Ransomware Attacks in Healthcare

Ransomware attacks in healthcare are now a fact of life. Ransomware is one of the most serious threats facing the healthcare industry and electronic Protected Health Information (ePHI) is highly sought after by cybercriminals. Not only is ransomware being used to extort money from healthcare organizations, prior to encryption ePHI is often stolen.

Healthcare organizations have the difficult task of processing huge amounts of sensitive data and ensuring data is stored and transmitted securely, while also satisfying user demands for rapid access in a secure, flexible, and efficient way. Protecting against ransomware attacks in healthcare can therefore be a major challenge.

The healthcare industry has been extensively targeted by ransomware gangs over past years, but the COVID-19 pandemic has triggered a major increase in attacks. While some threat actors have said they will not attack healthcare organizations on the frontline in the fight against COVID-19, they are few in number. Many other gangs have increased their attacks, and are hitting healthcare providers, testing facilities, and medical research firms hard. The ransomware payload is delivered via phishing and spear phishing campaigns, attacks on Remote Desktop Protocol (RDP) endpoints, and the exploitation of vulnerabilities in operating systems, VPNs, and other software.

The threat was so great that Interpol released an urgent briefing advising all healthcare providers around the globe to be on high alert as the industry was being extensively targeted. Microsoft has also issued warnings following the increase in manual ransomware attacks, and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the HHS, and the Federal Bureau of Investigation have all issued guidance.

In 2019, Emsisoft estimated 764 healthcare providers in the United States were impacted by ransomware and, since 2016, the HHS estimates at least $160 million has been spent recovering from ransomware attacks. The impact of an attack can be severe, and not just financially. A healthcare ransomware attack can place human lives at risk and almost certainly disrupts day-to-day healthcare business operations.

Ransomware Attacks in Healthcare Often Involve Data Theft

In the past, ransomware attacks in healthcare were most commonly delivered via mass spam email campaigns. These campaigns aimed to infect as many organizations as possible and typically used a smash-and-grab approach. The campaigns were largely automated, and during the deployment of the ransomware payload, attackers tended not to access networks or steal data.

Over the past couple of years there has been a marked change in tactics, techniques, and procedures. It is now more common for cybercriminals to deploy ransomware payloads several months after gaining network access. These manual attacks see attackers gain access to a system, move laterally and compromise the entire network, steal sensitive data, and only then deploy the ransomware payload.

The threat actors behind the ransomware variants Maze, REvil (Sodinokibi), NetWalker, Lockbit, Nefilim, Sekhmet, and others are now using this tactic. When the ransom demand is issued – which tends to be far higher in value than automated ransomware attacks – a threat is made to publish the stolen data to encourage victims to pay. What we are now seeing is threat actors monetizing data and auctioning it off to the highest bidder if the ransom payment is not made. There have even been cases in which patients whose data has been stolen have been issued with ransom demands and threats to publish their health data if they do not pay up.

Cost of a Healthcare Ransomware Attack

In February, Comparitech published an analysis of 172 ransomware attacks in healthcare that had been reported in the past three years. In total, these attacks had affected at least 1,446 healthcare clinics and hospitals, and exposed the personal and protected health information of more than 6.6 million patients.

The ransom demands in those attacks ranged from $1,600 to $14 million. Many healthcare organizations decided not to pay and either recovered files from backups or accepted data loss. Even when a ransom is paid, it only represents a fraction of the total cost of an attack. The downtime from an attack can be several days – or weeks, or months – and an attack can have a major impact on reputations or cause long-term brand damage.

In addition to the ransom or cost of recovering data, consultants and forensic investigators need to be hired, patients must be notified, credit monitoring and identity theft protection services offered, and significant investment in new security measures is often required.

Healthcare organizations can also face class action lawsuits over ransomware attacks and financial penalties if HIPAA violations are discovered by regulators during an investigation into the attack. Comparitech calculated the cost of the 172 attacks to be in the region of $157,896,000 to $240,800,000.

Healthcare Ransomware Attacks Can be Catastrophic

Healthcare ransomware attacks can have a huge financial impact and cause major disruption to the business; so much so that recovery may not even be possible. In 2019, two ransomware attacks on healthcare providers proved to be too much and the organizations took the decision to permanently close their doors.

Wood Ranch Medical in Simi Valley, CA, experienced a ransomware attack in August 2019. The practice had backed up records locally, but the backups too were encrypted – preventing file recovery. Since there was no guarantee that payment of the ransom would allow the practice to recover the encrypted files, the decision was taken to wind down the business, which permanently closed its doors in December 2019.

Earlier in the year, another healthcare provider was forced to close. Brookside ENT and Hearing Center in Battle Creek experienced an attack in which patient data was stolen. When the practice owners refused to pay the ransom, the attackers permanently deleted the stolen data. The cost and time of rebuilding the practice from scratch was simply too much, and the practice owners decided to permanently close.

In these and several other ransomware attacks, patient data was permanently lost. Anyone who had not obtained a copy of their records prior to the attack will have lost a major part of their health history. These attacks also have a major impact on patient safety. A study conducted by researchers at the Owen Graduate School of Management at Vanderbilt University delved into the impact ransomware attacks had on patient mortality rates. They found hospitals had experienced up to 36 more deaths per 10,000 heart attacks following a data breach such as a ransomware attack, with electrocardiograms for heart attack patients delayed by an average of 2.7 minutes after such an attack.

HIPAA Compliance Can Help Protect Against Ransomware Attacks

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires healthcare organizations, their business associates, and subcontractors to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI. Technical safeguards will improve resilience to attacks by making it harder to breach perimeter defenses. Risk analyses are required to identify all threats and vulnerabilities to networks and ePHI, and identified risks must then be managed and reduced to an acceptable level.

HIPAA requires encryption for stored data, or alternative and equivalent measures to prevent unauthorized data access. Encrypting patient data will help to ensure it cannot be monetized by hackers in the event of a manual ransomware attack. HIPAA also calls for data to be backed up to ensure ePHI is always available, even in the event of a ransomware attack.

The safeguards demanded by HIPAA will help improve resilience to healthcare ransomware attacks and will also ensure recovery is possible without having to resort to paying a ransom.

HIPAA Compliant Hosting and Ransomware Prevention and Recovery

One of the quickest and most effective ways to defend against ransomware is to partner with a reputable cloud hosting provider, ensuring that the provider is both HIPAA compliant and HITECH approved. HIPAA compliant hosting companies have invested millions of dollars designing and creating cloud platforms that are reliable, resilient, and heavily focused on healthcare compliance.

Dedicated and shared platforms are available; and, importantly, they give the peace of mind that the service being onboarded is already compliant with the technical, physical, and administrative safeguards required by the U.S. Department of Health and Human Services (HHS).

Choosing a HIPAA compliant hosting provider may not guarantee ransomware protection, but it does create a protective environment that makes ransomware attacks less likely to occur and will prevent a HIPAA breach in the event of an attack. Since data is encrypted, any attempted data theft will not give attackers access to exploitable ePHI. As a result, the attack may not be reportable, as the attackers would only be able to access encrypted data.

Additional protections are put in place that protect operating systems, hardware, and storage. Those measures include the capability to failover technical services to a secondary location; so that, in the event of a damaging ransomware event, business can continue as usual and engineers will be able to rebuild infected servers in the shortest possible timeframe.

Disaster Recovery and Business Continuity Planning Accelerates Recovery

Hosting providers implement multiple layers of technology to protect against ransomware, and software-defined security is implemented to protect ePHI. This includes access controls such as file permissions, group policies, Active Directory user accounts, group memberships, user restrictions, and limiting elevated admin accounts. Everything associated with password policies and authentication should be reviewed. Introducing detailed logging of all access requests and user activities is mandatory.

Implementing a robust backup strategy will give healthcare organizations a fallback option in the event a server or network is compromised. In nearly all ransomware attacks, data stored on an infected server must be recovered from a backup, as decryption keys are not always provided by cybercriminals after a ransom has been paid. Backups are the only way of recovering data in the event of an attack unless a ransom demand is paid, and paying a ransom is no guarantee valid decryption keys will be provided.

A planned strategy for disaster recovery and business continuity can be implemented to specifically cover a ransomware attack. Disaster recovery is a technical solution that enables healthcare organizations to failover core business services to an alternative location. Typically, that location is on servers in another data center or in the public cloud.

Restoring multiple systems from backups can be a slow process. Disaster Recovery as a Service (DRaaS) can potentially get healthcare teams back up and running in a matter of minutes, providing healthcare professionals with the platform they need while technical teams restore the primary site from backups.

Protect the Network

The network is the ecosystem that connects all healthcare devices and it is possible to add protective measures to help prevent network ransomware attacks. Threat protection software can be deployed to scan the network for threats, inbound and outbound emails can be monitored, web URLs can be intelligently checked for phishing, and downloads can be automatically scanned for viruses, rootkits, ransomware, and malicious code.

Physical protection measures can also protect against network ransomware attacks by limiting who has access to physical servers. Protections are in place at cloud hosting providers’ monitored data centers and similar measures should be applied on-premises – such as locking all server rooms and cabinets. This approach helps guarantee malicious insiders such as disgruntled employees cannot install malicious code or change security settings.

Using a site-to-site VPN will allow remote workers to connect to data centers and resources securely. A VPN allows secure access to the network, and all traffic is encrypted and encapsulated using TLS cipher suites.

Many ransomware attacks in healthcare start with a phishing email, so it is essential for an advanced spam filtering solution to be implemented that is capable of detecting malicious code, known malware, and zero-day threats. Signature based detection methods will detect known ransomware variants, while machine learning and sandboxing can help to identify previously unseen threats. Rules should also be set to block malicious macro activity in weaponized Microsoft Office files, which are often delivered via email.

Manual ransomware attacks in healthcare often start with an attack on RDP endpoints – Remote Desktop Protocol is a legitimate tool used for remote access. RDP endpoints should be locked down and protected with strong passwords, multifactor authentication, and Network Level Authentication. RDP access should only be possible over a VPN, and access to listening ports should be limited using firewalls. If RDP access is not essential, RDP ports should be blocked.

Drive-by malware attacks are also common. Malicious websites are created for the purpose of malware distribution and legitimate websites are hacked and used to host malicious code. A web filtering solution will provide protection against drive-by downloads by blocking access to known malicious websites.

Exploitation of vulnerabilities is also common, so it is essential for vulnerability scans to be performed regularly in order to identify potential weaknesses, and for patches and software updates to be implemented as soon as they are released.

Networks should also be monitored for signs of a potential compromise. Ransomware gangs often gain access to networks several weeks or months before ransomware is deployed, during which time they conduct reconnaissance and steal data. Closely monitoring the network for suspicious activity will help identify and block an attack in progress before files are encrypted.
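The RDP lockdown and network-monitoring advice above can be checked against the logs an organization already collects. The following is an added example, not code from the original article: it scans Windows Security logon events for bursts of failed RDP logons from one source address (event 4625, logon type 10) and notes when a successful RDP logon (event 4624) follows from the same address, which is the "attacker gains access" step the article describes. The pipe-delimited line format and all sample lines are constructed for this example; a real deployment would read the same fields from an EVTX export or SIEM.

```python
"""Flag RDP brute-force bursts in Windows Security logon events.

Constructed sample data: lines are 'timestamp|event_id|logon_type|account|source_ip',
a simplified export layout assumed for this example (not the native EVTX format).
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2020-05-01T02:00:01|4625|10|administrator|203.0.113.5
2020-05-01T02:00:03|4625|10|admin|203.0.113.5
2020-05-01T02:00:04|4625|10|backup|203.0.113.5
2020-05-01T02:00:06|4625|10|scanner|203.0.113.5
2020-05-01T02:00:07|4625|10|jsmith|203.0.113.5
2020-05-01T02:00:09|4625|10|jsmith|203.0.113.5
2020-05-01T02:01:30|4624|10|jsmith|203.0.113.5
2020-05-01T08:15:00|4625|10|mjones|198.51.100.7
2020-05-01T08:15:40|4624|10|mjones|198.51.100.7
2020-05-01T09:00:00|4625|2|rlee|10.0.0.4
"""


def parse_line(line):
    """Split one constructed log line into a typed event record."""
    ts, event_id, logon_type, account, src_ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "src_ip": src_ip}


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for sources with >= threshold failed RDP logons in a
    sliding window; 'success_after' records the first account that later logged
    in successfully over RDP from that source (a likely compromised credential)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    failures = defaultdict(deque)  # src_ip -> (timestamp, account) within window
    alerts = {}
    for ev in events:
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            q = failures[ip]
            q.append((ev["ts"], ev["account"]))
            while ev["ts"] - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(q), "first_seen": q[0][0],
                              "accounts": sorted({a for _, a in q}),  # spraying indicator
                              "success_after": None}
        elif ev["event_id"] == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = ev["account"]
    return alerts


if __name__ == "__main__":
    for ip, alert in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

A single failed logon followed by success (198.51.100.7) and a console logon failure (logon type 2) are ignored; only the five-account burst from 203.0.113.5, followed by a successful logon as jsmith, is raised.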

Improve Resilience to Ransomware Attacks in Healthcare with Security Awareness Training

Technology can only protect against technical vulnerabilities. The security of a healthcare organization is only as good as the first line of defense – employees. Restricting user permissions to install and run unsanctioned software programs and applications will only offer limited help.

Staff training is the most important safeguard to protect against ransomware. Employees are frequently targeted with social engineering traps like phishing. An employee may inadvertently click on a fake email which will download a ransomware payload. Staff training is essential, as not all employees are computer experts. Through training, employees can be empowered to assist in the defense of their organization from hackers and will learn how to recognize phishing and other email-based threats.

The workforce must receive training on how to use remote working facilities and be taught remote working best practices. This may include training on cloud servers, HIPAA compliant collaboration tools, and bespoke applications hosted on-premises.

Training will help to prevent email-based attacks from succeeding, and teaching cybersecurity best practices will help to eradicate risky practices that could potentially result in a ransomware download. Training will not prevent all ransomware attacks in healthcare, but it will improve defenses against one of the most commonly used attack vectors.
To conclude, there are several measures healthcare organizations can take to prevent ransomware attacks. Ensuring devices have adequate antivirus and antimalware software, and that laptops and servers containing ePHI are encrypted is essential. All network traffic should be encrypted in transit, and employees must be trained regularly.

Implementing the safeguards discussed in this article will put healthcare organizations in the best possible standing to withstand and repel ransomware attacks. Hackers will always target weak security and public-facing infrastructure. Utilizing HIPAA compliant cloud services from an experienced provider will help you create a secure network that is extremely difficult for threat actors to breach.

Recent Ransomware Attacks in Healthcare

Listed below are some of the ransomware attacks in healthcare that have been covered by HIPAA Journal since 2016. In some cases, such as when a ransomware attack is experienced by a business associate, dozens or even hundreds of healthcare organizations are affected.

As previously mentioned, at least 764 healthcare organizations suffered ransomware attacks in 2019, so this list is far from exhaustive; but it does highlight the extent to which the healthcare industry has been targeted with ransomware.

2020 Healthcare Ransomware Attacks

2019 Healthcare Ransomware Attacks

2018 Healthcare Ransomware Attacks

2017 Healthcare Ransomware Attacks

  • Wager Evans Dental
  • Columbus Surgery Center, LLC and Eye Physicians P.C.
  • Hackensack Sleep and Pulmonary Center
  • East Central Kansas Area Agency on Aging
  • Arkansas Oral Facial Surgery Center
  • FirstHealth of the Carolinas
  • Salina Family Healthcare
  • St. Mark’s Surgical Center
  • Erie County Medical Center
  • Cove Family and Sports Medicine and Krichev Family Medicine
  • Namaste Health Care
  • Medical Oncology Hematology Consultants
  • Los Angeles Pacific Alliance Medical Center
  • Highmark BlueCross BlueShield of Delaware
  • CCRM Minneapolis, P.C.
  • Northwest Rheumatology of Tucson
  • Plastic Surgery Associates of South Dakota
  • Women’s Health Care Group of Pennsylvania
  • Seton Healthcare Family Hospital Network
  • Brandywine Pediatrics, P.A.
  • WellCare
  • Peachtree Neurological Clinic
  • VHS-ICM Employee Health and Wellness
  • GI Care for Kids Endoscopy Center
  • Cleveland Medical Associates
  • Heritage Valley Health System
  • Princeton Community Hospital
  • Family Tree Health Clinic
  • Airway Oxygen Inc
  • Dallas Senior Living Community, Walnut Place
  • Greenway Health
  • Atlantic Digestive Specialists
  • Cardiology Center of Acadiana
  • Ashland Women’s Health
  • ABCD Pediatrics
  • Estill County Chiropractic
  • Urology Austin
  • Metropolitan Urology Group
  • The Susan M. Hughes Center

2016 Healthcare Ransomware Attacks

In July 2016, the HHS’ Office for Civil Rights confirmed that ransomware attacks are usually reportable data breaches. Prior to the guidance being issued, many healthcare organizations were not reporting ransomware attacks to the HHS, nor were patients being notified in many cases.