Hospitals and health systems: Cybersecurity, ransomware and how to prepare

Sep 16, 2021

The healthcare industry has increasingly become a target for cyberattacks, hackers and ransomware. The average hospital data breach costs $7.13 million and it takes longer to recover.

There are two reasons why healthcare attracts so many cybercriminals:

  1. The vast array of personal data: Hospitals and healthcare facilities store a lot of personally identifiable information on patients. Criminals can use this data in a variety of financially motivated crimes, like stealing a person’s credit, or for medical identity theft to gain access to prescription drugs.
  2. Softer targets: Historically, hospitals, clinics and other healthcare facilities have lagged behind other industries in cybersecurity. They don’t have robust budgets or staff and usually operate within tight margins. There are also many nonprofits in the sector, which likewise do not have the budgets seen within better-funded organizations.

Some of these challenges will not have easy fixes, but there is one clear thing everyone can do to greatly reduce their risk: Teach your teams how to avoid inviting bad actors into your information systems by identifying different types of threats.

Ransomware threats are rising

There are different kinds of attacks leadership should keep in mind. For example, insider threats can occur when workers in the building feed information to outsiders. But these days, ransomware is becoming more common and getting the most attention.

Ransomware is a pretty simple concept. It is a malicious program that searches for files and encrypts them with an encryption key only the attacker has. Once the files are encrypted, only the attacker can access them. For the hospital to regain access, it must pay the attacker a ransom for the encryption key. Once the key is received, the hospital can decrypt the files.

Ransomware attacks differ in the threat vector they exploit.

A common method involves social engineering attacks. The attacker targets a hospital’s employees with emails or text messages that appear to come from legitimate senders. If these are convincing enough, a user could click on a malicious link or divulge their user ID and password. If the exploitation is successful, the attacker can then encrypt files or target other systems. At this point, the attacker can also increase their privileges and reach deeper within the environment to extend the ransomware.

Another threat vector is system vulnerabilities, which can enable an attacker to gain privileged access. If an attacker can exploit a vulnerability to do this, it usually gives them broad access to other systems and data.

Once the attacker gains control within the system and encrypts the files, they will demand a ransom. Facilities are faced with a decision: pay and hope to get the encryption key in return, or don’t pay and be locked out of their files.

How to react if you experience a ransomware incident

If you get hit with a ransomware attack, do you know what to do?

First, hospitals and healthcare systems should avoid paying the ransom, if at all possible. It will come down to a business decision by leadership, and depending on circumstances, you may have no choice but to pay. But just because you pay does not mean the attackers will provide the keys. Also beware that trying to negotiate down the ransom price could backfire.

If your systems are backed up, begin investigating whether data is intact and whether files are retrievable. If backups are corrupted or otherwise infected, or the recovery time is too long, an organization may choose to pay the ransom.

If you are hit with a ransomware attack, here are some immediate questions to ask:

  • Who needs to be part of a response team (not just IT)?
  • Is it possible to identify where the attack started?
  • Who outside of the organization can help respond and recover?
  • Do you have cyber insurance?
  • Is it possible to isolate the attack?
  • How do you recover? Are there backups in place?
  • When and how will you alert patients/customers about the attack?
  • Do you have to contact regulators?
  • Do you pay the ransom? What are your criteria for making the decision?

How to develop the right plan for your organization

If a ransomware attack hits, you can prevent downtime and avoid interruption of service if you plan accordingly. Let’s look at steps you should take right now:

  • Back up your systems.
  • Test your backups.
  • Isolate your backups from the rest of your environment and make sure they require separate credentials.
  • Train your end users regularly against social engineering attacks, especially since these have become harder to recognize.
  • Train your response team (internal and external) on how to react if a ransomware attack occurs.
  • Form an incident response team to execute your plan:
    • IT (internal and external)
    • Security
    • Communications
    • Legal
    • Other leaders
  • Regularly test your systems for vulnerabilities, and fix what you find.
  • Have a robust patching and software update process.
  • Isolate your systems to reduce your exposure. Think not only about separate network segments, but also unique user ID/password credentials to manage them.
  • Sandbox critical systems and set up critical alerts to notify teams if unexpected traffic is detected.
  • Lock down risky protocols like RDP and SMB.
  • Perform a risk assessment to identify high-risk areas frequented by staffers, vendors and anyone else with access to your systems.
  • Deploy malware detection and prevention systems and network intrusion prevention systems.

How Wipfli can help

Wipfli can support your hospital or health system by advising on best practices to follow to guard against cyberattacks. Our experts can develop a plan specifically for your IT systems to prevent attacks with the aim of keeping you online and fully operational.

Contact us to schedule a consultation. During our talks, we will examine your concerns, and you can hear about solutions Wipfli can deliver for your group.

Author(s)

Paul J. Johnson, CISSP, CCSFP, CPA
Partner