Data Protection Tool

Five Important Ways Ransomware Hurts Hospitals

Picture of Dale Shulmistra

Dale Shulmistra

Data Protection Specialist @ Invenio IT



Ransomware is a form of malware that literally holds your data ransom. It will lock you out of your files by encrypting them, and you cannot gain access until you pay the hackers for the decryption keys. Of course, even paying them as instructed does not ensure that you will get the decryption keys as promised.

For a hospital, a ransomware attack can be particularly devastating. This malicious software is designed to spread across an entire hospital network, halting many essential functions of the facility.

In recent months, ransomware attacks on hospitals have ramped up significantly. In September, hackers launched the worst-ever attack on a U.S. hospital system. More recently, U.S. authorities have warned of additional “imminent” attacks against hospitals across the country.

What makes ransomware especially dangerous for healthcare systems?

Ransomware can cause millions of dollars in financial losses for businesses in any industry. But in healthcare, an attack can literally be life-threatening.

In this post, we look at the specific ways in which ransomware disrupts hospitals and endangers the health of patients.

How Does Ransomware Work?

To understand how ransomware affects hospitals, it helps to first understand how ransomware works in general.

Like most attacks, ransomware typically hits healthcare systems through email. Users will see the emails disguised as invoices, receipts and other communications that seem legitimate. Clicking on a link or opening an attachment starts the infection process (or uses a multi-step phishing scheme to steal users’ credentials and lay the groundwork for a future attack).

More sophisticated attacks also take advantage of unsecure remote access connections that healthcare systems use to access data across multiple facilities. Ransomware can take advantage of these weak access points and deliver malware without any user interaction. Similarly, any outdated or unsecure systems at a hospital heighten the risk of being exploited by hackers for a ransomware attack.

Types of Ransomware

While all ransomware has the same general goal, there are a few types of ransomware that hackers will use when attacking hospitals and other organizations.

Crypto malware: This type of ransomware encrypts the hard drive and then demands payment to unencrypt it before a deadline. This is one of the most common types of ransomware affecting hospitals and other healthcare facilities.

Lockers: This ransomware infects the operating system, locking a user out of their system so they cannot access files or applications.

Scareware: Scareware is a less intrusive form of malware. It tells a user that it is an antivirus software or cleaning tool and that it has found an issue with the computer. It requests a payment to “fix” the issue.

Doxware: This type of ransomware is also known as leakware, because it threatens to leak sensitive files to the public if a ransom is not paid. This type of ransomware can be particularly troubling for hospitals, because that kind of leak not only causes access issues, but it would also be a direct HIPAA violation. The leak may trigger federal fines and penalties as a result.

Ransomware as a Service or RaaS: A hacker hosts this malware. Essentially, criminals hire other criminals to distribute the ransomware, and the hosting criminal gets a share of the ransom when it is paid.

These types of ransomware can be devastating to hospitals, but some cause more issues than others.

How Ransomware Attacks Affect Hospital Systems

Ransomware used in hospitals will often cause a slowdown and then a complete shutdown of systems. It typically infects operating systems across the network, not just one particular file or program. Hospitals may have issues with the following systems because of a ransomware attack.

  • Operating systems as a whole
  • Patient records and data
  • Software that manages data and records
  • Network operations

The type of ransomware used will determine how much access the hospital will continue to have after an attack.

Devastating Effects: How ransomware hurts hospitals

Anyone who has spent any time in a hospital can tell you that hospitals rely heavily on electronic patient records and record-keeping to keep operations running smoothly. With a huge number of people in and out of a large facility, knowing every issue with every patient is simply impossible without good records. That also means that when access to records is compromised, the hospital might not be able to function properly.

Here are examples of what can go wrong:

Unavailable Patient Records

Patient records are vital in a hospital setting. And since even patients themselves can be unreliable when it comes to recalling their own healthcare histories, failing to have previous records can result in bad healthcare decisions.

For example, inaccurate or missing records could result in mixing medications or providing diagnoses or even services that would not make sense if the treating healthcare professional had complete records.

Switching to Paper Documents

Because of the huge amount of paperwork involved in each file, hospitals generally function by using electronic files. When a ransomware attack occurs, they often switch to paper files, but using them is slow, clunky and not nearly as efficient.

Paper files increase the workload for the staff, slowing down operations—and for a hospital, slower operations mean slower patient care, which can be deadly.

Stopping Services and Shutting Doors

Ransomware attacks have caused the temporary closure and permanent closure of some healthcare facilities. While a permanent closure obviously results in untold lost services and revenues, even shutting down for a day or two could result in huge losses.

The losses result not only because of the lack of patient care for that time and operational downtime, but also because of the long-term issues with patient confidence. If patients know about the ransomware attack, they may question whether their data and other records are safe in the hospital’s care. Further, if a patient cannot trust a hospital with records, they might also be concerned about the level of care they are getting there as well.

Turning Patients Away

Forcing a hospital to pause patient care or even close their doors can result in impaired patient care. That type of delay can be a huge problem for patients in general. But, in emergency situations, that delay can be even more serious.

A woman in Germany in October 2020 died as a result of a cyberattack. She was on her way to a hospital in Dusseldorf for a life-threatening condition. However, the hospital could not admit her because it was experiencing a ransomware attack. She was sent to a hospital roughly 20 miles away, but she died on the way to the nearby hospital. This is the first known patient death that is directly attributed to a ransomware attack.

Legal Implications of a Ransomware Attack

Hospitals and other healthcare facilities have a legal obligation to ensure that patient records are safe. Exposing documents can be a violation of federal law that may result in significant fines and penalties.

Situations where patients must be turned away from services can also result in private causes of action against the hospital as well. For example, if a patient cannot get care fast enough because of a cyberattack, and that delay causes harm, it could open the facility to legal exposure. Ultimately, that type of fact pattern could end up costing the facility millions of dollars, especially if it directly affects more than a few patients.

Exposing patient payment records can cause an additional set of issues that affects patient privacy as well.

Ultimately, a ransomware attack can cause much bigger problems than not having access to patient files for a short amount of time. The best way to address these issues is to ensure that an attack does not happen in the first place or that you have mechanisms in place to recover quickly after an attack, as we illustrate further below.

Recent Ransomware Attacks on Healthcare Facilities

For some hospitals, a severe ransomware attack can literally force them to permanently shut their doors. In December 2019, Wood Ranch Medical Clinic in Simi Valley, California, had to do just that. It lost all of its patient records earlier in 2019, and they were unable to restore the records. As a result, it chose to simply shut down.

The same thing happened to a Brookside ENT and Hearing Center in Battle Creek, Michigan. They had a ransomware attack in April 2019. The hackers demanded $6,500 for the release of all of their records. The ENT operation chose not to pay the hackers, and all of their system files, appointment records and patient information were destroyed. The founders decided to retire early after the attack because the records could not be restored.

It is difficult to say whether the information would have been destroyed regardless of whether Brookside would have paid the hackers. There are situations where the hackers essentially choose to destroy the data regardless of whether they get their ransom.

Not every ransomware attack results in a forced closure, however. In September 2019, Campbell County Health in Gillette, Wyoming, suspended patient admissions and canceled surgeries for two days because of a ransomware attack. The same type of suspended service situation happened to three DCH Health System locations in Tuscaloosa, Alabama, in October 2019. The facilities were shut down for a period of 10 days.

The Importance of Backup Systems

In the historic attack against Universal Health Services (UHS) in September, the health system lost its computer network, blocking access to records across over 400 facilities in the United States and Great Britain.

Thankfully, however, this large attack was minimized because UHS had good backup systems in place – a crucial line of defense against ransomware.

While hospitals cannot always prevent malware attacks, they can ensure that their backup systems will assist if an attack occurs. Backup systems like the Datto SIRIS can help hospitals recover faster after an attack. Features like Rapid Rollback help organizations to undo widespread file changes and effectively remove the infection by rolling back to a clean recovery point.

Additionally, Datto’s built-in ransomware protection helps to provide early detection of an infection, so that action can be taken before the entire network is affected.

In today’s fast-paced healthcare environments, these backup solutions are essential for maintaining continuity and uninterrupted patient care.

Learn More

Learn more about protecting your healthcare organization from a ransomware attack with BC/DR solutions from Datto. Request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email

Get the Ultimate Employee Cybersecurity Handbook
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles