Ransomware: A Growing Threat to the Health Care Industry

A hospital employee sits at her desk working. Suddenly the screen goes blank and a message is displayed: “You’ve been hacked,” followed by instructions regarding how to pay a “ransom.” She checks, and all of her patient files are encrypted and cannot be read. Within minutes, this message appears on all the devices connected to the hospital’s network and locks all employees out of critical files necessary to treat patients or perform any administrative services. The hospital is essentially shut down. No patient records are accessible.

In July 2012, Surgeons of Lake County, a surgical practice in Illinois, revealed that it had been the victim of such an attack on the organization’s critical data files.1 Without these files, the physicians could not operate their business or perform patient surgeries. The files also contained the personal information of many patients, including detailed electronic health records (EHRs). They were among the early victims of ransomware in the health care community. In 2015, an estimated 1,000 ransomware attacks took place each day. The federal government reports that in the first nine months of 2016, there were approximately 4,000 daily occurrences of ransomware in the United States.2 Considering that a stunning 88 percent of all ransomware attacks were directed at the health care community between April and June of 2016 (the most recent period for which data existed at the time of writing), there is no more important industry to educate and protect.3

It is ultimately the board’s responsibility to ensure that their organization understands the risk and is prepared to not only prevent it, but respond if the worst-case scenario does occur.


Ransomware is malicious software that, once it runs on a computer (typically after a user opens a malicious attachment or link, or through an unpatched or exposed service), encrypts the files the computer and its users need, sometimes including those required for even basic use of the machine. It frequently spreads to other machines reachable on the same network and infects them as well. The ransom demand is usually presented by the malware itself, as an on-screen note with payment instructions; the demand is most often for Bitcoin, a digital currency that is created and held electronically. Bitcoin transactions are recorded publicly, but the addresses involved are not tied to a verified identity, which makes the recipient difficult (though not impossible) to trace, and because patient lives can be at risk, time is of the essence in restoring access.4

There are two primary types of ransomware:

Lockerware: This type locks users out of the computer itself, rendering it useless, and displays a full-screen message stating that the machine has been locked and explaining how to pay. It accounted for approximately 36 percent of all ransomware in 2015.5 From the attacker’s point of view, a drawback of this type is that the locked computer cannot function on even a basic level, so the victim cannot pay online from the infected machine and has to use another device.

Cryptoware: Unlike Lockerware, Cryptoware leaves the computer usable but encrypts the data so that users can no longer read it. It often displays a countdown timer that gives the victim only a limited time to pay, although negotiating for more time is sometimes possible.6 Because ransomware is a volume business, the attacker may be making enough money not to bother with extensions. Symantec reports that 64 percent of attacks in 2015 were of this type, and it is the technique favored by more sophisticated attackers because the ransom can be paid online from the infected computer itself.5

With either type of attack, employees lose access to patient records, causing significant disruption to patient care with the potential for adverse outcomes. As with any other emergency, hospitals must be prepared to transition to paper-based “offline” care without compromising the quality of care provided. According to PC Magazine, total lockout or file encryption happens very quickly, often within three minutes of initial infection.6


With thousands of ransomware attacks a day and new variants appearing constantly, ransomware is quickly becoming a major threat to the American health care system and the millions of patients it treats.5 From December 2015 to May 2016, the United States led the world with over 50 percent of total ransomware detections.7 The second closest country, Italy, accounted for only 13 percent of detections.7 Health care providers are 200 percent more likely to suffer data breaches than other industries.8 With medical data selling for at least 10 times the price of other data on Dark Web black markets, it is not surprising that these ransomware attacks continue with increasing frequency.9

Considering these statistics, it is somewhat surprising that 69 percent of Americans trust hospitals and health care organizations to keep their data safe, more than any other industry, including banks and government entities.9 At the same time, consumers are becoming more aware of the risk: according to the American Hospital Association’s 2017 Environmental Scan, 62 percent of consumers value device security over ease of use.20 The cost to hospitals is significant: the Ponemon Institute estimates that unplanned downtime costs health care organizations $7,900 for every minute that data is unavailable for use.10


Another significant cost is the potential damage to the reputation of the hospital or health system under attack. Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, a ransomware infection is a security incident. In its July 2016 guidance, the HHS Office for Civil Rights (OCR) explained that when ransomware encrypts electronic protected health information, that encryption is an “acquisition” of the data under HIPAA, so the incident is presumed to be a reportable breach under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act unless the organization can demonstrate a low probability that the information was compromised.11 A presumed breach requires notification of every affected individual and of HHS, and in some cases of the media.11 Notifying every person affected can be difficult, expensive and time consuming, and the underlying disruption can delay care for affected patients and families.


To best protect a network from ransomware, hospitals and health systems should deploy layered defenses (for example, e-mail filtering, endpoint protection and prompt patching) with all protective features enabled, while understanding that infections can still happen. It takes only one employee mistaking a phishing e-mail for a legitimate one to compromise a network. Popular phishing lures include messages that appear to contain résumés for consideration; these are often forwarded to human resources and opened by someone with administrative access.12

Fake billing, shipping and invoicing e-mails are also used to target employees.12 For this reason, and to prevent the unauthorized installation of programs, local administrative rights should be removed from every computer on which they are not essential. Note, however, that not all ransomware needs administrative rights: if it can run as the logged-in user, it can encrypt every file that user can write to, which is usually enough to do serious damage. Training staff to spot phishing attacks and suspicious e-mails is critical to the health of a network, because fake e-mails and websites often look very convincing or are tailored with details about the individual targeted.5
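The lures named above (résumés, invoices, shipping notices) share a pattern that a first-pass mail filter can catch before a human has to decide: a business-sounding subject paired with an attachment that can execute or carry macros, or a file name with a second, hidden extension such as "resume.pdf.exe". The following script, added here as an illustration and not part of the original article, uses only the Python standard library; the extension lists and lure words are assumptions about what a reasonable first-pass rule set looks like, and the messages it triages are constructed for the example.

```python
"""Triage an inbound e-mail for the attachment lures described in the text.

Added illustrative example (not from the original article). The extension
lists and lure words below are assumptions for a first-pass filter, not a
complete anti-phishing product; the sample messages are constructed here.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that run when double-clicked (assumed list).
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                  ".bat", ".cmd", ".ps1", ".lnk"}
# Office formats that can carry macros (assumed list).
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}
# Containers whose contents this script does not inspect.
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso"}
# Document-looking "first" extensions used to disguise executables.
DOC_EXT = {".pdf", ".doc", ".docx", ".txt", ".jpg"}
# Lure words drawn from the article: resumes, billing, shipping and invoicing.
LURE_WORDS = ("resume", "cv", "invoice", "billing", "shipment", "shipping", "payment")


def attachment_findings(filename: str) -> list[str]:
    """Return the reasons a single attachment name should be flagged."""
    name = filename.lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    findings = []
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable attachment: {filename}")
    if ext in MACRO_EXT:
        findings.append(f"macro-enabled document: {filename}")
    if ext in ARCHIVE_EXT:
        findings.append(f"archive attachment (contents not inspected): {filename}")
    # "resume.pdf.exe": a document extension followed by the real one.
    if len(parts) > 2 and "." + parts[-2] in DOC_EXT:
        findings.append(f"double extension: {filename}")
    return findings


def triage(raw_message: str) -> dict:
    """Parse a raw RFC 5322 message and return a verdict with its reasons."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    lure = any(w in subject.lower() for w in LURE_WORDS)
    reasons = []
    for part in msg.iter_attachments():
        reasons.extend(attachment_findings(part.get_filename() or ""))
    # A lure subject alone is ordinary business mail; the combination of a
    # lure subject and a risky attachment is the pattern worth holding.
    if lure and reasons:
        reasons.append(f"lure subject combined with risky attachment: {subject!r}")
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample(filename: str, payload: bytes) -> str:
    """Construct a sample 'resume' message for the example (fabricated data)."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.net"
    msg["To"] = "hr@hospital.example"
    msg["Subject"] = "Resume for nursing position"
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    print(triage(build_sample("resume.pdf.exe", b"MZ\x90\x00not-a-real-binary")))
    print(triage(build_sample("resume.pdf", b"%PDF-1.4 fake resume")))
```

The same parser applies unchanged to a real mailbox export: read each message, call `triage`, and route "quarantine" verdicts to a reviewer rather than to the HR inbox. It is deliberately conservative about archives, since a ZIP or ISO is the usual way to smuggle an executable past an extension check.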

The Ponemon Institute estimates that staff training yields a 50-fold return on investment by preventing future attacks.10 Within the health care industry, breaches caused by human error accounted for 40 percent of all breaches in 2016, up from 28 percent in 2015.13 Organizations should also hire a “white hat hacker” (a penetration tester) to actively look for vulnerabilities that can be fixed before an attacker exploits them.

Regular backups of all data on the network are highly recommended and are the most effective way to avoid paying a ransom. Backups not only prevent data loss but also allow systems to be restored without payment, which reduces the incentive for attackers to target the network again. Because ransomware also encrypts or deletes any backups it can reach, backup copies should be taken offline or otherwise disconnected from the network after each backup run, and restores should be tested regularly: a backup that has never been successfully restored cannot be relied on.
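What "working backups" means in practice is that every backup set carries a record of what was backed up and that a restore is actually exercised. The script below, added here as an illustration and not part of the original article, archives a directory, writes a SHA-256 manifest beside the archive, restores the archive into a scratch directory and checks every file against the manifest, and then uses the same manifest to list which files have changed since the last good backup, which is exactly the question a hospital asks after a cryptoware infection. All paths and the sample patient files are constructed in a temporary directory; moving the archive to offline media is an operational step the script cannot perform.

```python
"""Backup with a hash manifest, restore verification and damage listing.

Added illustrative example (not from the original article). Paths and sample
files are constructed in a temporary directory; taking the archive offline
afterwards is an operational step outside this script.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive src as a gzip tarball and write the manifest beside it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path) -> list[str]:
    """Restore into a scratch directory; return files that fail the manifest check."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses path traversal and device entries
                # in untrusted archives (Python 3.12+, backported to older 3.x).
                tar.extractall(scratch, filter="data")
            except TypeError:  # interpreter predates the filter argument
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch))
    return sorted(p for p, digest in manifest.items() if restored.get(p) != digest)


def changed_since_backup(src: Path, manifest: dict[str, str]) -> list[str]:
    """Files whose content no longer matches the last good backup."""
    current = build_manifest(src)
    return sorted(p for p, digest in manifest.items() if current.get(p) != digest)


def demo() -> dict:
    """Run one backup/verify/damage cycle on constructed data and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ehr"
        (src / "records").mkdir(parents=True)
        # Constructed sample records (not real patient data).
        (src / "records" / "patient-0001.txt").write_text("MRN 0001, allergy: penicillin\n")
        (src / "records" / "patient-0002.txt").write_text("MRN 0002, no known allergies\n")
        archive = Path(tmp) / "ehr-backup.tar.gz"
        manifest = create_backup(src, archive)
        restore_problems = verify_restore(archive)
        # Simulate cryptoware overwriting one record with ciphertext-like bytes.
        (src / "records" / "patient-0002.txt").write_bytes(os.urandom(64))
        damaged = changed_since_backup(src, manifest)
        return {"files_backed_up": len(manifest),
                "restore_problems": restore_problems,
                "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the manifest should be written to the backup media together with the archive and the restore test run from that media, not from the live server, so that the check also proves the offline copy is readable.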


Despite firewalls, well-trained employees and other security measures, breaches will continue. This is particularly true given the rapid growth of the “Internet of Things.” As the number of connected devices increases and electronic health records become more interconnected, there are more ways in for an attacker.

A recent report predicted that ransomware attacks against the health care industry will at least double by 2018.17 In 2015, theft of health care records was up 1,100 percent over the previous year; one in every three people had their records breached that year.18 The FBI estimates that ransomware cost the American economy $1 billion in 2016.19

It is clear that ransomware is not going away. In addition to help from law enforcement, the health care industry must stay alert to new threats through sophisticated network security, comprehensive employee training and very regular, tested backups.

Content for this article was contributed by Bob Gregg, CEO, ID Experts, www2.idexpertscorp.com.


Hospital and health system boards can proactively prevent cybercrime and prepare for potential breaches by taking the following steps:

  • Provide the resources necessary to ensure the proper security systems are in place on the network
  • Train staff to watch for phishing attacks, suspicious emails and other potential signs of a real or attempted hack
  • Consider hiring an expert to hack your network and look for vulnerabilities
  • Ensure a regular back-up system is in place with the appropriate safety protocols
  • Make sure staff are appropriately trained to provide care “offline” if necessary
  • Ensure the appropriate leaders and IT experts within the organization have reviewed the National Cyber Incident Response Plan, a recent report from the U.S. Computer Emergency Readiness Team, Department of Homeland Security. The plan provides for a national response to cyber incidents, including those that threaten public health and safety. More information and a copy of the plan are available at www.us-cert.gov.

Sources and More Information

  1. Shaw, Gienna. EHR Hackers Encrypt Files, Demand Ransom. Fierce Healthcare. August 13, 2012.
  2. How to Protect Your Networks from Ransomware. United States Government Interagency Guidance Document. www.justice.gov/criminal-ccips/file/872771/download.
  3. Green, Max. Hospitals Are Hit with 88% of All Ransomware Attacks. Becker’s Health IT & CIO Review. July 27, 2016.
  4. Marinos, Kokkinos. Are Bitcoin Transactions Traceable? Cointelegraph. https://cointelegraph.com.
  5. Internet Security Threat Report. Symantec. Volume 21, April 2016.
  6. Heater, Brian. The Growing Threat of Ransomware. PC Magazine. April 13, 2016.
  7. Malware Protection Center: Ransomware. Microsoft. www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx.
  8. Gonzalez, Zuly. Why Ransomware Gangs Love the Healthcare Industry. Light Point Security. August 2, 2016.
  9. Cerulus, Laurens. Hackers Hold the Health Care Sector Ransom. Politico. November 29, 2016.
  10. Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. Ponemon Institute, LLC. Sponsored by ID Experts. May 2016.
  11. Landi, Heather. HHS OCR Issues Guidance on Ransomware Attacks and HIPAA Breaches. Healthcare Informatics. July 12, 2016.
  12. Korolov, Maria. 93% of Phishing Emails are Now Ransomware. CSO. June 1, 2016. CSOonline.com.
  13. Ransomware Attacks are Soaring, Says Beazley in Data Breach Report. Insurance Journal. October 26, 2016.
  14. Mathews, Lee. Ransomware Creators Feel Bad, Release Master Key So Victims Can Decrypt. Geek.com. May 19, 2016.
  15. Davis, Jessica. Ransomware: See the 14 Hospitals Attacked So Far in 2016. Healthcare IT News. October 5, 2016.
  16. 2015 Travelers Business Risk Index. Travelers. May 2015. www.travelers.com.
  17. Leventhal, Rajiv. Experian: Healthcare Orgs Will Continue to be Heavily Targeted by Hackers in 2017. Healthcare Informatics. November 30, 2016.
  18. Ash, Michael. Ransomware and Health Care: There’s More at Risk Than Just Money. Security Intelligence. August 8, 2016.
  19. Palmer, Danny. The Cost of Ransomware Attacks: $1 Billion This Year. ZDNet. September 8, 2016. www.zdnet.com.
  20. AHA 2017 Environmental Scan. American Hospital Association. www.aha.org.