By Hannah Baumgartner, Head of Research, Silobreaker
The healthcare industry has become a prime target for ransomware attacks – a type of cyber attack where bad actors use malicious software to encrypt a victim’s data, rendering it inaccessible.
Today’s ransomware attacks often go beyond encryption, incorporating data leaks, system disruption and direct threats to victims and their contacts, with cybercriminals intensifying their focus on healthcare providers.
The increasing reliance on digital systems to store and manage patient data has made healthcare institutions particularly vulnerable to cyber threats.
Hospitals, clinics and medical research centres handle vast amounts of sensitive information, making them attractive targets for cybercriminals seeking financial gain through extortion.
Additionally, the sector’s reliance on interconnected networks, medical IoT devices and cloud-based systems has expanded the attack surface, providing more opportunities for cybercriminals to exploit vulnerabilities.
These attacks are not just a financial burden; they can have life-threatening consequences.
When ransomware cripples hospital networks, it can delay critical medical procedures, disrupt patient care and hinder access to electronic health records.
The stakes are particularly high in healthcare, where a single cybersecurity incident can result in lost lives.
Recent high-profile attacks, such as the 2024 Change Healthcare BlackCat (ALPHV) ransomware attack that severely disrupted medical billing and insurance claims processing, highlight the devastating impact on healthcare operations.
There is a critical need for healthcare organisations to understand evolving threat trends and implement robust cybersecurity measures to protect patient data and maintain operational integrity.
Escalation of ransomware attacks in healthcare
The frequency and severity of ransomware attacks on healthcare institutions have reached unprecedented levels.
In 2024 alone, there were 13 data breaches, each affecting over a million healthcare records, including a monumental breach that compromised the personal data of approximately 100 million individuals.
One of the most damaging attacks was the disruption caused by the Change Healthcare incident in February 2024, which resulted in significant financial and operational fallout for healthcare providers nationwide.
Hannah Baumgaertner
The company’s parent, UnitedHealth Group, confirmed that the cyberattack on its subsidiary led to widespread delays in patient care and reimbursement issues, ultimately highlighting how ransomware can have long-term consequences beyond initial data exposure.
Unfortunately, the attack on Change Healthcare was not an isolated event.
A June 2024 Qilin ransomware attack on the UK pathology laboratory, Synnovis, saw the personal information of patients of Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust being stolen and subsequently leaked online.
Moreover, the attack directly impacted services provided by the NHS trusts, with routine healthcare procedures having to be cancelled or redirected to other providers.
Blood transfusions were particularly affected, prompting NHS Blood and Transplant to issue an urgent appeal for universal blood donors to donate as the ransomware attack prevented hospitals from matching patients’ blood at the same frequency as usual.
Such breaches not only jeopardise sensitive patient information but also disrupt critical medical services, posing significant risks to patient safety.
Why is healthcare a prime target?
Several factors contribute to the healthcare sector’s vulnerability to ransomware attacks.
First, many healthcare organisations, especially smaller practices, often lack the budget and technical resources to implement comprehensive cybersecurity measures, making them easier targets.
Second, patient records contain a wealth of personal and financial information, making them lucrative targets for cybercriminals seeking ransom payments.
Additionally, the critical nature of healthcare services means healthcare providers may feel pressured to pay ransoms quickly to restore operations.
Victims in this sectors might also be more willing to pay up because the cost of recovery is often higher than paying the ransom.
The financial impact of these attacks is profound.
In 2024, the average cost of recovering from a ransomware attack in the healthcare sector was $2.57 million, up from $2.2 million in 2023 according to industry research.
This escalation reflects not only the ransoms paid but also the extensive costs associated with system restoration, data recovery and reputational damage.
Evolving tactics of cybercriminals
Cybercriminals are continually adapting their strategies to exploit vulnerabilities within healthcare systems.
One of the most concerning developments has been the rise of Ransomware-as-a-Service (RaaS), where hackers create and sell ransomware tools to other criminals who may not have the technical skills to develop their own.
This has lowered the barrier to entry for cybercriminals, allowing even unskilled attackers to launch ransomware attacks, leading to an increase in both the number and sophistication of attacks.
The BlackCat (ALPHV) ransomware group, for instance, has been linked to multiple attacks on hospitals, targeting their ability to function efficiently by encrypting critical patient data.
In August 2024 alone, 30 percent of publicly disclosed ransomware attacks targeted the healthcare sector, emphasising the urgent need for enhanced security measures.
Strategies for mitigating ransomware threats
To combat the growing threat of ransomware, healthcare providers must adopt a proactive and multi-layered cybersecurity strategy. One crucial element is backups.
Regular data backups ensure that healthcare providers can restore their systems without having to pay a ransom, thereby minimising operational disruptions.
Implementing multi-factor authentication (MFA) adds an extra layer of security, reducing the risk of unauthorised access through compromised credentials.
Additionally, timely software updates and patching known vulnerabilities prevent attackers from exploiting outdated systems.
Employee training is equally important, as educating staff about falling for fraudulent phishing emails and other common scam tactics can reduce the likelihood of successful breaches initiated through human error.
Finally, leveraging advanced threat intelligence is key.
It enables organisations to stay informed about emerging threats and vulnerabilities, providing insight into the ransomware groups targeting the healthcare sector, which technology vulnerabilities are commonly being used, and even flagging possible data breaches impacting an organisation’s employees or patients.
Combatting ransomware in healthcare
The escalating threat of ransomware in the healthcare sector demands immediate attention and sustained action.
By understanding the factors that make healthcare a prime target and implementing strategic cybersecurity measures, providers can enhance their defences against these malicious attacks.
The fallout from incidents like the Change Healthcare breach serves as a stark reminder of what is at stake.
Protecting patient data and ensuring the continuity of medical services remains an urgent responsibility as the industry faces this rising threat.
