Ransomware in healthcare: Time for CISOs to build resilience and response

Will Poole, Head of Incident Response at CYFOR Secure, tells us about the escalating ransomware threat to the UK’s healthcare sector and the vital importance of building resilience and enhancing incident response to combat these cyberattacks.

The UK’s healthcare sector has been under tremendous strain since the pandemic. As hospitals struggle to clear patient backlogs that built up during COVID and cope with broader demographic changes, they must battle another persistent challenge. Ransomware has been on the radar of healthcare organisations (HCOs) since WannaCry caused widespread chaos in 2017. But it continues to imperil patient health and HCOs’ finances. The latest victim was the esteemed King Edward VII’s Hospital in Harley Street.

Ransomware actors continue to act with impunity from distant jurisdictions where they remain unpunished. So, what can healthcare CISOs do to respond? Building resilience and enhancing incident response will be key.

Why is healthcare so exposed?

No two HCOs are the same – even within the NHS. But organisations operating within the sector do often share some key traits which make them a more attractive target for ransomware. The first is the size and makeup of the typical attack surface. There are 1.5 million devices in the NHS alone. These range from home working laptops to legacy operational technology (OT) and modern IoT endpoints. They must all be patched, protected with secure authentication and properly managed. But it takes just one exposed endpoint and an untrained user to give an attacker the advantage.

OT equipment in particular is at risk as it often has a long lifespan and may therefore not support modern software and operating systems, making software updates a challenge. Over 1,200 pieces of diagnostic equipment were infected with WannaCry, according to a Lessons Learned review of NHS England.

That brings us to the second challenge: employees. As with organisations operating in any sector, people are often the biggest security weakness. That’s especially true of home workers, who may be more distracted or just more inclined to disobey security policy when away from the office. Yet when it comes to clinical environments, the pressure of the job combined with an increasing workload could also lead to human error.  

It is errors like these that cybercriminals are hoping to precipitate when they send phishing emails to harvest credentials or covertly install malware. Unfortunately, just a third (35%) of healthcare sector organisations have had cybersecurity training or awareness raising over the past year, according to government figures. The share was much higher in medium (52%) and large-sized businesses (77%).

Finally, consider the risks that come not from within the NHS trust or private healthcare provider itself, but are introduced by a large and growing supply chain. This could mean anything from cleaning companies and contractors to pharmaceuticals firms, academic institutions and software developers. A ransomware attack on UK software supplier Advanced impacted the NHS for weeks after the initial breach, including its key 111 helpline.

More recently, Ireland’s HSE admitted it was impacted by the MOVEit data theft campaign. Here, customers of the popular file transfer software had information stolen by a ransomware group that exploited a zero-day vulnerability in the code.

Add to these risk factors the low tolerance HCOs have for service outages, and the highly monetisable personal, medical and financial information they hold on patients, and you have a sector that will always come under intense scrutiny from threat actors.

Continuous threat actor improvement

The challenge is that our adversaries continue to innovate, tapping an underground economy said to be worth trillions of pounds annually. The share of recorded attacks on HCOs globally has roughly doubled from 34% in 2021 to 60% today, with double extortion increasingly the norm. Sophos claims data was stolen in 37% of cases where it was also encrypted. Unlike HCO network defenders, one thing threat actors do have is a surfeit of skills. ‘As-a-Service’ offerings readily available on the cybercrime underground have lowered the bar to entry for many budding groups, and initial access brokers (IABs) queue up to offer network access.

Threat actors are also developing increasingly powerful ways to detect and delete backups, to increase their leverage in ransom negotiations. In some cases, these capabilities are built into the malicious code itself. And they are targeting cloud environments in greater numbers, in attacks where data is stolen and then deleted from AWS buckets, rather than encrypted.

The cost of ransomware

The EU security agency ENISA reckons that ransomware now accounts for over half (54%) of threats to the sector. In the UK, HCOs are frequent breach victims. All of this can have a potentially devastating associated cost.

WannaCry disrupted 81 out of 236 trusts in England (34%) and 603 primary care and other NHS organisations, including 595 GP practices. It led to an estimated 19,000 cancelled appointments and operations, with many patients directed to A&E departments further afield. Across the Irish Sea, the Ireland Health Service Executive (HSE) has spent tens of millions of euros managing the fallout from a major 2021 ransomware breach. One report claims that, on average, HCOs of up to US$500 million in revenue lose an estimated 30% of operating income if hit by a serious ransomware attack.

Another potentially serious cost is erosion of patient trust and real-world physical risk to patient safety. Studies show a connection between mortality rates and cyberattacks. One even claims a link between data breaches and heart attack fatalities. Ransomware also forces victim organisations to take critical systems offline in order to avoid the spread of malicious code, which in itself can cause serious risk to safety.

Building a better plan

The best thing healthcare CISOs can do in response is to build resilience now in the likely event that an attack strikes in the future. A comprehensive cybersecurity audit is a good place to start, documenting internal and external risks, vulnerabilities and threat exposure. It can also check for compliance with industry standards (like ISO 27001) and best practice certifications (like Cyber Essentials Plus), and suggest remediation actions such as training and awareness programmes for staff and breach response plans.

Depending on the results of such an audit, the organisation may need to roll out risk-based patch management programmes to ensure critical assets receive security updates in time. A continuous cycle of vulnerability and penetration testing will also help to establish where there are holes in security posture that need filling. Exploited vulnerabilities accounted for 29% of healthcare ransomware breaches last year, according to one study.
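The risk-based patch programme described above has to deal with the reality noted earlier in the piece: some legacy OT equipment cannot take the update at all. The following is an added example, not code from the article or from CYFOR Secure, showing one way to rank findings from a vulnerability scan by risk rather than raw CVSS and to route unpatchable devices to compensating controls instead of silently dropping them. The inventory, the field names, the weights and the SLA tiers are all assumptions chosen for illustration.

```python
"""Risk-based patch prioritisation over a constructed scan inventory.

Added example (not from the original article). The findings below, the
weighting factors and the SLA tiers are assumptions for illustration only.
"""

# Constructed inventory: one entry per (asset, vulnerability) finding.
# clinical_criticality: 1 = admin-only, 2 = supports care, 3 = direct patient care.
# patchable: False marks legacy OT that vendors no longer supply updates for.
FINDINGS = [
    {"asset": "pacs-server-01", "cvss": 9.8, "exploited": True,
     "internet_facing": True, "clinical_criticality": 3, "patchable": True},
    {"asset": "mri-console-02", "cvss": 9.8, "exploited": True,
     "internet_facing": False, "clinical_criticality": 3, "patchable": False},
    {"asset": "hr-laptop-17", "cvss": 7.5, "exploited": False,
     "internet_facing": False, "clinical_criticality": 1, "patchable": True},
    {"asset": "web-portal-01", "cvss": 6.1, "exploited": False,
     "internet_facing": True, "clinical_criticality": 2, "patchable": True},
]

# Assumed weights: known exploitation and internet exposure raise the score,
# clinical impact scales it up or down.
EXPLOITED_WEIGHT = 1.5
INTERNET_FACING_WEIGHT = 1.3
CRITICALITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.2}


def risk_score(finding):
    """Return CVSS adjusted for exposure, exploitation and clinical impact."""
    score = finding["cvss"]
    if finding["exploited"]:
        score *= EXPLOITED_WEIGHT
    if finding["internet_facing"]:
        score *= INTERNET_FACING_WEIGHT
    score *= CRITICALITY_WEIGHT[finding["clinical_criticality"]]
    return round(score, 2)


def sla_days(score):
    """Remediation deadline in days for a given risk score (assumed tiers)."""
    if score >= 15:
        return 3
    if score >= 9:
        return 14
    return 30


def plan(findings):
    """Rank findings by risk; unpatchable assets get a compensating-control task.

    'compensate' means isolate or segment the device and restrict access until a
    supported replacement is available, rather than leaving it untracked.
    """
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append({
            "asset": f["asset"],
            "score": score,
            "action": "patch" if f["patchable"] else "compensate",
            "due_in_days": sla_days(score),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in plan(FINDINGS):
        print(f"{row['asset']:<16} {row['score']:>6}  {row['action']:<10} "
              f"due in {row['due_in_days']} days")
```

Running it lists the PACS server and the MRI console first because both carry an actively exploited critical flaw on direct patient-care systems; the MRI console cannot be patched, so it is assigned a compensating-control task with the same three-day deadline rather than disappearing from the queue.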

While this can all help to reduce the chances of a serious breach, CISOs must also acknowledge that such events are inevitable, especially when the attack surface is so broad and stolen credentials are so plentiful. This is where detection and response comes in. Ensure the organisation has effective and continuous logging and monitoring of events – at least at a network level. This can help accelerate incident response to contain threats before they have the chance to make a serious impact.
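To make the logging-and-monitoring point concrete, here is an added example (not code from the article or from CYFOR Secure) of detection logic run over a handful of constructed endpoint events. It flags two of the behaviours the piece describes: a burst of files being renamed to an unfamiliar extension on a single host, and a backup deletion event. The log format, field names, the "known extension" list and the thresholds are assumptions for illustration; a real deployment would feed the same logic from EDR or file-server audit logs.

```python
"""Flag ransomware-like behaviour in constructed endpoint event logs.

Added example (not from the original article). Log format, field names,
extension list and thresholds are assumptions. Events are assumed to arrive
in timestamp order, one JSON object per line.
"""
import json
from collections import defaultdict, deque

RENAME_THRESHOLD = 5   # suspicious renames per host within the window (assumed)
WINDOW_SECONDS = 60    # sliding window length in seconds (assumed)
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".dcm", ".bak", ".txt"}  # assumed baseline

# Constructed sample log. WS-01 is ordinary activity, WS-02 shows a burst of
# renames followed by a backup deletion, WS-03 renames slowly over hours.
SAMPLE_LOG = "\n".join([
    '{"ts": 1000, "host": "WS-01", "user": "clerk", "event": "file_write", "path": "C:/Users/clerk/notes.docx"}',
    '{"ts": 1005, "host": "WS-01", "user": "clerk", "event": "file_rename", "path": "C:/Users/clerk/notes.docx.bak"}',
    'this line is deliberately malformed',
    '{"ts": 2000, "host": "WS-02", "user": "nurse", "event": "file_rename", "path": "D:/Shared/pt001.dcm.locked"}',
    '{"ts": 2004, "host": "WS-02", "user": "nurse", "event": "file_rename", "path": "D:/Shared/pt002.dcm.locked"}',
    '{"ts": 2008, "host": "WS-02", "user": "nurse", "event": "file_rename", "path": "D:/Shared/pt003.dcm.locked"}',
    '{"ts": 2012, "host": "WS-02", "user": "nurse", "event": "file_rename", "path": "D:/Shared/pt004.dcm.locked"}',
    '{"ts": 2016, "host": "WS-02", "user": "nurse", "event": "file_rename", "path": "D:/Shared/pt005.dcm.locked"}',
    '{"ts": 2020, "host": "WS-02", "user": "nurse", "event": "file_rename", "path": "D:/Shared/pt006.dcm.locked"}',
    '{"ts": 2025, "host": "WS-02", "user": "nurse", "event": "backup_delete", "path": "D:/Backups/daily"}',
    '{"ts": 3000, "host": "WS-03", "user": "admin", "event": "file_rename", "path": "E:/tmp/a.locked"}',
    '{"ts": 3100, "host": "WS-03", "user": "admin", "event": "file_rename", "path": "E:/tmp/b.locked"}',
    '{"ts": 3200, "host": "WS-03", "user": "admin", "event": "file_rename", "path": "E:/tmp/c.locked"}',
])


def parse_line(line):
    """Parse one JSON log line; return None for blank, malformed or incomplete records."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not all(k in rec for k in ("ts", "host", "event", "path")):
        return None
    return rec


def unusual_extension(path):
    """True when the final extension is outside the assumed baseline set."""
    dot = path.rfind(".")
    if dot == -1:
        return False
    return path[dot:].lower() not in KNOWN_EXTENSIONS


def detect(log_text):
    """Return a list of alert dicts, in the order the triggering events appear."""
    alerts = []
    windows = defaultdict(deque)   # host -> timestamps of recent suspicious renames
    flagged = set()                # hosts already alerted for mass renames
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, ts = rec["host"], rec["ts"]
        if rec["event"] == "backup_delete":
            # Backup removal is a strong leverage signal; alert on every occurrence.
            alerts.append({"host": host, "ts": ts, "reason": "backup_deletion", "path": rec["path"]})
            continue
        if rec["event"] == "file_rename" and unusual_extension(rec["path"]):
            window = windows[host]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()   # drop renames older than the window
            if len(window) >= RENAME_THRESHOLD and host not in flagged:
                flagged.add(host)
                alerts.append({"host": host, "ts": ts, "reason": "mass_rename", "count": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data only WS-02 trips the rename rule (five renames to `.locked` inside 60 seconds) and it is the same host that then deletes backups, which is the sequence a responder would want to see correlated in one place. WS-03's renames are spaced minutes apart and never fill the window, and the malformed line is skipped rather than crashing the parser.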

It can provide a stronger bargaining position for the HCO if negotiation with the threat actors is necessary. Being able to answer critical questions like which systems and data have been impacted, and how attackers got in, alongside maintenance of recent backups, will help to streamline incident response. It will also reduce the chances of a miscalculation in breach disclosure which could impact reputation unnecessarily.

Data was encrypted in 75% of healthcare ransomware attacks over the past year. It’s time to keep calm, work through security best practice and build resilience. You never know when the next attack is around the corner.