Cybersecurity | May 2025 | 10 min read

Ransomware in Healthcare: Why Hospitals Are Targeted and How to Respond

Healthcare is the sector most affected by ransomware. Understand why hospitals are targeted, how attacks unfold, and what prevention and response look like in practice.

Ransomware has become an existential threat to healthcare delivery. Attacks have forced hospitals to divert ambulances, cancel elective procedures, revert to paper records, and in documented cases, have been associated with patient harm. The healthcare sector accounts for a disproportionate share of ransomware incidents globally, and the severity of attacks has increased as criminal groups have refined their tactics and identified healthcare as a sector where operational pressure creates leverage.

Why Healthcare Is Disproportionately Targeted

Data Value and Regulatory Pressure

Patient records are among the most valuable data types on criminal markets. They contain the information needed for identity fraud, medical insurance fraud, and targeted social engineering. Unlike payment card data, which can be cancelled, health record data has lasting value. This makes healthcare data worth exfiltrating as well as encrypting — a tactic known as double extortion, where attackers threaten to publish stolen data if ransom is not paid.

Operational Criticality

A retailer that loses access to its point-of-sale system loses revenue. A hospital that loses access to its electronic health record (EHR) system risks patient safety. Ransomware operators understand this asymmetry. When clinical workflows depend on digital systems for medication management, diagnostic results, and patient identification, the pressure to restore operations quickly is enormous. Attackers time campaigns to coincide with periods of peak operational stress.

Patching and Technology Debt

Healthcare organisations operate under constraints that slow security improvements. Legacy clinical applications may only run on specific, outdated operating systems. Medical devices run proprietary firmware that vendors do not update. Procurement cycles are long. IT teams are stretched across large, complex environments. These factors mean that known vulnerabilities remain exploitable for months or years after patches are available.

Anatomy of a Ransomware Attack

Modern ransomware attacks are rarely the spontaneous automated campaigns of a decade ago. They are typically multi-stage operations that unfold over days or weeks.

Initial access is most commonly achieved through phishing emails that harvest credentials or deliver malware, exploitation of vulnerabilities in internet-facing systems (VPN concentrators, remote desktop gateways, web applications), or purchase of access credentials on criminal markets from initial access brokers.

Persistence and reconnaissance follow. Attackers establish persistent access — through additional malware, creation of rogue accounts, or modification of legitimate tooling — and spend time mapping the environment, identifying high-value targets, locating backup systems, and escalating privileges.

Lateral movement extends the attacker's foothold. Using credential theft tools, exploitation of unpatched systems, and abuse of administrative tools, attackers spread through the network.

Exfiltration extracts sensitive data to attacker-controlled infrastructure. This underpins the double extortion threat.

Deployment occurs when attackers are confident they control enough of the environment to cause maximum impact. Ransomware is deployed simultaneously across as many systems as possible, maximising disruption and leverage.

Notable Healthcare Incidents

The 2020 attack on Universal Health Services (UHS) took down IT systems across hundreds of US hospitals, forcing staff to use paper records and manual processes for weeks. The 2021 attack on Ireland's Health Service Executive (HSE) caused months of disruption across the national health system, affecting cancer treatment scheduling, outpatient appointments, and COVID-19 vaccination programmes. In 2024, the Change Healthcare attack disrupted prescription processing across the United States, demonstrating how attacks on healthcare intermediaries can cascade across the entire sector.

These incidents share common threads: extended dwell times before detection, rapid lateral spread once attackers acted, and recovery periods measured in weeks to months rather than hours.

Prevention

Network Segmentation

Flat networks allow ransomware to spread freely once an initial compromise is achieved. Segmenting networks — separating clinical systems, administrative systems, medical devices, and guest networks — limits the blast radius of an attack. Traffic between segments should be filtered and monitored.

Patch Management

A disciplined patch management programme reduces the number of exploitable vulnerabilities. For systems that cannot be patched (legacy clinical applications, medical devices), compensating controls such as network isolation, enhanced monitoring, and host-based firewall rules are necessary.

Multi-Factor Authentication

MFA on all remote access, email, and privileged accounts closes one of the most common initial access vectors. Most ransomware groups actively seek environments without MFA on VPN or remote desktop services.

Endpoint Detection and Response

EDR tools on workstations and servers can detect and contain ransomware activity — including lateral movement and credential theft — before encryption occurs. This requires tuned rules, active monitoring, and rapid response capability.
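As an added illustration of the behavioural detection described above, and of the deployment stage from the attack anatomy, the script below runs a simple mass-rewrite detector over constructed file-write events. It is example code written for this article, not logic taken from any EDR product: it raises one alert when a single process on a single host rewrites a large number of files inside a short window and most of the new names carry an appended extension. Host names, process names, paths, the ".lockd" suffix and the thresholds are all constructed; in production the events would come from EDR or file-server audit telemetry and the thresholds would be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Trailing suffixes that legitimately follow another extension (tar.gz, db.bak ...);
# these are not treated as a ransomware-style appended extension.
BENIGN_TRAILING = {".gz", ".bz2", ".xz", ".zst", ".zip", ".bak", ".tmp"}


def appended_extension(path):
    """Return the trailing suffix when a second extension has been appended to a
    file name (e.g. 'scan.pdf.lockd' -> '.lockd'); None for ordinary names."""
    suffixes = PurePosixPath(path.replace("\\", "/")).suffixes
    if len(suffixes) >= 2 and suffixes[-1].lower() not in BENIGN_TRAILING:
        return suffixes[-1].lower()
    return None


def detect_mass_rewrite(events, window_seconds=60, min_files=100, min_ratio=0.9):
    """events: iterable of (timestamp, host, process, path).
    Emits one alert per (host, process) that writes at least min_files files
    inside any window_seconds window with at least min_ratio of them carrying
    an appended extension."""
    recent = defaultdict(deque)   # (host, process) -> deque of (ts, appended ext or None)
    alerted, alerts = set(), []
    for ts, host, proc, path in sorted(events):
        key = (host, proc)
        q = recent[key]
        q.append((ts, appended_extension(path)))
        # Drop writes that fell out of the sliding window (the newest entry always stays).
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if key in alerted or len(q) < min_files:
            continue
        exts = [e for _, e in q if e]
        if len(exts) / len(q) >= min_ratio:
            alerted.add(key)
            alerts.append({"host": host, "process": proc,
                           "first_seen": q[0][0].isoformat(),
                           "files": len(q),
                           "extension": max(set(exts), key=exts.count)})
    return alerts


def constructed_events():
    """Constructed sample telemetry, not real data: a clinician saving a few
    documents over an hour, and one service account rewriting 300 files in 30 s."""
    base = datetime(2025, 5, 1, 9, 0, 0)
    benign = [(base + timedelta(minutes=10 * i), "WS-RAD-07", "winword.exe",
               f"C:\\Users\\jdoe\\Documents\\note{i}.docx") for i in range(5)]
    burst = [(base + timedelta(milliseconds=100 * i), "SRV-FILE-01", "updater.exe",
              f"\\\\SRV-FILE-01\\clinical\\patient_{i:03d}.pdf.lockd") for i in range(300)]
    return benign + burst


if __name__ == "__main__":
    for alert in detect_mass_rewrite(constructed_events()):
        print(alert)
```

The detector fires on the first window that crosses the threshold, so an alert arrives while encryption is still in progress rather than after the run completes; that early signal is what an automated host-isolation action in an EDR tool would be wired to. Known compound extensions are excluded to keep backup and archive jobs from tripping it.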

Offline, Tested Backups

The most fundamental ransomware mitigation is the ability to restore from clean backups. Backups must be immutable or air-gapped so that attackers who compromise the environment cannot also destroy the backups. Critically, backups must be tested — the ability to restore critical systems within a defined recovery time objective must be verified regularly, not assumed.
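The following is an added example, written for this article rather than taken from any backup product, of what "tested" means in practice: a restore drill that hashes every file in a backup set into a manifest, restores the set, verifies each restored file against the manifest, and checks the elapsed time against a recovery time objective. The data set, file names and the one-hour RTO are constructed; a real drill would point verify_restore at the output of the actual restore job. Note that this checks restorability and integrity only; immutability is a property of the storage (object lock, WORM media, offline copies) and has to be verified separately.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so multi-gigabyte dumps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source):
    """Map each file's relative path to its digest. Keep a copy of this manifest
    out-of-band (not only inside the backup set) so a tampered set cannot
    rewrite its own record."""
    source = Path(source)
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored, elapsed_seconds, rto_seconds):
    """Compare a restored tree against the manifest and the recovery time objective."""
    restored = Path(restored)
    missing, corrupt = [], []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != digest:
            corrupt.append(rel)
    within_rto = elapsed_seconds <= rto_seconds
    return {"files": len(manifest), "missing": missing, "corrupt": corrupt,
            "within_rto": within_rto,
            "passed": within_rto and not missing and not corrupt}


def restore_drill(rto_seconds=3600.0):
    """Run the whole drill on constructed data: build a backup set, restore it and
    verify, then damage the restored copy to show what the verifier reports."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, restored = Path(tmp, "backup"), Path(tmp, "restore")
        (backup / "ehr").mkdir(parents=True)
        (backup / "ehr" / "db.dump").write_bytes(b"constructed EHR dump\n" * 1000)
        (backup / "ehr" / "config.yml").write_text("tier: 1\n")
        (backup / "pacs_index.db").write_bytes(bytes(range(256)) * 64)
        manifest = build_manifest(backup)

        started = time.monotonic()
        shutil.copytree(backup, restored)          # stand-in for the real restore job
        elapsed = time.monotonic() - started
        clean = verify_restore(manifest, restored, elapsed, rto_seconds)

        (restored / "pacs_index.db").write_bytes(b"\x00" * 16)   # silent corruption
        (restored / "ehr" / "config.yml").unlink()                # file never landed
        damaged = verify_restore(manifest, restored, elapsed, rto_seconds)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for name, report in restore_drill().items():
        print(name, report)
```

A drill that only confirms the restore job "completed" would pass the damaged case above; comparing digests is what catches a truncated dump or a file that never landed, and those are the failures that turn a planned restore into a ransom discussion.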

Email Security

Advanced email filtering, anti-phishing controls, and regular phishing simulation exercises reduce the success rate of phishing campaigns. DMARC, DKIM, and SPF reduce the effectiveness of email spoofing.
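To make the SPF and DMARC part of that concrete, here is an added example (written for this article, not from any DNS or mail vendor) that audits raw SPF and DMARC TXT record strings and reports weak settings, with a constructed weak record set beside a hardened one. The domain hospital.test, the include target and the report address are placeholders; the checks themselves follow the published record syntax (v=spf1 terms and qualifiers, DMARC tags p, sp, pct, rua). The records are passed in as strings so the audit runs offline; a live check would fetch them with a DNS TXT lookup first.

```python
import re

# DMARC policy strength, used to spot a subdomain policy weaker than the organisation's.
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10). The lookahead
# keeps a bare 'a' or 'mx' from matching the 'all' mechanism.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def check_spf(record):
    """Return a list of problems found in a raw SPF TXT record (empty = no findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechs = terms[1:]
    problems = []
    all_terms = [t for t in mechs if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        problems.append("no 'all' term: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier in "+?":
            problems.append(f"'{last}' lets any host send as this domain")
        if mechs.index(last) != len(mechs) - 1:
            problems.append("terms after 'all' are never evaluated")
    lookups = sum(1 for t in mechs if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in mechs):
        problems.append("'ptr' is deprecated and unreliable")
    return problems


def check_dmarc(record):
    """Return a list of problems found in a raw DMARC TXT record (empty = no findings)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    p = tags.get("p", "").lower()
    if p not in POLICY_STRENGTH:
        problems.append("missing or invalid required 'p' tag")
    elif p == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    sp = tags.get("sp", "").lower()
    if sp and p in POLICY_STRENGTH and POLICY_STRENGTH.get(sp, 0) < POLICY_STRENGTH[p]:
        problems.append(f"sp={sp} leaves subdomains weaker than the organisational policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        problems.append(f"pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        problems.append("no 'rua' address: aggregate reports will not be received")
    return problems


def audit(records):
    """records: {'spf': txt, 'dmarc': txt} -> {'spf': [problems], 'dmarc': [problems]}"""
    return {"spf": check_spf(records["spf"]), "dmarc": check_dmarc(records["dmarc"])}


# Constructed records for a fictitious domain (hospital.test); not real DNS data.
WEAK = {
    "spf": "v=spf1 include:_spf.mailprovider.test a mx ptr +all",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mailprovider.test mx -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hospital.test; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(recs))
```

The usual progression is p=none with rua set (to learn which legitimate senders are missing from SPF and DKIM), then quarantine, then reject; the weak record above never leaves the monitoring stage and, with +all, tells receivers that every host on the internet may send as the hospital.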

Incident Response When You Are Hit

When ransomware is detected, the immediate priority is containment. Affected systems should be isolated from the network to prevent further spread — ideally through automated network isolation capabilities in the EDR tool, but manually if necessary. Shutdown of systems is generally preferable to leaving them running while connected to the network.

The incident response team should be activated immediately. This includes internal IT and security leadership, legal counsel, a forensic investigation firm (engaged in advance under a retainer if possible), and communications leads. HIPAA notification obligations begin from the point at which a breach is discovered — not from the point at which its scope is understood — so legal and compliance involvement from the outset is essential.

Forensic investigation is necessary to understand the scope of the compromise, identify the initial access vector, determine what data was accessed or exfiltrated, and ensure that the attacker's persistence mechanisms have been fully removed before recovery begins. Recovering onto a network that still contains attacker access is a critical mistake that leads to re-infection.

The Ransom Payment Decision

The decision whether to pay a ransom is legally, ethically, and practically complex. Paying does not guarantee data recovery — decryptors provided by attackers are often slow, incomplete, or buggy. Payment funds criminal operations and encourages further attacks. In some jurisdictions and for attacks attributed to sanctioned actors, payment may create legal liability.

Organisations that have maintained tested, offline backups of critical systems are in a far stronger position to decline payment and recover independently. Those without adequate backups face a difficult calculation. Legal counsel with ransomware experience should be involved in this decision, and law enforcement notification is generally advisable regardless of the payment decision.

Recovery

Recovery from a ransomware attack must be systematic. Critical clinical systems should be restored first, according to a pre-defined priority order established in the business continuity plan. Each system should be verified clean before being restored to the network. Credentials should be reset across the environment. The initial access vector should be closed before any systems are brought back online.
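The pre-defined priority order is worth encoding rather than keeping in a document, because clinical systems have infrastructure dependencies that a tier list alone does not capture. The example below is added for this article (it is not any hospital's actual continuity plan): a constructed plan with tiers and dependencies, a restore ordering that brings lower tiers back first while never restoring a system before what it depends on, and a gate that only releases systems already verified clean. System names and tiers are illustrative.

```python
from collections import defaultdict

# Constructed restore plan, not a real BCP: tier 1 is clinically critical.
PLAN = {
    "dns":        {"tier": 1, "depends_on": []},
    "active_dir": {"tier": 1, "depends_on": ["dns"]},
    "ehr_db":     {"tier": 1, "depends_on": ["active_dir"]},
    "ehr_app":    {"tier": 1, "depends_on": ["ehr_db", "active_dir"]},
    "pacs":       {"tier": 2, "depends_on": ["active_dir"]},
    "payroll":    {"tier": 3, "depends_on": ["active_dir"]},
    "intranet":   {"tier": 3, "depends_on": ["active_dir", "dns"]},
}


def restore_order(plan):
    """Kahn's topological sort with a tier-aware ready queue: among systems whose
    dependencies are all restored, the lowest tier (then name) goes first.
    Raises ValueError on an unknown dependency or a dependency cycle."""
    indegree = {name: len(spec["depends_on"]) for name, spec in plan.items()}
    dependents = defaultdict(list)
    for name, spec in plan.items():
        for dep in spec["depends_on"]:
            if dep not in plan:
                raise ValueError(f"{name} depends on unknown system {dep}")
            dependents[dep].append(name)

    def priority(name):
        return (plan[name]["tier"], name)

    ready = sorted((n for n, d in indegree.items() if d == 0), key=priority)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=priority)
    if len(order) != len(plan):
        stuck = [n for n in plan if n not in order]
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def next_to_restore(plan, restored, verified_clean):
    """Systems that may go back on the network now: not yet restored, every
    dependency already restored, and the system itself verified clean."""
    return [name for name in restore_order(plan)
            if name not in restored
            and all(dep in restored for dep in plan[name]["depends_on"])
            and name in verified_clean]


if __name__ == "__main__":
    print("full order:", restore_order(PLAN))
    print("releasable now:", next_to_restore(PLAN, restored={"dns", "active_dir"},
                                             verified_clean={"ehr_db", "pacs", "payroll"}))
```

Keeping the "verified clean" set as an explicit input makes the gate auditable: a system with pending forensic review cannot be released merely because its dependencies are back, which is the re-infection mistake the forensic section warns about.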

Post-recovery, a thorough lessons-learned process should identify what controls failed and what improvements are needed. This is also the point at which regulatory notifications, patient notifications, and communications with the HHS Office for Civil Rights (OCR) are typically finalised.

FZ Consulting LLP supports healthcare organisations through ransomware preparedness assessments, incident response planning, and post-incident recovery engagements. Contact our team to improve your resilience before a crisis occurs.