Treating Ransomware in the Healthcare Sector


Ransomware is a serious problem across all industries, but increasingly the healthcare sector has become a primary focus for cybercriminals who are keen to capitalize on this sector’s need to run a 24/7/365 operation.

For the healthcare industry, there’s more to lose than just money; patient safety and company reputation are also at risk. As a result, malware infections are the biggest information security concern amongst healthcare providers, as revealed by KPMG.

Experts predict that the healthcare sector will remain a prime target for ransomware attacks, with the sophistication and volume of these incidents increasing. Evidence for this can be seen in a recent Freedom of Information (FoI) request, which revealed that 88 NHS trusts out of 260 across England, Scotland and Wales were the victims of ransomware attacks in just an 18-month period.

While these threats are concerning, there are simple yet crucial steps that organizations can take to reduce the risk and impact of attacks.

Keep up to date

Keeping up to date with the latest developments in cybersecurity is an important starting point. Half of the battle is knowing what to look out for.

It’s critical to keep your anti-virus software up to date as, in most cases, it should detect and contain the majority of threats. Failing to do this will leave you exposed as a vulnerable target for cybercriminals.

Communicate risks

Communicate security risks clearly throughout the organization, whether that is a general hospital or a small practice. It only takes one employee to open an infected email and the whole operation is affected. If staff are able to recognize a suspicious email as a threat, the whole security incident can be avoided in the first instance.

Have clear policies in place for risk management, and make sure your team understands the recommended procedures to follow in the case of a breach. Regular cyber security training is essential and should be rolled out throughout every level of the organization.

Planning and testing

We usually recommend that organizations plan for impacts and test for scenarios. Impact-based planning works on the assumption that even though there are an infinite number of possible disasters, the number of potential consequences at the operational level is much smaller. With scenario-based planning, users are asked to anticipate the implications of a disastrous event and then create a solution ahead of time.

Having said that, certain threats do necessitate a specific response plan, and ransomware is one of them. Evidence highlights that the healthcare sector is a prime target for ransomware attacks, so full-scale disaster recovery testing should be carried out where possible.

Where this isn’t feasible, and as a minimum, organizations should run exercises such as a tabletop test. This involves organizations responding to a simulated disruption by walking through their recovery plans, outlining their responses and actions.

In a hospital, the welfare of patients makes this process even more critical. Plans should therefore be regularly reviewed, updated and tested to ensure that, in the event of an incident, they can be executed as seamlessly as possible with minimum impact to everyone concerned.

I would advise making a ransomware attack the focus of your next test. This will enable you to see how your team would cope and will help you to create a step-by-step book of how to deal with an attack in the future.


If you are hit with a ransomware attack, you have two options: either recover the information from a previous backup, or pay the ransom. However, even if you pay the ransom, there is no guarantee that you will actually get your data back, so the only way to stay fully protected is to have historic copies of your data.

When recovering from ransomware, the main objectives are to minimize the amount of data loss and to limit the amount of IT downtime the business experiences. However, traditional disaster recovery services are not optimized for cyber threats. Replication software will immediately copy the ransomware from production IT systems to the offsite replica. Replication software will also often have a limited number of historic versions to recover from, so by the time an infection has been identified, the window for recovery may have passed.

Therefore, recovering from ransomware can be a lengthy process that requires reverting to backups. The problem with this approach is that it involves sifting through historic versions of backups in order to locate clean data. By partnering with a recovery specialist, healthcare organizations can significantly reduce this process, which will ultimately ensure a faster recovery and greater peace-of-mind.
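
The sifting step described above, as an added example that is not part of the original article: Python code that walks backup versions from oldest to newest, flags the first version in which most files were rewritten as near-random data, and checks whether the last clean version is still inside the retention window. The snapshot data, digests, entropy values and thresholds are constructed assumptions.

```python
# Added example: constructed data, illustrative thresholds (assumptions, tune per site).
# Each version: (label, {path: (content_digest, entropy_bits_per_byte)}), oldest first.
CLEAN = {"pat/a.db": ("d1", 4.1), "pat/b.doc": ("d2", 4.8),
         "img/c.dcm": ("d3", 6.2), "hr/d.xls": ("d4", 5.0)}
SNAPSHOTS = [
    ("2024-03-01", CLEAN),
    ("2024-03-02", {**CLEAN, "pat/a.db": ("d5", 4.2)}),      # normal daily edit
    ("2024-03-03", {**CLEAN, "pat/a.db": ("e1", 7.9),        # mass rewrite begins
                    "pat/b.doc": ("e2", 7.9), "img/c.dcm": ("e3", 8.0)}),
    ("2024-03-04", {p: ("x" + d, 8.0) for p, (d, _) in CLEAN.items()}),
]


def suspect_ratio(prev, curr, entropy_floor=7.5):
    """Share of files in prev that vanished or were rewritten as near-random data."""
    hits = 0
    for path, (digest, _) in prev.items():
        new = curr.get(path)
        # A missing path counts too: encryptors often rename files as they go.
        # Requiring a changed digest avoids flagging unchanged compressed files.
        if new is None or (new[0] != digest and new[1] >= entropy_floor):
            hits += 1
    return hits / len(prev) if prev else 0.0


def last_clean(snapshots, ratio_limit=0.5):
    """(index, label) of the newest version before the first mass rewrite."""
    if not snapshots:
        return None
    for i in range(1, len(snapshots)):
        if suspect_ratio(snapshots[i - 1][1], snapshots[i][1]) >= ratio_limit:
            return i - 1, snapshots[i - 1][0]
    return len(snapshots) - 1, snapshots[-1][0]  # nothing flagged


def within_retention(snapshots, clean_index, versions_kept):
    """True if the clean version is still among the newest versions_kept copies."""
    return len(snapshots) - clean_index <= versions_kept


if __name__ == "__main__":
    idx, label = last_clean(SNAPSHOTS)
    print("restore point:", label)
    for kept in (2, 3):
        print(f"replica keeping {kept} versions still holds it:",
              within_retention(SNAPSHOTS, idx, kept))
```

With only two retained versions, both surviving copies are already encrypted, which is the closed recovery window the preceding paragraph warns about.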

Unfortunately, the sophistication of ransomware attacks is only likely to grow. Healthcare organizations should therefore take the view that an infection will take place, rather than might, and should be sure to implement sound mitigation steps to reduce the impact of such an attack.
