Ransomware Protection
A Guide to Ransomware for Hospitals and Healthcare Providers

Introduction: What is Ransomware

Ransomware is malicious software that encrypts or removes access to computer files until a ransom payment is made.

In an incredibly short amount of time ransomware has grown from a fringe cyber attack to a widespread epidemic. Researchers at Symantec saw an average of over 4,000 ransomware attacks per day in Q1 2016 – a staggering 300% increase over the attacks they saw in 2015 [1]. An estimated $325 million in ransom payments has been generated by just one type of ransomware alone, CryptoWall 3.0 [2], and with the success of several high-profile attacks on hospitals, criminals are increasingly targeting healthcare providers.

A Hospital Held Hostage:

Healthcare providers are 4.5X more likely to be hit by CryptoWall than companies in other industries [3].

And when attacks do happen, the damage can be devastating. The loss of access to patient records alone can result in critical services being suspended and communication grinding to a halt. There have even been cases where entire hospitals have been crippled for days. We'll take a closer look at one of these attacks later on in Section 1.

To help you improve your protection from this rapidly growing threat we'll walk you through what a ransomware attack looks like and what you should do if you've been hit. We'll also share preventative tips to help you avoid ransomware in the first place, but first, let's look at the rise of healthcare ransomware in more detail.

  1. Ransomware Attacks Quadrupled in Q1 2016 (FedScoop)
  2. Lucrative Ransomware Attacks: Analysis of the CyptoWall Version 3 Threat (CyberThreat Alliance)
  3. 2015 Industry Drill-Down Report: Healthcare (Raytheon|Websense)


How Ransomware Can Affect Your Organization

Timeline of ransomware attacks on healthcare, 2016

Ransomware has been around since 1989, but has ramped up in recent years due to its widespread success. Attackers are continuously developing different types of ransomware families and variants that help them avoid detection by staying one step ahead of traditional security software.

362,000 new crypto-ransomware variants were spotted in 2015. That's an average of nearly 1,000 new variants every day [4].

So ransomware is a growing problem, but just how often have healthcare providers been attacked?


A look into ransomware's biggest and baddest attack

Hollywood Presbyterian Medical Center, a hospital in Southern California, was hit with ransomware in February of 2016. The attack quickly picked up national news coverage due to the head-turning size of the ransom demand, originally misreported as $3.6 million. While the real amount ended up being $17,000, it is still one of the largest ransoms ever paid as a result of a ransomware attack.

A Hospital Held Hostage:

The attack on Hollywood Presbyterian Medical Center shows the full extent of disruption ransomware can cause.


Downtime is the real problem for healthcare providers hit by ransomware

To calculate the true cost of ransomware you have to take into account that the cost of downtime can far outweigh the cost of the ransom itself. Hollywood Presbyterian Hospital experienced over a week of downtime and disruption to services that were critical for keeping the hospital up and running.

Estimating the cost of ransomware's impact on healthcare providers

Unplanned downtime at a healthcare organization costs an average of $7,900 a minute per incident [5]. According to a report from The AC Group, physicians take twice as long to perform administrative tasks manually when their EHR system is down.

With their network of computers down, Hollywood Presbyterian was unable to perform numerous services. The hospital suffered estimated losses of over $100,000 per day from disruption to CT scans alone [6].

With attackers viewing healthcare providers as reliable targets, it has become increasingly important to understand how ransomware works, how it can be responded to, and how it can be avoided in the first place.

Sources:
  4. 2016 Internet Security Threat Report (Symantec)
  5. 2013 Cost of Data Center Outages (Ponemon Institute)
  6. Next Wave of Ransomware Could Demand $Millions (VentureBeat)

Anatomy of a Ransomware Attack & What to Do if You Get Hit

Ransomware is different from other viruses: alerting users to its presence is part of its routine. Once on a machine, it relies on speed more than stealth. As we break down the infection process below, keep in mind it can often be completed in a matter of minutes or even seconds.

85% of IT pros have been or expect to be hit with ransomware [7].

93% of phishing emails are now delivering ransomware [8].

Anatomy of a ransomware attack

The process of being infected with ransomware:

Infection

The infection typically happens in one of two ways: by clicking on a link or attachment in an email, or via an exploit kit served by a compromised website. Ransomware authors will often use encryption and other obfuscation techniques to help their programs slip past antivirus undetected.

Searching and Spreading

Once on a machine, ransomware searches the system for files to encrypt. Some ransomware families target specific file types (for example, .docx, .xlsx, etc.). Some can also spread to mapped network drives, which puts other computers and systems connected to "patient zero" at risk.

Encryption

In many cases, encryption can occur in minutes or even seconds. Our malware researchers clocked the ransomware Chimera at just 18 seconds [9]. Files are rendered inaccessible and typically renamed with a new file extension that can sometimes signal which type of ransomware you're dealing with.

Ransom Message Displayed

Unlike a lot of other viruses and malware that attempt to live quietly on your system while collecting information, ransomware announces its presence loud and clear. Once encryption is complete, a ransom note or lock screen is displayed informing the user they have a set amount of time to pay the ransom (typically in Bitcoin) in exchange for a decryption key. After that deadline the ransom goes up or the files are destroyed.

The Countdown Begins

So what do you do now?

Will antivirus stop ransomware?

Not necessarily. Traditional antivirus relies on signature-based detection, which only spots ransomware that has been seen before and documented. With nearly 1,000 new ransomware variants created every day, it is incredibly difficult for antivirus to keep up. Newer endpoint security solutions detect previously unseen ransomware by looking at its behavior instead.
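The searching, spreading and encryption stages described above, and the behavior-based detection this paragraph refers to, can be made concrete with a small detector. The Python script below is an added example written for this guide; it is not Barkly's product code or any vendor's detection logic. It reads constructed endpoint file-activity events (the pipe-delimited log format, the process name invoice_viewer.exe, the list of "known" extensions and the thresholds are all assumptions), flags a process that renames many files to an unrecognised extension within a few seconds, and reports whether that process also touched network shares, which is the "spreading" risk the guide warns about.

```python
"""Behaviour-based detection of an encryption burst in endpoint file activity.

Added example, not Barkly's product logic: the log format, process names,
extension list and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Extensions the user's normal applications are expected to write (assumption).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "tmp", "bak"}

# Constructed sample telemetry: timestamp|process|user|operation|path|new_path
# (new_path is empty for writes). "invoice_viewer.exe" is a made-up process name.
SAMPLE_LOG = """\
2016-02-05T09:14:01|winword.exe|jsmith|write|C:\\Users\\jsmith\\Documents\\notes.docx|
2016-02-05T09:14:30|explorer.exe|jsmith|rename|C:\\Users\\jsmith\\Downloads\\report.tmp|C:\\Users\\jsmith\\Downloads\\report.pdf
2016-02-05T09:20:10|invoice_viewer.exe|jsmith|rename|C:\\Users\\jsmith\\Documents\\notes.docx|C:\\Users\\jsmith\\Documents\\notes.docx.crypt
2016-02-05T09:20:11|invoice_viewer.exe|jsmith|rename|C:\\Users\\jsmith\\Documents\\budget.xlsx|C:\\Users\\jsmith\\Documents\\budget.xlsx.crypt
2016-02-05T09:20:11|invoice_viewer.exe|jsmith|rename|C:\\Users\\jsmith\\Pictures\\xray.jpg|C:\\Users\\jsmith\\Pictures\\xray.jpg.crypt
2016-02-05T09:20:12|invoice_viewer.exe|jsmith|rename|\\\\fileserver\\patients\\intake.docx|\\\\fileserver\\patients\\intake.docx.crypt
2016-02-05T09:20:13|invoice_viewer.exe|jsmith|rename|\\\\fileserver\\patients\\labs.pdf|\\\\fileserver\\patients\\labs.pdf.crypt
2016-02-05T09:20:14|invoice_viewer.exe|jsmith|write|C:\\Users\\jsmith\\Documents\\HOW_TO_RECOVER.txt|
2016-02-05T09:20:14|invoice_viewer.exe|jsmith|rename|C:\\Users\\jsmith\\Desktop\\schedule.xlsx|C:\\Users\\jsmith\\Desktop\\schedule.xlsx.crypt
"""


def parse_events(log_text):
    """Parse pipe-delimited lines into event dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, process, user, op, path, new_path = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "process": process,
                       "user": user, "op": op, "path": path, "new_path": new_path})
    return events


def extension(path):
    """Lower-cased extension of the last path component ('' if it has none),
    so 'notes.docx.crypt' yields 'crypt' and a dotted directory name is ignored."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def share_root(path):
    r"""'\\server\share' for a UNC path, None for a local path."""
    if not path.startswith("\\\\"):
        return None
    parts = path[2:].split("\\")
    return "\\\\" + "\\".join(parts[:2]) if len(parts) >= 2 else None


def detect_encryption_bursts(log_text, window_seconds=10, threshold=5):
    """Flag any process that renames at least `threshold` files to an unknown
    extension within `window_seconds`. Returns one summary per flagged process,
    including which network shares it touched (the 'spreading' risk)."""
    suspicious = defaultdict(list)   # process -> renames to unknown extensions
    flagged = set()
    for ev in parse_events(log_text):
        if ev["op"] != "rename" or extension(ev["new_path"]) in KNOWN_EXTENSIONS:
            continue
        history = suspicious[ev["process"]]
        history.append(ev)
        in_window = [e for e in history
                     if (ev["ts"] - e["ts"]).total_seconds() <= window_seconds]
        if len(in_window) >= threshold:
            flagged.add(ev["process"])
    alerts = []
    for process in sorted(flagged):
        evs = suspicious[process]
        alerts.append({
            "process": process,
            "user": evs[0]["user"],
            "first_seen": evs[0]["ts"].isoformat(),
            "count": len(evs),
            "new_extensions": sorted({extension(e["new_path"]) for e in evs}),
            "network_shares": sorted({share_root(e["new_path"]) for e in evs} - {None}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_LOG):
        print(alert)
```

A signature-based scanner would need a sample of this particular variant before it could fire; the rename burst is visible whichever family produced it, and the network-share field tells responders which shares to take offline first. In practice the window and threshold would be tuned against normal activity for each endpoint role, because a legitimate bulk rename or archiving job can trip a naive version of this rule.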

During the ransomware attack on the New Jersey Spine Center, electronic health records and backup files were encrypted and the phone system was unusable. Their antivirus detected the ransomware, but only after the ransomware was already installed on their system.

What to do if you get hit

Unfortunately, unless you've taken preventative measures and invested in an effective backup strategy that allows you to recover your data, your options are going to be extremely limited. You may have to decide whether you can live without the data or whether you need to pay. Regardless of what you choose, in the immediate aftermath of an attack you will also need to be prepared to act quickly to contain, assess, and prevent further infection. Here are five important steps to take as soon as you've been notified of a ransomware attack:

  1. Disconnect the computer from the network
  2. Disable shared drives
  3. Talk to patient zero
  4. Alert the rest of your users
  5. Update and run your security software

Once you've assessed the situation and taken initial steps to avoid additional infection you'll have to ask yourself a series of questions to determine what to do next.

Can you restore encrypted data from backup?

  • Did you have backups for all the machines affected?
  • How often were backups running? Every day? Every hour? Every week?
  • Have you tested recovering from backup to see how long it takes and make sure it reliably works?
  • Did you take measures to ensure your backups were separated from local machines to reduce the risk of them getting encrypted as well?

By asking yourself these questions now and making preparations accordingly, you can make sure restoring from backup is actually a viable option when you need it most. For example, Marin Medical Practice Concepts paid the ransom but still lost two weeks' worth of backup data due to a faulty backup [11].

If restoring isn't an option, should you pay the ransom?

  • Had you conducted any kind of assessment to determine the value of your data prior to the attack?
  • Can you calculate the value of the data that was encrypted/lost so you can weigh that against the ransom demand amount?
  • Can you quickly calculate the cost of any downtime associated with the attack?

By running through a mock scenario and answering these questions ahead of time, you'll be much more prepared to make the tough call of whether to pay or not.

That said, it is important to note the FBI’s most current recommendation is to not pay the ransom. FBI Cyber Division Assistant Director, James Trainor, has a few notes when it comes to the consequences of paying a ransom:

  • It offers an incentive for other criminals to get involved in this type of illegal activity.
  • An organization might inadvertently be funding other illicit activity associated with criminals.
  • It doesn't guarantee that an organization will get its data back.

Case in point

In May 2016, Kansas Heart Hospital paid an initial ransom only to have cybercriminals refuse to unlock all the data and demand more money instead [12].

What about regulations and HIPAA compliance?

On June 12, 2016, the HHS Office for Civil Rights (OCR) released a fact sheet on Ransomware & HIPAA. It stated that “The presence of ransomware (or any malware) on a covered entity's or business associate's computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” [13]

Now that we've gone over effective ransomware triage, let's look at six areas to focus on to better prepare yourself for a ransomware attack and, better yet, avoid one in the first place.

  7. Surviving Ransomware: Lessons from IT Pros Who Didn't Pay (Barkly)
  8. PhishMe
  9. How Fast Does Ransomware Encrypt Files? Faster Than You Think (Barkly)
  10. Surviving Ransomware: Lessons from IT Pros Who Didn't Pay (Barkly)
  11. Two providers forced to pay up in ransomware attacks (HealthcareITNews)
  12. Ransomware attackers collect ransom from Kansas hospital, don’t unlock all the data, then demand more money (Healthcare Info Security)
  13. Hacker Attacks in Healthcare: What's Changed in 2016 So Far? (Healthcare Info Security)

6 Things to Do Now to Protect Your Company from Ransomware

“Ransomware has compromised many healthcare organizations by preventing access to encrypted patient information, directly impacting the business and patient safety. Backup and restore is critical, but far short of a panacea since restoring risks losing recent updates, which also compromises patient safety. Preventing ransomware is infinitely better than having to recover from it. Backup and restore is just one of several safeguards in a holistic, multi-layered approach needed to effectively mitigate risk of ransomware.”

David Houlding, Healthcare Privacy and Security Lead at Intel Corporation

An ounce of prevention is worth a pound of cure

6 out of 10 victim organizations said they made changes to their security strategy after a ransomware attack.

63% added security technology that blocks malware and restricts access.

47% added security awareness training.

8% improved their backup strategy [14].

Security Software

You likely already have antivirus protection. It's been an important part of protecting against known viruses and malware for years. But as we covered in Section 2, antivirus alone can’t be expected to keep up with the 1,000 new types of ransomware that show up every day. Effective security comes in layers, and to stop modern and zero-day attacks that haven't been seen before, you need to consider additional endpoint security software. To learn more about your options, see our IT Pro's Guide to Endpoint Protection.

Patch Management/Updates

In their report titled The Current State of Healthcare Endpoint Security [15], Duo Security looked at their healthcare customers and compared them to the rest of their users. What they found was healthcare providers are much more likely to be running outdated software and using applications with known vulnerabilities than organizations in other industries.

To reduce your risk of attack, consider automating your updating process by adding a patch management solution as part of your security stack.

Healthcare endpoints are...

2x more likely to have Flash installed than the industry average

3x more likely to have Java installed

Nearly 4x more likely to use outdated versions of Internet Explorer

Security Awareness Training

The HIPAA Privacy and Security rules require covered entities to train all workforce members on privacy and security policies and procedures. There are a variety of resources that can help you fulfill this requirement.

You can find a list of security awareness compliance requirements at

For an example of what security awareness training looks like, see this course outline from the Department of Health and Human Services.

Backup

It's a good idea for you to talk to your IT Manager or MSP about your current backup solution, or reevaluate it yourself by reviewing the following:

  1. Your recovery point objective (RPO): how much data, measured in time, you can afford to lose, which is determined by how often your backups are created.
  2. Your recovery time objective (RTO): how long it takes to restore from backup and get your systems up and running again.
  3. Where your backups are stored: remember, local backups and backups accessible via network shares are at risk of being encrypted, too.
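The three review items above, together with the "Can you restore encrypted data from backup?" questions in the triage section, can be worked through as a small calculation. The Python script below is an added example written for this guide, not tooling from Barkly or any backup vendor: it takes a constructed backup inventory and an incident time, discards copies that sat on the local disk or on a network share (the risk item 3 warns about), prefers a restore point whose recovery has actually been rehearsed, and reports the resulting data-loss window against the RPO target and the rehearsed restore time against the RTO target. The backup ids, timestamps, the local/share/offline categories and the target values are all assumptions.

```python
"""Evaluate whether a backup set can actually be used after a ransomware
incident. Added example, not Barkly's or any vendor's tooling; the backup
inventory, timestamps and targets below are constructed for illustration."""
from datetime import datetime

# Constructed inventory for one file server. "location" uses three categories:
#   local   - on the same machine (reachable by ransomware running there)
#   share   - on a mapped/network share (reachable, as the checklist warns)
#   offline - disconnected media or an offsite copy the host cannot write to
# "restore_tested_minutes" is None when a restore has never been rehearsed.
BACKUPS = [
    {"id": "hourly-0205-08", "taken_at": "2016-02-05T08:00:00", "location": "local",   "restore_tested_minutes": 20},
    {"id": "nightly-0204",   "taken_at": "2016-02-04T23:00:00", "location": "share",   "restore_tested_minutes": 90},
    {"id": "nightly-0203",   "taken_at": "2016-02-03T23:00:00", "location": "offline", "restore_tested_minutes": 240},
    {"id": "weekly-0131",    "taken_at": "2016-01-31T23:00:00", "location": "offline", "restore_tested_minutes": None},
]
AT_RISK_LOCATIONS = {"local", "share"}


def _as_dt(value):
    """Accept either an ISO-8601 string or a datetime."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _taken(backup):
    return _as_dt(backup["taken_at"])


def usable_restore_points(backups, incident_at):
    """Backups taken before the incident that ransomware on the host could not
    have encrypted, newest first."""
    incident_at = _as_dt(incident_at)
    safe = [b for b in backups
            if b["location"] not in AT_RISK_LOCATIONS and _taken(b) < incident_at]
    return sorted(safe, key=_taken, reverse=True)


def plan_restore(backups, incident_at, rpo_hours, rto_hours):
    """Pick the restore point to use and measure it against the RPO and RTO
    targets. A rehearsed (tested) restore is preferred over a newer untested one."""
    incident_at = _as_dt(incident_at)
    at_risk = sorted(b["id"] for b in backups if b["location"] in AT_RISK_LOCATIONS)
    candidates = usable_restore_points(backups, incident_at)
    tested = [b for b in candidates if b["restore_tested_minutes"] is not None]
    chosen = (tested or candidates or [None])[0]
    if chosen is None:
        return {"restorable": False, "at_risk_copies": at_risk}
    data_loss_hours = round((incident_at - _taken(chosen)).total_seconds() / 3600, 2)
    restore_hours = (None if chosen["restore_tested_minutes"] is None
                     else round(chosen["restore_tested_minutes"] / 60, 2))
    return {
        "restorable": True,
        "backup": chosen["id"],
        "data_loss_hours": data_loss_hours,
        "meets_rpo": data_loss_hours <= rpo_hours,
        "restore_hours": restore_hours,
        # An untested restore cannot be said to meet any RTO.
        "meets_rto": restore_hours is not None and restore_hours <= rto_hours,
        "at_risk_copies": at_risk,
    }


if __name__ == "__main__":
    print(plan_restore(BACKUPS, "2016-02-05T09:20:00", rpo_hours=24, rto_hours=8))
```

With the constructed inventory, the hourly copy that would have met a 24-hour RPO is discarded because it lived on the infected host, the nightly copy on the share is discarded for the same reason, and the newest safe and rehearsed copy leaves a data-loss window of about 34 hours, so the RPO is missed even though the RTO is met. That is exactly the gap the questions above are meant to surface before an incident rather than during one.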

Identity & Access Management

Another key protection is practicing the principle of least privilege – ensuring that user access and privileges are limited to the bare minimum they absolutely need. Identity and access management solutions enable you to manage permissions and see what users are accessing at all times.

Where this can get difficult is if you have fixed computer terminals in your waiting rooms, examination rooms, or operating rooms. People may not always sign out. This practice leaves you vulnerable. If you were to suffer a ransomware or other type of malware-based attack, it’s important to know who was accessing the data in order to see the potential reach of the problem.

Disaster Recovery Plan

You may already have a disaster recovery plan in place to comply with HIPAA Regulations, but does it include how to respond when there's a ransomware attack?

As a healthcare provider, you need to be prepared to deal with any potential disruption to patient treatment and services as quickly and effectively as possible. That means having a detailed and practiced plan in place.

  14. Surviving Ransomware: Lessons from IT Pros Who Didn't Pay (Barkly)
  15. The Current State of Healthcare Endpoint Security (Duo Security)

Conclusion: Take Practical Steps to Protect Your Organization

Ransomware isn't just a problem that's happening somewhere else to someone else – it's an immediate and growing problem affecting the healthcare industry. Recent attacks show disruption caused by ransomware can be widespread and crippling. The good news is, there are concrete things you can do to protect your organization. By updating your endpoint security and investing in training and preventative measures like patch management, you'll have a good foundation for avoiding attacks in the first place.

In providing you with more information about ransomware and how it works, we hope you’ve picked up a few actionable tips and takeaways you can put into practice.


Appendix: Additional Tools & Resources

If you've been hit with ransomware...

Contact your local FBI field office here: and report the incident to the Bureau's Internet Crime Complaint Center:

Check to see if there is a decryption tool available you can use to recover your encrypted files here:

If you're looking for security training tips for employees...

The US Department of Health and Human Services provides a variety of pdfs on information systems security awareness and privacy awareness training here:

You can also find expert training advice in our eBook, The Realist's Guide to Cybersecurity Awareness:

If you want a comprehensive view on privacy & security in healthcare...

Another good resource for healthcare providers is the website run by the Office of the National Coordinator for Health Information Technology, which offers a variety of tools including a security risk assessment tool and privacy and security training games:
