Ransomware in Healthcare

Since we’re going to be breaking down the ransomware threat, there’s one topic I want to make sure we cover up front, which is ransomware in healthcare since I have some pretty strong opinions on the matter.

Let’s put this in black and white right here – ransomware is a crime, and the perpetrators are criminals.  The outcome they are looking for is, of course, a ransom paid.

Now let’s put our thinking hats on for a second and think about where IT systems are critically important.  There are lots of places, right?  I mean, there are tons of companies all over the place that make lots of money.

What about an online travel booking company?  People can’t book travel if they are down and they will lose money, and what about their reputation?  Would people ever visit that website again if it was down when they wanted to use it?

While of course it is horrible for that to happen to any business, there’s one thing that is more horrible.

The loss of human life, which can happen when the healthcare sector is a target.

Why is healthcare a target for cybercriminals?

Healthcare organizations are a target for cybercriminals since they are likely to pay the ransom quickly.  If a hospital is hit by a ransomware attack, lives are at risk.  I don’t know if you have had the pleasure of visiting a hospital lately, but everything is computerized these days.

Medical devices are connected to the network to record data to patient charts.  Doctors and nurses have specialized mobile devices to communicate and access records.  Just about everything from patient charts to medication dispensing systems to operating rooms, everything is connected these days.

If you’re looking for a surprisingly decent depiction of this in action, there was an episode of Grey’s Anatomy featuring ransomware that was quite good.

How has ransomware been used to attack hospitals?

While I love a good episode of Grey’s, unfortunately this has also happened in real life, many, many times.  One such attack was on the University of Vermont Medical Center.  This attack took well over 30 days to recover from, when staff had been trained for 3-5 day outages.

One interesting note on this attack is that no ransom was paid, and the medical center did not communicate with the attackers; instead, they called the FBI.

Ryuk ransomware has also been known to target hospitals, with large scale attacks against US hospitals in 2020.  We’re definitely going to be covering Ryuk more in depth so stay tuned to that one.

Why are hospitals vulnerable to ransomware?

Look, we know everyone is vulnerable to ransomware, but if you’ve never worked in a healthcare setting (or spent time in one observing things), here are some things that are pretty common.

  • Really old systems, because they work.  Who knows when they were last patched.
  • Really old operating systems on the old systems, because, well, they work and there’s a ton of them.
  • Staff and budget shortages in IT.  It’s a healthcare company, in most cases IT is seen as a cost center, not as an innovative partner.
  • Data retention policies.  Healthcare is a highly regulated industry which means there are a ton of compliance regulations that have to be met, and meeting them isn’t cheap.

Those are just a few things that make healthcare different from some other industries, although as we mentioned, everyone is vulnerable to ransomware.

What can healthcare organizations do to protect themselves from ransomware?

Advice for healthcare isn’t that different from advice for most organizations, but keep in mind that personal health information is a huge target for hackers.  Ransom demands and ransom payments are usually high here, because of the data exfiltration aspect of a ransomware attack.

Good security hygiene (my favorite basic thing to implement is always the Principle of Least Privilege) is a must in any environment, but especially healthcare due to the sensitive data.

If an account is compromised, it had better not have access to patient data if it isn’t supposed to, or that could lead to a disastrous outcome.

Entire organizations need to be trained in security awareness, and every hospital or healthcare organization should have a Chief Information Security Officer to make sure this happens.

Phishing emails are one of the most common ways for attackers to get in.  There’s a good chance that a frazzled healthcare worker just might click if they don’t know any better; there’s a good chance anyone would.  Adequate security awareness is a must everywhere, but we know that this environment is high stress to begin with, and stressed humans make mistakes.

Hospital networks are an easy target for ransomware actors; many expect a payday merely for getting in the door, and in many cases that is exactly what happens.  That’s why it is important to have not only security software in place to help detect the bad actors once they are inside, but also a solid ransomware recovery strategy to recover from the attack.

In 2021, the healthcare sector fell victim to more attacks than any other industry according to the FBI, which is of course not surprising.  It is now more critical than ever for healthcare organizations to put good security and recovery practices into place.