Ransomware in Healthcare: Understanding the Growing Global Cybersecurity Threat
Ransomware is a malicious software that infects a computer and destroys data using complex encryption algorithms. As a result, the encrypted data is lost and attackers demand a ransom to return the data, but without offering guarantees.
Cybercriminals can target various organizations, and the healthcare industry is no exception. This blog post covers cyberattacks in healthcare, the destructive nature of ransomware and how to protect data against it.
Why Ransomware Targets Healthcare Institutions
Ransomware targets healthcare organizations because of the nature of the data they manage and store. Modern hospitals, clinics, laboratories and other healthcare organizations intensively use digital systems to conduct diagnostics, store health records and perform health evaluations. Medical professionals need to access these systems for essential, sometimes lifesaving, operations.
Cybercriminals believe that by targeting healthcare organizations and making data unavailable due to ransomware, the victims have no choice but to pay the ransom to quickly regain access to their data. The stakes are high and patients may die without medical help when digital systems in a hospital do not work.
Health records are valuable data for criminals because they include personal information such as addresses, phone numbers, email addresses, other personal identifiers, insurance information and medical history. Attackers can steal this data before destroying it to use it in personalized attacks. Research and development information (such as vaccine or new remedy development) is also valuable and the cost of losing it can be too high.
In addition, most healthcare organizations allocate the majority of their budgets to medical equipment, and cybersecurity has a lower priority. Additional investments are needed to ensure better cybersecurity and prevent hackers from exploiting existing vulnerabilities to run healthcare cyberattacks.
Moreover, organizations in the healthcare industry are under pressure from regulatory institutions that impose fines for non-compliance. Attackers presume that this financial factor may help them obtain ransomware payments from their victims.
Recent Ransomware Attacks in Healthcare: Global Examples
Below you can see global examples of ransomware attacks on healthcare organizations.
Change Healthcare (February 2024). A ransomware attack by the ALPHV/BlackCat group disrupted claims processing and payment systems, affecting a significant portion of the U.S. healthcare system. The breach exposed sensitive data of potentially a third of all U.S. citizens and incurred costs exceeding $1 billion.
Ascension Healthcare (May 2024). One of the largest nonprofit health systems in the USA, Ascension, faced a ransomware attack that disrupted electronic health records and diagnostic services across its 120 hospitals. The incident led to delays in patient care and significant financial losses.
Rite Aid (June 2024). The pharmacy chain suffered a data breach that compromised the personal information of approximately 2.2 million individuals, including names, addresses and driver’s license numbers. The RansomHub group claimed responsibility. Lawsuits and financial losses are the main negative consequences of this attack.
Synnovis (June 2024). A healthcare ransomware attack by the Qilin group targeted Synnovis, a pathology service provider for the National Health Service (NHS) in the United Kingdom. The ransomware encrypted the organization’s critical data. The breach led to the cancellation of over 1,100 operations and the exposure of nearly 400 GB of sensitive healthcare data, resulting in financial losses of about £32.7 million.
Alder Hey Children’s Hospital (November 2024). The INC Ransom group claimed to have stolen data from the hospital in the United Kingdom, including patient records and procurement information. The hospital is investigating the breach with the National Crime Agency.
MediSecure (Nov 2023). An attack on this electronic prescription provider in Australia exposed the personal and health information of approximately 12.9 million individuals. The breach went undetected until May 2024 and led to MediSecure entering voluntary administration.
University Hospital Center Zagreb (June 2024). The LockBit ransomware group attacked Croatia’s largest medical facility, disrupting operations due to unavailable data and computer systems. The group claimed to have exfiltrated a large number of files, including medical records.
As you can see, ransomware can:
- Encrypt/destroy data and make digital systems unusable.
- Steal data silently.
The Cost of Ransomware in Healthcare
The number of ransomware attacks worldwide increases year by year. In 2024, ransomware groups declared they successfully made 5,461 ransomware attacks, and the attacked organizations confirmed 1,204 ransomware attacks. The majority of attacks were conducted against institutions in Europe and North America. The average ransom demand in 2024 was $3.5 million, and the amount of registered payments to cybercriminals was about $133.5 million.
As for healthcare ransomware attacks, there were 181 confirmed attacks in 2024. According to The HIPAA Journal, the average ransom demand was $5.7 million. Cyber Insurance News reported that 67% of healthcare organizations were targeted by ransomware compared to 60% in 2023.
65% of organizations working in the healthcare sector reported that ransom demands exceeded $1 million, and 35% faced demands of over $5 million. Recovery costs after a ransomware attack also increased: $2.57 million in 2024, up from $2.2 million in 2023 and doubling since 2021.
Common Ransomware Vectors in Medical Environments
It is important to know the common vectors of ransomware attacks in medical environments. This information can help reduce risks and mitigate issues. Most methods are identical to the general approaches used by cybercriminals.
Phishing emails are the most common method of starting ransomware attacks against healthcare organizations. Malicious attachments, Microsoft Office documents with malicious macros and links to malicious websites are widely used to install ransomware in healthcare institutions using end-users’ computers. These emails often impersonate vendors, administrators or even internal departments. Attackers use social engineering practices to induce urgency and create an entry point.
Remote desktop vulnerabilities are another widely used method to infect computers with ransomware. Cyber-criminals exploit vulnerabilities in remote desktop protocols and software to start their attacks. Improper configuration of remote desktop services and weak passwords and security settings can open the way for ransomware in healthcare organizations. Attackers scan for open RDP ports, use brute force or stolen credentials and gain direct access to systems.
Software vulnerabilities. Attackers can use software vulnerabilities in operating systems, applications and other software. Special medical software may have known vulnerabilities and attackers can use them to install ransomware on machines, spread ransomware and destroy data. Zero-day vulnerabilities are the most dangerous, and they are new and unknown to vendors but are used by hackers.
Infected USB drives. A malicious actor can insert an infected USB flash drive into a computer’s USB port in an accessible location inside a medical organization. This can infect a computer with ransomware and spread it over the organization’s network.
Authentication. Weak passwords and stolen credentials are used to log into a system and install ransomware. Cybercriminals can use data from previous breaches to access computers and networks.
Best Practices to Prevent Ransomware in Healthcare
Implement the best practices below to protect your data and prevent ransomware in healthcare organizations. Ransomware protection measures require a multilayered approach:
- Strengthen email security. Configure spam filters and email protection systems to reduce phishing attempts. Educate users to recognize suspicious emails and links. Users should report them to administrators. You can use sandboxes for email attachments.
- Use updated antivirus software. Install the antivirus from an authoritative vendor. Antivirus and antimalware software can detect ransomware quickly and delete malicious files to avoid infection. Modern antivirus systems can analyze suspicious activity in an operating and file system, which can be signs of ransomware. Intrusion prevention systems improve the overall ransomware protection level.
- Install security patches to fix software vulnerabilities. Don’t forget to install security patches on operating systems, Electronic Health Record platforms, PACS/RIS systems and medical devices.
- Ensure network security. Configure the firewall and close unused ports to reduce the surface for potential attacks. Isolate networks to limit ransomware spread in case of infection. Segment networks to isolate medical devices, admin systems and public Wi-Fi. Make sure you configure monitoring for network, disk and processor usage since ransomware usually causes a high load on the network to encrypt data.
- Implement an effective security policy. Configure strong access controls with proper access rights, strong passwords and authentication methods (especially for email). Configure multifactor authentication for critical systems. Consider applying role-based access and the principle of least privilege.
- Educate users. Conduct cybersecurity training tailored to healthcare scenarios. Tell users about the main healthcare ransomware vectors and the first signs of an infection. Users must disconnect an infected computer or any computer with suspicious behavior from the network and shut it down to prevent ransomware from spreading and encrypting data. Use regular phishing tests for users to reinforce vigilance.
- Back up data regularly. Perform regular backups by configuring scheduled and automated backups with specific intervals. Use the 3-2-1 backup rule to store multiple backups in different locations. If ransomware destroys one data copy, you have more chances to restore your data from another healthy copy. Use air-gapped storage, such as hard disk drives disconnected from the source or tape cartridges, since ransomware cannot physically access disconnected media. Configuring backup immutability improves ransomware protection because ransomware cannot modify immutable data.
- Create a recovery plan. Create an incident response plan and a disaster recovery plan. A ransomware response plan should include contact lists, legal and regulatory protocols (e.g., HIPAA breach reporting), recovery and communication strategies.
- Don’t pay the ransom to cyber-criminals. Paying the ransom inspires ransomware creators to launch more attacks to get more money. In case of a ransomware infection, it is recommended that you don’t pay the attackers. Organizations that pay a ransom have no guarantee that the encrypted data will be restored or that stolen data will not be transferred to other persons.
The Role of Backup and Disaster Recovery in Ransomware Defense
Backup and disaster recovery play a critical role in defending against ransomware in healthcare by ensuring that organizations can recover operations and data without paying a ransom. If preventive measures failed to protect the original data against ransomware, you can recover data from a backup.
- Data recovery without paying a ransom. The primary defense against ransomware is the ability to restore clean data from a backup if the original data copy is corrupted. With verified and isolated backups, healthcare organizations can avoid paying attackers and resume services with minimal loss.
- Data protection if ransomware encrypts data. Ransomware encrypts (corrupts) or deletes data. With a data protection solution, healthcare organizations can recover data, including electronic health records, imaging data (PACS), scheduling and billing systems.
- Ensuring business continuity. You can recover data and restore service availability in a short time. This is the fastest method to recover data after a ransomware infection. As a result, you can minimize downtime and financial loss. Every minute of downtime in healthcare can have severe consequences, such as patient care delays, legal/regulatory penalties and reputational damage.
It is important to choose a reliable data protection solution that allows you to implement the best practices to protect against ransomware attacks and allows for fast recovery.
Regulatory Compliance and Data Protection in Healthcare
Regulatory compliance and data protection in healthcare are essential to ensuring patient safety, maintaining trust and avoiding legal and financial penalties. These regulations govern how data is collected, stored, accessed and protected, especially against cybersecurity threats in healthcare like ransomware.
Regulatory compliance matters in healthcare because:
- Healthcare organizations handle protected health information, which includes diagnoses, treatments, medical history and billing information.
- Breaches can lead to patient harm, identity theft and loss of public trust.
- Failure to comply can result in fines, legal action and licensing penalties.
Key healthcare data protection regulations are:
- HIPAA (Health Insurance Portability and Accountability Act) – USA.
- Focus: Protection of protected health information.
- Privacy rule: Regulates access and use of protected health information.
- Security rule: Requires technical, administrative and physical protection.
- Breach notification rule: Mandates timely breach disclosure.
- Penalties: Up to $1.9 million per violation per year.
- GDPR (General Data Protection Regulation) – EU/EEA.
- Focus: Personal data protection, including health data.
- Key Provisions: Informed consent for data use, right to be forgotten, data minimization and encryption.
- Penalties: Up to €20 million or 4% of global annual turnover.
- PIPEDA (Personal Information Protection and Electronic Documents Act)
- Covers how private-sector healthcare providers handle patient data.
- Requires transparency, consent and breach reporting.
- Other notable regulations:
- Australia: My Health Records Act, Privacy Act.
- India: Digital Personal Data Protection Act (DPDP), DISHA (proposed).
- Singapore: Personal Data Protection Act (PDPA).
Regulation and compliance requirements impact core data protection principles in healthcare:
- Confidentiality:
- Only authorized personnel should access PHI.
- Use of role-based access controls and encryption.
- Integrity:
- Ensure PHI is accurate and unaltered.
- Log all access and changes.
- Availability:
- Systems must be resilient and maintain uptime, especially for critical care (EHR, PACS).
- Supported by backups and disaster recovery.
These factors and compliance requirements impact the protection strategy against ransomware in healthcare organizations, including data protection.
Conclusion
Ransomware in healthcare is especially dangerous since it can impact patient health. As the number of ransomware attacks increases, it is highly recommended that healthcare organizations implement preventive measures to protect data. Backup and disaster recovery are essential and help recover data quickly without paying a ransom. Use NAKIVO Backup & Replication to protect data against ransomware with advanced features, including backup immutability, encryption and Site Recovery.
