Healthcare Under Siege: Defending Hospitals from Ransomware Threats

Hospitals today are very concerned about ransomware attacks - and rightly so. A recent research report from Comparitech, Ransomware Roundup: 2024 End-of-Year Report (published on January 9th, 2025) found:

• 181 confirmed (and counting) ransomware attacks in the healthcare sector in 2024.
• 25.6 million healthcare records were affected.
• The average ransom demand in the healthcare sector was $5.7 million.
• The average ransom paid was $900,000.
• There were also a further 42 confirmed attacks on healthcare organizations that do not provide direct care, involving 115,640,362 compromised records and an average ransom demand of $16.3 million.

The report also notes that many confirmed reports come through months - and in some cases, years - after the attack, so 2024 figures will continue to rise in the coming months.

In this article, learn more about the recent healthcare ransomware threat actors, attacks, how your hospital can be affected, and what you can do to help prevent your hospital from becoming the next victim.

Who Healthcare Ransomware Threat Actors Are

It’s important for healthcare providers to recognize the size and scope of today’s ransomware threats and threat actors. As John Riggi, Senior Advisor for Cybersecurity and Risk for the American Hospital Association (AHA), shares in Ransomware Attacks on Hospitals Have Changed:

“Most cyber attacks on health care facilities today are not carried out by domestic, individual hackers. Similar to the 9/11 attacks, the vast majority of cyber criminals are operating from the safe haven of adversarial nation states that will not cooperate with or extradite these criminals to the United States. In many situations, these hostile nation states actually facilitate the cyber attacks against the U.S., because it may serve their national interests to do so. From their sheltered “firing positions,” these cyber criminals are remotely launching ransomware attacks against U.S. hospitals, medical research laboratories and other critical infrastructure – creating a direct threat to public health and safety.”

In the US, several groups are responsible for ransomware attacks on US hospitals, including:

• Wizard Spider: This ransomware group, known for their Conti and Ryuk ransomware variants, is believed to be based out of Russia. They have been particularly active in targeting the healthcare sector.
• BlackCat (AlphV) and Black Basta: These organized cybercriminal groups, with roots in Eastern Europe, have been responsible for numerous high-profile ransomware attacks on US healthcare organizations.
• Rhysida Group: This ransomware-as-a-service group, whose exact location has not been publicly disclosed, has been targeting hospitals and other sectors since May 2023. They are known for publishing stolen files online and causing significant disruptions.

In the UK, the following groups have been responsible for ransomware attacks:

• INC Ransom: This Russia-linked group has targeted multiple NHS Trusts, including Alder Hey Children’s Hospital and Liverpool Heart and Chest Hospital.
• RansomHub: This group was behind the attack on Wirral University Teaching Hospitals NHS Foundation Trust.
• Other Groups: Various other Russian cybercriminal groups have also been implicated in attacks on major London hospitals.

All these ransomware threat actors exploit vulnerabilities in healthcare systems, using phishing emails, unpatched software vulnerabilities, and weak security practices to gain access and deploy ransomware.

Why Threat Actors Target Healthcare Delivery Organizations

Threat actors target hospitals in the US and UK with ransomware attacks for several key reasons:

• Valuable Data: Hospitals store vast amounts of sensitive patient data, including personally identifiable information (PII) like social security numbers, birth dates, and medical histories. This data is highly valuable for identity theft, insurance fraud, and other illicit activities.
• Critical Operations: The critical nature of healthcare services and serious consequences of disruptions make hospitals more likely to pay ransoms quickly to regain access to their data and restore operations. Disruptions can lead to delayed treatments, canceled appointments, and compromised patient safety.
• Outdated IT Systems: Many healthcare organizations rely on outdated technology and lack robust cybersecurity measures. Legacy systems with unpatched vulnerabilities are particularly susceptible to ransomware attacks.
• Expanded Attack Surface: The rise of telemedicine and remote patient monitoring has increased the attack surface for cybercriminals. These technologies often use insecure Internet connections and devices, making them easier targets.

Anatomy of a Healthcare Ransomware Attack

A healthcare ransomware attack typically follows several key stages:

• Initial Compromise: Attackers gain access to the healthcare network through phishing emails, exploiting software vulnerabilities, using stolen credentials, or by gaining access through vulnerabilities in third-party vendors that are connected to the healthcare provider’s network.
• Establishing Foothold: Once inside, attackers install malware to maintain access and begin reconnaissance to understand the network layout and identify critical systems.
• Lateral Movement: Attackers move laterally across the network, often using legitimate tools and credentials to avoid detection. They target systems that store sensitive data, such as electronic health records (EHR) and financial information.
• Data Exfiltration: Before encrypting files, attackers may steal sensitive data to use for extortion or sell on the dark web. This step is designed to increase pressure on victims to pay the ransom.
• Encryption: Ransomware is deployed, encrypting files and rendering systems unusable. A ransom note is then displayed, demanding payment in exchange for the decryption key.
• Extortion and Ransom Payment: The attackers threaten data availability by demanding a payment before they will decrypt and restore access to system data. Healthcare organizations then face the difficult decision of whether to pay the ransom to restore operations quickly or risk prolonged downtime and data loss. The attackers may also threaten patient confidentiality by threatening to release stolen patient data if the ransom is not paid. For example, in a 2023 ransomware attack on Lehigh Valley Health Network, attackers posted hundreds of patients' nude medical record photos online as an extortion tactic.
• Recovery and Remediation: After the attack, the healthcare organization must restore systems from backups (if available), remove the malware, and strengthen security measures to prevent future attacks.

Understanding these stages helps healthcare facilities implement effective defenses and response strategies to mitigate the impact of ransomware attacks.

Representative US Healthcare Ransomware Attacks

Below are a few examples of 2024 US healthcare ransomware attacks:

• Lurie Children's Hospital Attack (January 2024): The attack forced Epic electronic health record systems and MyChart patient portals offline, and staff were forced to work under downtime procedures and record patient information manually. Access was not restored until May 20, 2024.
• Change Healthcare Attack (February 2024): The massive attack caused significant disruption to healthcare services, including delays in issuing prescriptions to patients. The US Department of Health and Human Services (HHS) reported in October 2024 that approximately 100 million individual data breach notices related to the attack have been sent, making it the largest known data breach of US healthcare records.
• Octapharma Attack (April 2024): The attack disrupted 150 blood plasma donation centers across America.
• Ascension Health Attack (May 2024): The attack impacted electronic health records, caused ambulance diversions, and affected clinical operations across 11 states and Washington, D.C. Clinicians described harrowing lapses that compromised patient care, including delayed or lost lab results, medication errors, and an absence of routine safety checks via technology to prevent potentially fatal mistakes. It was the third largest data breach of the year.
• Florida Department of Health Attack (June 2024): Attackers hacked the state’s Vital Statistics System, which is used to process birth and death certificates. The attack kept some families from receiving burial services for about two weeks.
• One Blood Attack (July 2024): The attack disabled the blood distribution system for more than 250 hospitals in the Southeast United States. The attack led to urgent appeals for blood donations and cancellations of surgeries.
• McLaren Health Care Attack (August 2024): The attack disrupted healthcare delivery at all 13 of its hospitals, surgery, infusion and imaging centers, along with its network of 113,000 medical providers throughout Michigan, Indiana, and Ohio. It took three weeks to restore the systems.
• UMC Health System (September 2024): The attack on the only Level 1 trauma center within 200 miles in Texas resulted in diversion of emergency and non-emergency patients to other local healthcare facilities. Restoration of services took almost three weeks.
• Memorial Hospital and Manor (November 2024): The crippling malware attack on this hospital in Georgia forced the hospital to abandon its computer systems and revert to pen and paper.
• PIH Health (December 2024): The attack affected healthcare appointments and services across hospitals, urgent care centers, doctors' offices, and PIH Health's home health and hospice agency. The nonprofit healthcare network serves three million residents in Los Angeles.

Representative UK Healthcare Ransomware Attacks

Notable healthcare ransomware attacks in the UK in 2024 include:

• NHS Dumfries and Galloway Data Breach (March 2024): This attack led to the theft of three terabytes of data, including confidential patient records. Some of the stolen data included children’s mental health data published online after the attack.
• Synnovis Ransomware Attack (June 2024): Targeted by the Russian cybercriminal group Qilin, this attack disrupted pathology and diagnostic services at major London hospitals. As one of the largest recent NHS data breaches, it affected over 10,000 outpatient appointments and 1,700 elective procedures.
• Alder Hey Children’s NHS Foundation Trust Data Breach (November 2024): The attack, which impacted not only Alder Hey Children’s, but also the Liverpool Heart and Chest Hospital and Royal Liverpool University Hospital, resulted in a significant breach. Data was published online and circulated on social media.
• Wirral University Teaching Hospitals Cyberattack (November 2024): The attack was declared a "major incident," and led to the isolation of affected systems and a reversion to manual processes.

These incidents highlight the ongoing challenges faced by the healthcare sector in maintaining robust cybersecurity measures.

Ransomware Impact on Patient Care

Ransomware attacks can severely impact patient care in the following ways:

• Delayed Treatments: When hospital systems are locked, access to electronic health records (EHRs) and diagnostic tools is often lost. This can delay treatments, surgeries, and other critical medical procedures.
• Increased Mortality Rates: Studies have shown that ransomware attacks can lead to increased in-hospital mortality rates. For example, stroke and cardiac arrest cases can rise significantly during such attacks due to delays in care.
• Patient Diversions: Hospitals affected by ransomware may need to divert patients to other facilities. This can lead to longer travel times, delays in patient care, and also overloads neighboring hosptials, leading to a degradation of care at neighboring facilities as well.
• Compromised Patient Safety: Without access to accurate and up-to-date patient information, healthcare providers may make errors in medication administration, diagnoses, and treatment plans.
• Longer Wait Times: The disruption of hospital operations often results in longer wait times for patients, both in emergency departments and for scheduled appointments.
• Budget Cuts: The costs associated with recovering from a ransomware attack can be substantial, potentially leading to budget cuts that affect patient services and resources.

Ransomware Impact on Healthcare Staff

Ransomware attacks can also have significant impacts on hospital staff. For example, an attack can affect staff in the following ways:

• Operational Disruptions: Staff may lose access to critical systems like electronic health records (EHRs), scheduling systems, and communication tools. This can lead to delays in patient care, rescheduling of surgeries, and difficulties in managing patient information.
• Increased Workload: With digital systems down, staff often must revert to manual processes, which are time-consuming and prone to errors. This increases their workload and stress levels.
• Patient Safety Risks: The inability to access patient records and medical histories can lead to mistakes in treatment, medication errors, and delayed diagnoses, putting patient safety at risk.
• Emotional and Psychological Stress: The pressure to maintain patient care under challenging conditions can lead to burnout, anxiety, and frustration among staff. The fear of future attacks can also contribute to ongoing stress.
• Morale: The hospital's reputation can suffer, leading to a loss of trust among patients and the community. This can impact staff morale and their sense of pride in their workplace.

Ransomware Impact on Healthcare Finances

In addition to the negative impacts on patients and healthcare staff, hospitals who fall victim to a ransomware attack also face significant financial losses.

Financial losses accrue not just from potential ransom payments (and note that the FBI does not support paying ransom in response to an attack). They also accrue due to the high cost of restoring systems, lost revenue from disrupted services, and payments resulting from class-action lawsuits.

For example, based on a December 18, 2024 analysis by Comparitech, on average US healthcare organizations lose $1.9 million per day to downtime from ransomware attacks. Also, according to this report, some of the largest ransomware recovery figures include:

• CommonSpirit Health: $160 million (October 2022 attack)
• Scripts Health: $112.7 million (May 2021 attack)
• Ardent Health Services: $74 million (November 2023)
• Universal Health Services: $67 million (September 2020)
• University of Vermont Health Network: $65 million (October 2020)

These staggering figures underscore the devastating financial impact ransomware attacks can have on healthcare institutions.

How to Protect Against Healthcare Ransomware Attacks

Healthcare delivery organizations can take several steps to protect themselves against ransomware attacks:

• Regular Data Backups: Implement the 3-2-1 backup rule: keep three copies of your data, on two different media, with one copy off-site. Regularly test backups to ensure they can be restored quickly.
• Employee Training: Conduct regular cybersecurity training to educate staff about phishing attacks and safe online practices. Employees should know how to recognize and report suspicious activities.
• Network Segmentation: Divide the network into segments to limit the spread of ransomware. Critical systems should be isolated from less secure areas.
• Patch Management: Keep all systems and software up to date with the latest security patches. This reduces vulnerabilities that ransomware can exploit.
• Endpoint Protection: Use advanced endpoint protection solutions that include antivirus, anti-malware, and intrusion detection systems.
• Access Controls: Implement strict access controls and use multi-factor authentication (MFA) to ensure that only authorized personnel can access sensitive data.
• Incident Response Plan: Develop and regularly update an incident response plan. This plan should include steps for detecting, containing, and recovering from ransomware attacks.
• Regular Audits and Assessments: Conduct regular security audits and risk assessments to identify and address potential vulnerabilities.

By following these steps, healthcare organizations can significantly reduce their risk of falling victim to ransomware attacks and ensure the safety and security of patient data.

How Cylera Helps Protect Hospitals from Ransomware Attacks

While there have been numerous ransomware attacks on healthcare organizations, there are no widely verified cases where a medical device was specifically identified as the initial vector for a ransomware attack. However, medical devices are considered vulnerable points within healthcare networks due to their often-outdated software and lack of robust security measures.

In recognition of the risk medical devices can present to secure, reliable care delivery, on December 18th, 2024 the US Department of Health and Human Services issued an Advisory Bulletin, Protecting Healthcare Operational Technology and Internet of Medical Things Against Cyber Threats. This advisory stressed the importance of safeguarding healthcare IoT and connected medical devices and warned that “threat actors may exploit critical OT and IoMT vulnerabilities to interfere with healthcare services, jeopardize patient information, and threaten patient safety.”

The Cylera platform itself helps protect hospitals from ransomware attacks in the following ways:

• Hardening healthcare IoT and connected medical device defenses
• Facilitating incident response

Hardening Healthcare Ransomware Defenses

Cylera helps harden healthcare IoT ransomware defenses in the following ways:

Asset Discovery and Visibility

Knowing where all your assets are is the first step in hardening your defenses against a ransomware attack. Having a complete asset inventory protects against ransomware by ensuring visibility and control over all connected devices. This enables timely identification and protective management of healthcare IoT and connected medical devices. Cylera’s automated healthcare asset discovery capabilities identify both known and unknown devices. The Cylera platform can quickly alert when an unexpected or unknown device connects to the network. This allows the IT team to quickly assess the device and take appropriate action.

Real-Time Inbound and Outbound Communication Monitoring

Knowing how your assets are communicating (both inbound and outbound) is the second step in hardening your defenses against a ransomware attack. Cylera provides continuous monitoring of all connected devices, including detecting and alerting on unauthorized inbound and outbound communications. This enables IT teams to quickly identify and shut down unauthorized device communication and access.

Real-Time Anomalous Behavior Detection

Ensuring you have a process in place to immediately detect anomalous device behavior is the third step in hardening your defenses against a ransomware attack. Cylera leverages the device models created by its asset discovery and inventory technologies to create device behavioral models and policies. The policies define what necessary, secure device communications look like. They also generate alerts when these communications deviate, as communication deviations could be indicative of a ransomware attack. This capability ensures teams proactively receive alerts from Cylera when medical devices deviate from expected behaviors. This in turn helps prevent unauthorized access and ensure that devices communicate only with approved endpoints.

Network Segmentation

Having a mature network segmentation strategy is another very important step in defending against ransomware attacks. This includes implementing a properly designed network with medical devices segmented onto appropriate subnets. This also includes ensuring network segmentation strategy enforcement continues. Cylera assists organizations with network segmentation in the following ways:

• Initial network segmentation
• Ongoing network segmentation management and enforcement.

Initial Network Segmentation

Proper network segmentation is key to limiting the blast radius during a ransomware attack. However, many healthcare organizations struggle with successfully implementing network segmentation in their environments. Cylera can play a key role in helping healthcare organizations develop an appropriate network segmentation strategy and subnet plan for their connected medical devices. With Cylera device discovery and inventory capabilities, devices are discovered and categorized, and IT teams can clearly see which network subnets contain healthcare IoT and connected medical devices. This visibility helps IT teams ensure medical devices reside only on appropriate subnets.

Ongoing Network Segmentation Enforcement

Once teams have visibility into their assets and network subnet structure and have ensured all medical devices are on the proper subnets, Cylera can then assist with enforcing the network segmentation strategy to further harden the network against healthcare ransomware attacks.

Although the Cylera platform does not do containment/enforcement/quarantining directly, the Cylera platform does help enable containment actions through the platform’s integrations with firewall and network access control (NAC) solutions. Cylera platform integrations with firewall and NAC solutions help enable network segmentation in the following ways:

• The Cylera network segmentation policy generator analyzes the behavior of existing healthcare IoT and connected medical devices on the network. It then generates new or updated network segmentation rules based on device profiles (which include data such as device type, group, and more).
• The Cylera network segmentation policy generation engine can then forward, via built-in integrations, new and updated network segmentation policies to firewalls and NACs.
• After appropriate review/validation, the network segmentation policies can be enabled on the firewall or NAC.
• Once enabled on the firewall or NAC, the new or updated segmentation policies are automatically applied to existing healthcare IoT and connected medical devices, as well as any new devices as they are added to the network.

The Cylera platform can also support assessing the cybersecurity of healthcare IoT devices before allowing them to access and use production resources.

• The Cylera policy generation engine analyzes the behavior of existing healthcare IoT and connected medical devices on the network. It then automatically builds baseline network configuration policies for devices based on the type of device as well as device groups. This baseline network configuration policy is based on items such as ports the device communicates on (such as port 80 or DICOM ports).
• The device baseline network configuration policies created by the Cylera policy generation engine can then be used as a “gold standard” or “gold image” for what a good healthcare IoT or connected medical device configuration looks like for specific device types and groups and within the specific environment in which the device operates. The Cylera policy generation engine can also forward, via built-in integrations, the baseline network configuration policies for devices to firewalls and NACs.
• Firewalls and NACs can use the baseline network configuration policies received from Cylera to immediately assess new connected medical devices against their organization’s medical device configuration “gold standard” to ensure any new connected medical devices do not go into service until they adhere to the organization’s configuration “gold standard.”

Vulnerability and Risk Management

Ransomware attackers are always searching for new attack vectors, and healthcare IoT and connected medical device vulnerabilities are attractive targets. Ransomware threat actors can use AI and automated tools to quickly identify and exploit vulnerable IoT devices. For example, threat actors can assess healthcare IoT and connected medical devices for the following when planning an attack:

• Unpatched Vulnerabilities: Many IoT devices in healthcare settings run outdated software with known vulnerabilities. Attackers want to identify these vulnerabilities so they can exploit them to gain access to the network.
• Weak Security Controls: IoT devices often lack robust security controls, making them easier targets for attackers. Once compromised, attackers can use these devices to spread ransomware throughout the network.
• Unsecured Network Access Points: IoT devices can act as entry points into the healthcare network. Attackers can use these devices to bypass traditional security measures and deploy ransomware.

Cylera helps healthcare organizations identify and remediate vulnerabilities and risks in connected medical devices and IoT systems, ensuring that all devices are up-to-date with the latest security patches.

The Cylera platform uses advanced machine learning to detect vulnerabilities and risks in real-time, including protected health information (PHI), ensuring that potential risks are identified and addressed promptly. Cylera also provides highly accurate risk scoring and prioritization based on vulnerability assessments, indicators of compromise (IOC), device type, and other factors. This helps healthcare organizations focus their mitigation efforts on the most critical threats.

These capabilities improve the security posture of healthcare IoT and connected medical devices and help reduce the attack surface.

Facilitating Ransomware Incident Response

In the event of a breach, Cylera helps hospitals respond to ransomware incidents in the following ways:

• Comprehensive Asset Inventory: During a ransomware attack, a complete asset inventory is critical for incident response. Knowing exactly what devices are on the network and their location helps in isolating affected devices and mitigating malware spread. Cylera’s comprehensive inventory of all healthcare IoT and connected medical devices allows IT departments, in the event of a ransomware attack, to monitor and manage not only IT, but also IoT and connected medical devices effectively - including known and unknown devices - to ensure no device is overlooked.
• Real-Time Monitoring: Cylera provides real-time monitoring and behavioral analysis that enables quick detection and response to unusual activities or anomalies that are indicative of an in-progress ransomware attack, such as if an imaging modality is suddenly communicating with an external entity. This continuous real-time monitoring and proactive detection helps identify in-progress ransomware attacks more quickly and enables IT teams to act faster to contain the blast radius.
• Integrations with Firewall and NAC Solutions: Although Cylera does not do containment itself, the network segmentation policies Cylera generates can be forwarded to popular firewall and NAC solutions via integrations. These solutions can then use the policies from Cylera to facilitate active enforcement and block devices with behavioral anomalies during a ransomware attack.

Together, these capabilities help hospitals respond more effectively to ransomware incidents, minimizing attack impact and spread.

Protect Your Healthcare IoT Assets from Ransomware Attacks with Cylera

In 2024, ransomware attacks resulted in devastating consequences for hospitals in both the US and the UK. They will continue to pose a significant threat to healthcare organizations in 2025 and beyond.

The time to ensure your vital healthcare IoT and connected medical devices are protected from ransomware threats is now.  Learn more about how Cylera can better protect your healthcare organization from attack. Cntact us for a no-obligation, one-on-one demonstration of Cylera’s full capabilities.