Ransomware attacks on hospitals are increasing in frequency and severity. Hospitals are faced with significant financial consequences beyond ransom payments. Meanwhile, by blocking access to essential patient data and forcing the shutdown of systems, these attacks directly threaten patient health and safety. Hospitals need to take action now to improve their cybersecurity and prevent future attacks.
Ransomware attacks pose a very serious and growing threat to hospitals. Cyber attackers are increasingly targeting hospitals and other healthcare organizations because they know that disrupting critical workflows and holding patient data hostage will compel many organizations to pay exorbitant sums. Attackers also know that stealing patient data could yield additional financial gains if they sell that information to other criminals.
The principle of ransomware is fairly simple: Cyber attackers prevent an organization from accessing its own systems or data. The attackers might also threaten to steal or destroy data. They then demand a ransom (usually in cryptocurrency) to restore access or to halt data theft or destruction.
Hackers have multiple techniques for carrying out attacks. To gain access to the hospital’s IT environment, they might conduct a network intrusion attack or a phishing scheme. Once they have gained access, they execute malware that encrypts sensitive data or locks authorized users out of systems. If the ransom is paid, the attackers provide the encryption key or unlock systems.
Of course, not all attackers make good on their promise: Even if they receive the ransom, they might still carry out their threatened actions. They could sell stolen data, which might contain a full array of personal and financial information from patients.
Numerous hospitals have experienced these attacks. In early 2024, for example, Lurie Children’s Hospital in Chicago suffered a cyberattack that forced the organization to shut down its internet-connected systems—including phones, email, and electronic health record (EHR) systems. The attack may have been a ransomware attack: A post from a ransomware gang advertised a price of approximately $3.4 million to gain exclusive access to the hospital’s data. Like other hospitals that fear damaging their reputation by paying ransoms, Lurie Children’s has not confirmed whether it paid the sum.
Ransomware attacks can have a direct, immediate, and significant impact on patient health and safety. When hospital staff members are locked out of medical record systems, they might need to cancel appointments, surgeries, and other procedures. Patients might be unable to get the medications they need.
When Ardent Health Services was hit with a ransomware attack in late 2023, the organization was forced to turn away patients. Ardent diverted ambulances and emergency room patients away from some of its 30 hospitals, including Lovelace Health System hospitals, and rescheduled some elective patient procedures. The Ardent attack shows that even large hospital systems can be victims, and those attacks can affect numerous patients.
For those patients, disruptions are more than an inconvenience: Patients can suffer real physical harm when they are unable to receive needed care in a timely manner.
Hospitals, meanwhile, can suffer significant financial repercussions from a ransomware attack. First, they might need to pay several million dollars in ransom to regain access to systems and data. Refusing to pay could be an option for hospitals that have redundant systems or sufficient data backups, but even those hospitals could still face a range of other financial losses.
Depending on the condition of systems and data once the immediate crisis passes, hospitals might need to spend millions more to remediate damage and rebuild IT systems. They will also need to contact patients whose records were exposed and potentially pay for identity protection services. Many organizations will subsequently invest in additional cybersecurity solutions.
When hospitals cancel procedures or turn away patients because of system outages, they also lose revenue. Revenue losses could persist if patients are slow to reschedule or reluctant to choose services at a hospital following a well-publicized attack.
Finally, hospitals could be subject to significant regulatory fines and legal liabilities. Patients could sue a hospital if records are stolen or if they experience health issues resulting from interrupted care.
To prevent attacks and reduce potential damage, many hospitals need to rethink existing security strategies and consider implementing new solutions.
Ransomware attacks are crimes—but law enforcement agencies often have limited capabilities for bringing cyber criminals to justice. In many cases, cyber criminals live in other countries. Even if law enforcement agencies can identify suspects, they might be unable to arrest and extradite them.
However, law enforcement can use tools to thwart attempts at extracting ransom. For example, they can freeze the cryptocurrency accounts linked to known hackers, as Europol did in early 2024. Europol’s recent success not only highlights an effective strategy for foiling attackers; it also shows the value of international cooperation. Law enforcement teams from 10 countries worked together on that case.
Hospitals must work with other organizations to stop ransomware and other attacks. They should share intelligence with other hospitals about any threats they detect or experience. And they should partner with technology companies, which can often provide information on emerging threats, new tools, and best practices.
Governments can also help healthcare organizations prevent attacks and mitigate damage—especially those hospitals in rural areas that might have limited resources. U.S. hospitals have recently asked the government for help implementing cybersecurity measures that could prevent hacking.
Following the 2024 attack on UnitedHealth Group’s Change Healthcare electronic clearinghouse, the American Medical Association (AMA) and American Hospital Association (AHA) also urged the government to provide advanced payments to providers, who were otherwise unable to receive payments from insurers. Hospitals asked Congress to loosen statutory constraints that might restrict the flow of funds and to modify regulations in ways that could streamline payment from payers.
Whether they receive money from the government or other sources, many hospitals need to step up investment in cybersecurity. Protecting systems from disruptions and safeguarding sensitive patient data must be a top strategic and budgetary priority. Hospitals need to invest in new security solutions, and they need to hire more security specialists. In many cases, hospitals will benefit from partnering with external experts, who can provide the most up-to-date information, tools, and practices focused specifically on healthcare.
As ransomware attacks on hospitals continue to rise, the time to strengthen security is now. If your organization is attacked, you could face tremendous financial losses and be forced to curtail vital services for patients, putting lives at risk. While preventing a major incident might require a new strategy and new investments, there could be a much greater price to pay for failing to act.