremendous financial losses and be forced to curtail vital services for patients, putting lives at risk. While preventing a major incident might require a new strategy and new investments, there could be a much greater price to pay for failing to act.
Learn how Cloudticity can help your hospital strengthen your security strategy. Reach out for a free consultation today.
