IoT ransomware attacks targeting connected medical devices are growing in sophistication. These attacks don't just compromise data; they threaten patient lives. When attackers disable critical medical equipment, patients suffer. Every healthcare CISO must prioritize IoT security to maintain operations, ensure compliance, and protect patients.
Traditional security fails against these specialized threats. Medical devices create perfect targets: outdated firmware, default passwords, minimal security controls. Threat actors know this. They actively hunt for these vulnerabilities. By implementing robust device discovery, network segmentation, and continuous monitoring, you can dramatically strengthen your defenses. Regulators and stakeholders demand this protection. Patients deserve it.
How Ransomware Is Impacting Healthcare IoT
Hospitals today are very concerned about ransomware attacks - and rightly so. A recent research report from Comparitech, Ransomware Roundup: 2024 End-of-Year Report (published on January 9th, 2025) found:
- 181 confirmed (and counting) ransomware attacks in the healthcare sector in 2024.
- 25.6 million healthcare records were affected.
- The average ransom demand in the healthcare sector was $5.7 million.
- The average ransom paid was $900,000.
- There were also a further 42 confirmed attacks on healthcare organizations that do not provide direct care, involving 115,640,362 compromised records and an average ransom demand of $16.3 million.
The report also notes that many confirmed reports come through months - and in some cases, years - after the attack, so 2024 figures will continue to rise in the coming months.
In this article, learn more about the recent healthcare ransomware threat actors, attacks, how your hospital can be affected, and what you can do to help prevent your hospital from becoming the next victim.
Who Healthcare Ransomware Threat Actors Are
It’s important for healthcare providers to recognize the size and scope of today’s ransomware threats and threat actors. As John Riggi, Senior Advisor for Cybersecurity and Risk for the American Hospital Association (AHA), shares in Ransomware Attacks on Hospitals Have Changed:
“Most cyber attacks on health care facilities today are not carried out by domestic, individual hackers. Similar to the 9/11 attacks, the vast majority of cyber criminals are operating from the safe haven of adversarial nation states that will not cooperate with or extradite these criminals to the United States. In many situations, these hostile nation states actually facilitate the cyber attacks against the U.S., because it may serve their national interests to do so. From their sheltered “firing positions,” these cyber criminals are remotely launching ransomware attacks against U.S. hospitals, medical research laboratories and other critical infrastructure – creating a direct threat to public health and safety.”
In the US, several groups are responsible for ransomware attacks on hospitals, including:
- Wizard Spider: This ransomware group, known for their Conti and Ryuk ransomware variants, is believed to be based out of Russia. They have been particularly active in targeting the healthcare sector.
- BlackCat (AlphV) and Black Basta: These organized cybercriminal groups, with roots in Eastern Europe, have been responsible for numerous high-profile ransomware attacks on US healthcare organizations.
- Rhysida Group: This ransomware-as-a-service group, whose exact location has not been publicly disclosed, has been targeting hospitals and other sectors since May 2023. They are known for publishing stolen files online and causing significant disruptions.
In the UK, the following groups have been responsible for ransomware attacks:
- INC Ransom: This Russia-linked group has targeted multiple NHS Trusts, including Alder Hey Children’s Hospital and Liverpool Heart and Chest Hospital.
- RansomHub: This group was behind the attack on Wirral University Teaching Hospitals NHS Foundation Trust.
- Other Groups: Various other Russian cybercriminal groups have also been implicated in attacks on major London hospitals.
All these ransomware threat actors exploit vulnerabilities in healthcare systems, using phishing emails, unpatched software vulnerabilities, and weak security practices to gain access and deploy ransomware.
Why Is Healthcare IoT a Prime Ransomware Target?
Threat actors target hospitals in the US and UK with ransomware attacks for several key reasons:
Valuable Data
Hospitals store vast amounts of sensitive patient data, including personally identifiable information (PII) like social security numbers, birth dates, and medical histories. This data is highly valuable for identity theft, insurance fraud, and other illicit activities.
Critical Operations
The critical nature of healthcare services and serious consequences of disruptions make hospitals more likely to pay ransoms quickly to regain access to their data and restore operations. Disruptions can lead to delayed treatments, canceled appointments, and compromised patient safety.
Outdated IT Systems
Many healthcare organizations rely on outdated technology and lack robust cybersecurity measures. Legacy systems with unpatched vulnerabilities are particularly susceptible to ransomware attacks.
Expanded Attack Surface
The rise of telemedicine and remote patient monitoring has increased the attack surface for cybercriminals. These technologies often use insecure Internet connections and devices, making them easier targets.
Stages of a Healthcare Ransomware Attack
A healthcare ransomware attack typically follows several key stages:
Initial Compromise
Attackers may target vulnerable IoT medical devices as their entry point into healthcare networks. Infusion pumps, patient monitors, and imaging systems often run outdated firmware with known security flaws that attackers actively exploit. Many medical devices ship with default passwords that never get changed, creating easy access points.
Establishing Foothold
Once inside, attackers install malware to maintain access and begin reconnaissance to understand the network layout and identify critical systems.
Lateral Movement
Attackers move laterally across the network, often using legitimate tools and credentials to avoid detection. They target systems that store sensitive data, such as electronic health records (EHR) and financial information.
Data Exfiltration
Before encrypting files, attackers may steal sensitive data to use for extortion or sell on the dark web. This step is designed to increase pressure on victims to pay the ransom.
Encryption
Ransomware is deployed, encrypting files and rendering systems unusable. A ransom note is then displayed, demanding payment in exchange for the decryption key.
Extortion and Ransom Payment
The attackers threaten data availability by demanding payment before they will decrypt and restore access to system data. Healthcare organizations then face the difficult decision of whether to pay the ransom to restore operations quickly or risk prolonged downtime and data loss. The attackers may also threaten patient confidentiality, warning that stolen patient data will be released if the ransom is not paid.
Recovery and Remediation
After the attack, the healthcare organization must restore systems from backups (if available), remove the malware, and strengthen security measures to prevent future attacks.
Understanding these stages helps healthcare facilities implement effective defenses and response strategies to mitigate the impact of ransomware attacks.
Anatomy of an IoT Ransomware Attack in Healthcare: Case Study
The BlackCat/ALPHV ransomware group struck Lehigh Valley Health Network (LVHN) in February 2023, deliberately targeting its medical imaging infrastructure. The attackers carried out a ransomware attack on medical devices by bypassing general IT systems and going straight for the most sensitive targets—radiology servers housing diagnostic patient images. They compromised PACS (Picture Archiving and Communication Systems) servers containing thousands of MRIs, CT scans, and X-rays.
This attack showcased an evolution in healthcare IoT ransomware. BlackCat first stole sensitive medical images, then encrypted the files. When LVHN refused payment, the group published patients' sensitive medical images online. PACS systems proved particularly vulnerable because they run legacy operating systems, connect to multiple clinical networks, and typically follow extended replacement cycles. This combination creates an ideal entry point for sophisticated attacks on healthcare IoT infrastructure.
The Impact of Healthcare IoT Ransomware Attacks
Ransomware targeting healthcare IoT devices devastates hospital operations. Connected devices form the backbone of modern patient care. When attackers compromise these systems, the damage spreads rapidly. Patients face delayed treatments and increased risks while staff scramble to implement manual processes. Financial losses mount by the hour.
These impacts hit three critical areas simultaneously: direct patient care, staff operations, and organizational finances.
Patient Care
Ransomware attacks can severely impact patient care in the following ways:
- Delayed Treatments: When hospital systems are locked, access to electronic health records (EHRs) and diagnostic tools is often lost. This can delay treatments, surgeries, and other critical medical procedures.
- Increased Mortality Rates: Studies have shown that ransomware attacks can lead to increased in-hospital mortality rates. For example, stroke and cardiac arrest cases can rise significantly during such attacks due to delays in care.
- Patient Diversions: Hospitals affected by ransomware may need to divert patients to other facilities. This leads to longer travel times and delays in care, and it also overloads neighboring hospitals, degrading care at those facilities as well.
- Compromised Patient Safety: Without access to accurate and up-to-date patient information, healthcare providers may make errors in medication administration, diagnoses, and treatment plans.
- Longer Wait Times: The disruption of hospital operations often results in longer wait times for patients, both in emergency departments and for scheduled appointments.
- Budget Cuts: The costs associated with recovering from a ransomware attack can be substantial, potentially leading to budget cuts that affect patient services and resources.
Healthcare Staff
Ransomware attacks can also have significant impacts on hospital staff. For example, an attack can affect staff in the following ways:
- Operational Disruptions: Staff may lose access to critical systems like electronic health records (EHRs), scheduling systems, and communication tools. This can lead to delays in patient care, rescheduling of surgeries, and difficulties in managing patient information.
- Increased Workload: With digital systems down, staff often must revert to manual processes, which are time-consuming and prone to errors. This increases their workload and stress levels.
- Patient Safety Risks: The inability to access patient records and medical histories can lead to mistakes in treatment, medication errors, and delayed diagnoses, putting patient safety at risk.
- Emotional and Psychological Stress: The pressure to maintain patient care under challenging conditions can lead to burnout, anxiety, and frustration among staff. The fear of future attacks can also contribute to ongoing stress.
- Morale: The hospital's reputation can suffer, leading to a loss of trust among patients and the community. This can impact staff morale and their sense of pride in their workplace.
Healthcare Finances
In addition to the negative impacts on patients and healthcare staff, hospitals that fall victim to a ransomware attack also face significant financial losses.
Financial losses accrue not just from potential ransom payments (and note that the FBI does not support paying ransoms in response to an attack) but also from the high cost of restoring systems, lost revenue from disrupted services, and payments resulting from class-action lawsuits.
For example, based on a December 18, 2024 analysis by Comparitech, on average US healthcare organizations lose $1.9 million per day to downtime from ransomware attacks. Also, according to this report, some of the largest ransomware recovery figures include:
- CommonSpirit Health: $160 million (October 2022 attack)
- Scripps Health: $112.7 million (May 2021 attack)
- Ardent Health Services: $74 million (November 2023)
- Universal Health Services: $67 million (September 2020)
- University of Vermont Health Network: $65 million (October 2020)
These staggering figures underscore the devastating financial impact ransomware attacks can have on healthcare institutions.
How to Protect Against IoT Ransomware Attacks in Healthcare
Healthcare delivery organizations can take several steps to protect themselves against ransomware attacks:
1. Regularly Back Up Your Data
Medical device data requires specialized backup strategies. Implement the 3-2-1 rule: three copies, two media types, one offsite. Unlike standard IT systems, patient-critical equipment often contains proprietary configurations that need targeted backup procedures. Work with vendors to capture this data correctly. Most importantly, test your restoration process quarterly with clinical systems to verify recoverability under pressure.
2. Conduct Employee Training
Teach clinical staff to recognize security threats in their daily workflow. What does a compromised infusion pump look like? When should they report suspicious behavior on a diagnostic workstation? Specialized scenarios that include medical context resonate better with healthcare professionals. Remember that for clinicians, security isn't abstract—it's a patient safety concern. Clear reporting channels encourage frontline staff to flag potential issues before they escalate.
3. Segment Your Network
Isolate critical care equipment on dedicated network segments. Your infusion pumps have no business talking directly to internet-facing systems. Healthcare-aware firewalls should filter traffic between segments, understanding medical protocols like HL7 and DICOM. Proper segmentation contains ransomware outbreaks, preventing a compromised radiology workstation from infecting patient monitoring systems across the facility.
4. Stay Current with Patch Management
Medical device updates follow different rules than standard IT patching. Clinical considerations sometimes trump immediate security fixes. Build relationships with device manufacturers for timely security updates. When patches can't be applied immediately, compensating controls become essential. Your documentation of these decisions satisfies regulatory requirements while maintaining a realistic approach to clinical technology management.
5. Use Advanced Endpoint Protection
Traditional security software rarely works on specialized medical equipment. Instead, focus on network-based monitoring solutions designed specifically for clinical environments. These systems can detect unusual behavior patterns without requiring agents on the devices themselves. Look for protection tools that understand normal medical device communication and can spot anomalies without disrupting patient care.
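As an added illustration of the segmentation point in step 3 and the network-based monitoring point in step 5 (example code written for this edit, not Cylera's product or code): a small Python check that applies an inter-segment allow-list to flow records and flags a clinical device talking to an internet-facing host or using a port outside the expected medical protocols. The segment address ranges, the DICOM and HL7/MLLP port numbers, and the sample records are all assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed segment map (hypothetical addressing, not from the article).
SEGMENTS = {
    "clinical-devices": ipaddress.ip_network("10.20.0.0/16"),  # pumps, monitors, modalities
    "pacs": ipaddress.ip_network("10.30.0.0/24"),              # imaging archive servers
    "integration": ipaddress.ip_network("10.40.0.0/24"),       # HL7 interface engine
    "corporate": ipaddress.ip_network("10.50.0.0/16"),         # staff workstations
    "dmz": ipaddress.ip_network("192.0.2.0/24"),               # internet-facing hosts
}

# Allow-list: (source segment, destination segment) -> permitted TCP ports.
# Assumed defaults: DICOM on 104/11112, HL7 over MLLP on 2575.
POLICY = {
    ("clinical-devices", "pacs"): {104, 11112},
    ("clinical-devices", "integration"): {2575},
    ("corporate", "pacs"): {104, 11112, 443},
    ("corporate", "integration"): {2575, 443},
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def segment_of(ip):
    """Map an address to its segment name; anything unmapped is 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "external")


def evaluate_flow(line):
    """Return None if the flow is permitted, otherwise a short finding."""
    m = FLOW_RE.search(line)
    if not m:
        return "unparseable flow record: " + line.strip()
    src, dst, dport, proto = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    s_seg, d_seg = segment_of(src), segment_of(dst)
    if s_seg == d_seg:
        return None  # intra-segment traffic is outside this check's scope
    if s_seg == "clinical-devices" and d_seg in ("dmz", "external"):
        # Medical devices should never initiate traffic toward internet-facing hosts.
        return f"clinical device {src} reached {d_seg} host {dst}:{dport}"
    if proto == "tcp" and dport in POLICY.get((s_seg, d_seg), set()):
        return None
    return f"{s_seg} -> {d_seg} on {proto}/{dport} not in allow-list ({src} -> {dst})"


def evaluate_flows(lines):
    return [f for f in map(evaluate_flow, lines) if f]  # keep only findings


SAMPLE_FLOWS = [  # constructed records, not real hospital traffic
    "2025-03-01T10:00:01Z src=10.20.1.15 dst=10.30.0.5 dport=104 proto=tcp",   # modality -> PACS
    "2025-03-01T10:00:02Z src=10.20.1.15 dst=10.40.0.8 dport=2575 proto=tcp",  # HL7 -> interface engine
    "2025-03-01T10:00:03Z src=10.20.1.15 dst=192.0.2.10 dport=443 proto=tcp",  # pump -> DMZ host
    "2025-03-01T10:00:04Z src=10.20.1.15 dst=10.50.3.7 dport=445 proto=tcp",   # SMB toward corporate
    "2025-03-01T10:00:05Z src=10.50.3.7 dst=10.30.0.5 dport=443 proto=tcp",    # workstation -> PACS web UI
]
```

Running `evaluate_flows(SAMPLE_FLOWS)` yields two findings: the pump reaching a DMZ host and the SMB connection from the clinical segment into the corporate segment, while the DICOM and HL7 flows pass silently.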
6. Limit Access to Controls
Who can access your medical device interfaces? Role-based controls should reflect clinical responsibilities, with multi-factor authentication for critical systems. Shared maintenance passwords create unnecessary risk. When vendors need temporary access, provide time-limited credentials that automatically expire. Your access management strategy should balance security with clinical workflow needs during emergencies.
7. Develop an Incident Response Plan
What happens if ransomware hits your imaging network? Your plan should balance cybersecurity with patient safety. Rather than immediately disconnecting affected systems, network isolation is sometimes the safer approach for devices in active clinical use. Regular practice sessions build muscle memory for your team. The best plans include representatives from both technical and clinical departments working together during incident response.
8. Conduct Regular Audits and Assessments
Security gaps hide in complex clinical environments. Regular assessments reveal vulnerabilities before attackers find them. When evaluating new medical devices, security testing should occur before clinical deployment. Your third-party vendors deserve the same scrutiny, especially those connecting to critical systems. Documentation of these efforts not only improves security but also demonstrates regulatory compliance to auditors.
These layered protections significantly reduce your vulnerability to medical device ransomware while supporting your core mission of patient care.
How Cylera Helps Protect Hospitals from IoT Ransomware Attacks
Cylera helps harden healthcare IoT ransomware defenses in the following ways:
- Asset Discovery and Visibility
- Real-Time Inbound and Outbound Communication Monitoring
- Real-Time Anomalous Behavior Detection
- Vulnerability and Risk Management
- Network Segmentation
- Facilitating Ransomware Incident Response
The time to ensure your vital healthcare IoT and connected medical devices are protected from ransomware threats is now. Learn more about how Cylera can better protect your healthcare organization from attack. Contact us for a no-obligation, one-on-one demonstration of Cylera’s full capabilities.