Hospitals Are Ready-Made for Ransomware
Healthcare systems should prepare for a ransomware attack with the assumption - and the urgency - that they are already being targeted
The harsh reality is we should expect more ransomware attacks against hospitals and health systems in the future. The culprits are highly organized bad actors after a treasure trove of data that lives in healthcare environments, much of which is critical to patient care. They know that when lives are at stake, their targets will pay up to protect them.
There is another contributor to the current rise in ransomware and healthcare breaches in general: the way hospital technology environments are designed, connected and communicate with each other. Traditionally, a more siloed approach to securing different parts of a hospital or health system has been the norm. It’s just the way hospitals have been built and expanded. In addition, the rise of electronic health records (EHRs) – which share data across hospitals, clinics and devices – has led to increased attacks against hospitals.
Following these recent ransomware attacks, security industry leaders and even a cadre of expert volunteers quickly provided guidance on how to protect patients and their data. Overlooked in some of these good intentions is the unique nature of the healthcare IT environment, which is not segmented like other industries – meaning it is significantly harder to contain a breach to a single system or location. Moreover, these disparate entities are connected and often not segmented, so an intruder can move laterally with ease. Yet no security tools have existed to allow the security team to track that lateral movement, as the environments aren’t communicating with each other from a security standpoint. This “visibility gap” has always existed in healthcare, and now attackers are leveraging it to launch ransomware attacks with alarming frequency.

- The immediate availability of clinical technology is often a matter of life and death, which is why ransomware can exert a disproportionate impact within a healthcare organization as opposed to financial services or other industries.
- Networked medical devices and clinical endpoints should be identified across the environment and properly catalogued, particularly noting important information such as operating system, patch revision level, dependencies and MDS2 information from the medical manufacturers that details the security features available on the device.
- That said, efforts should also be made to identify which devices have been certified by their manufacturers as being compatible with vulnerability scanning, so that more in-depth, active scans can also be run (or devices should be scanned in safe conditions where they present no medical risk).
- This is especially true given the timeline of most modern ransomware attacks: while early ransomware attacks started encrypting assets as soon as they gained access, modern attackers will compromise assets and use that access to determine the most important assets to encrypt that will maximize payment.
- As new malware variants, attack vectors and techniques emerge on a daily basis, the likelihood that ransomware will be detected by protective technology from the onset of a malware campaign is decreasing day by day.
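
The device catalogue and scan-eligibility points above can be checked mechanically. The following is an added example, not code from the original paper: it reads a constructed inventory, reports missing catalogue fields, and picks a scan mode per device. The CSV column names, the mode labels and the passive-only fallback are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory; every device, field name and value is illustrative.
SAMPLE_INVENTORY = """\
device_id,type,os,patch_level,mds2_on_file,scan_certified,in_clinical_use
pump-01,infusion pump,VxWorks 6.9,2021-03,yes,no,yes
ct-02,CT scanner,Windows 7 Embedded,,yes,yes,yes
mon-03,patient monitor,,,no,no,no
ws-04,nursing workstation,Windows 10,22H2,n/a,yes,yes
"""

# Catalogue fields that must be filled in for every device (assumed names).
REQUIRED = ("os", "patch_level", "mds2_on_file")


def plan_scans(inventory_csv):
    """Return {device_id: {"mode": ..., "gaps": [...]}} for each catalogued device."""
    plan = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        row = {k: (v or "").strip().lower() for k, v in row.items()}
        # Catalogue gaps: empty fields, or an MDS2 form not yet obtained.
        gaps = [f for f in REQUIRED if not row[f]]
        if row["mds2_on_file"] == "no":
            gaps.append("mds2_on_file")
        if row["scan_certified"] == "yes":
            mode = "active"           # manufacturer certifies scan compatibility
        elif row["in_clinical_use"] == "no":
            mode = "active-offline"   # safe conditions: device presents no medical risk
        else:
            mode = "passive-only"     # assumed fallback: never probe an uncertified device in use
        plan[row["device_id"]] = {"mode": mode, "gaps": gaps}
    return plan


if __name__ == "__main__":
    for device, result in plan_scans(SAMPLE_INVENTORY).items():
        print(device, result["mode"], "gaps:", ", ".join(result["gaps"]) or "none")
```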