Skip to content

The Incoming Threat: Why Healthcare Organizations Must Defend Against Ransomware

The Incoming Threat: Why Healthcare Organizations Must Defend Against Ransomware


Healthcare providers — it’s time to take ransomware seriously.

  • Daily attacks are increasing. They increased 50% year-over-year in the third quarter of 2020.
  • Ransoms are rising. They rose from $5,000 in 2018 to $200,000 in 2020.
  • More providers are paying. Payouts more than doubled in 2020.

Worst of all — patient care is being disrupted. 

In 2020, the first patient died due to a ransomware attack. The patient was in urgent care. A ransomware attack shut down their healthcare provider. The patient had to be transferred. The closest hospital was 20 miles away. The patient died in transit.  

Ransomware is a real threat to providers and patients, and it is growing more severe.

This article is Part 1 of a three-part series on ransomware for healthcare providers.

In this article, we will explore:

  • Why criminals target healthcare providers with ransomware.
  • Why the current approach to combating ransomware does not work.
  • The first steps healthcare providers must take to better defend themselves.

Let’s begin.

Easy dollars: Why criminals target healthcare providers

First things first.

It is tempting to blame the rise of healthcare ransomware attacks on COVID-19 and believe this threat will subside when the pandemic eventually fades away. 

There is some truth to this perspective.

Criminals did increase their ransomware attacks against healthcare providers when the pandemic struck and overwhelmed the medical system. And these attacks may die down a bit when the pandemic subsides, and providers are less overwhelmed.

But the ransomware threat will not go away. And it did not begin with COVID-19.

Hospitals were already a primary — and growing — target for ransomware attacks before the pandemic. Attacks against providers already rose 350 percent in the fourth quarter of 2019 alone.

Ultimately, criminals target healthcare providers for deeper reasons than the pandemic.

Providers have fundamental vulnerabilities that make them easy targets for ransomware attacks, and the pandemic only made these vulnerabilities worse.

Most healthcare providers are fundamentally vulnerable to ransomware because they:

  • Focus on patient care, not on cybersecurity. Most healthcare leaders are former clinicians and do not make cybersecurity a top priority.
  • Use outdated, compliance-driven security. Most providers build security to meet requirements that have not yet evolved to address ransomware.
  • Have poor visibility and IT hygiene. Most providers do not know what assets are in their environment and leave many of those assets with known exploits.
  • Are willing to pay. Because providers cannot compromise patient care or evict attackers, they often just pay ransoms quickly to restore their operations.

These fundamental vulnerabilities existed before COVID-19 and will remain after COVID-19.

In sum: Healthcare providers cannot wait out the pandemic and hope the current wave of ransomware attacks will eventually end. They must take a proactive approach to ransomware and develop defenses before they are struck.

Unfortunately, very few healthcare providers take this approach.

Too little, too late: Why current responses to ransomware fail

To date, many healthcare providers have taken a reactive approach to ransomware.

They have attempted to upgrade their defenses in only one of two scenarios.


  • They heard a wave of ransomware attacks were imminent. They received a warning from researchers that attacks were coming and scrambled to respond.


  • They already suffered a ransomware attack. They were forced to pay and then decided to build the defenses they needed after the incident.

In both scenarios, healthcare providers took the wrong approach.  

Ransomware moves very fast, and it’s impossible to build defenses reactively.

Anecdotally, we have seen ransomware compromise a provider in less than one hour.

In one instance, we saw a criminal exploit a single unmanaged piece of biomedical equipment. The criminal then moved laterally and infected more than 8,000 other endpoints with ransomware — all in approximately 45 minutes.

This is a typical ransomware attack.

This is what you must build defenses against.

And this is why you must already have those defenses in place before criminals strike.

Here’s how you can begin to do just that.

First steps: Begin to build your defense against ransomware

To defend against ransomware before an attack strikes, healthcare providers must:

  1. Make ransomware a priority. Ransomware has become a critical factor in patient care. It must be addressed to maintain core operations.
  2. Extend security beyond compliance. Criminals evolve faster than regulations. Providers must not rely on regulations to protect them.
  3. Establish complete visibility and IT hygiene. Doing so reduces the chance of a breach and makes it possible to detect attacks and remediate them.
  4. Develop a strong negotiating position. Providers must feel confident they can evict criminals and resolve attacks quickly — without having to pay. 

Consider these the bare minimum steps providers must take to defend themselves.

In Part 2 of this series, we will outline a practical framework that explains what capabilities providers must develop to defend themselves against ransomware.

If you require immediate, guided assistance developing your defenses against ransomware, reach out today and schedule a free consultation and gap analysis.

Tanium Staff

Tanium’s village of experts co-writes as Tanium Staff, sharing their lens on security, IT operations, and other relevant topics across the business and cybersphere.

Tanium Subscription Center

Get Tanium digests straight to your inbox, including the latest thought leadership, industry news and best practices for IT security and operations.