Ransomware Attacks in Healthcare: How to Respond

April 2024

Healthcare organizations are common targets for cyber and ransomware attacks. Because organizations in this industry deal with large quantities of Personally Identifiable Information (PII) and Protected Health Information (PHI), two very sensitive forms of user data, hackers see their systems as particularly profitable avenues for attacks. Ransomware attacks in healthcare are a particular problem: In 2022, two in three healthcare facilities reported a ransomware attack. 

Add to the disproportionately high attack risk a particularly strict regulatory environment, and risk managers working in the healthcare industry are fighting an uphill battle. The two most important information security regulations facing healthcare organizations are HIPAA and HITECH. While HIPAA sets parameters for storing and processing data to prevent patient information from being disclosed without their consent, HITECH promotes the adoption and use of secure health information technology. Both regulations include a broad definition of a third party as any “business associate,” meaning it’s important for healthcare organizations to manage cybersecurity risk both internally and in their third-party ecosystems.

As discussed above, ransomware attacks are a problem endemic to healthcare organizations and their supply chains. Luckily, the Cybersecurity and Infrastructure Security Agency (CISA) has outlined the process of detecting, containing, and eradicating a ransomware threat. Key steps to respond to a ransomware incident include: 

Detection and Analysis 

Before you can properly restore functionality at your organization after a ransomware incident, you first have to identify the systems impacted by the attack and take them off the network to prevent the malware from spreading further. While it’s crucial that you identify everything that has been encrypted by the attack, systems that enable critical operations should be isolated first.

Once you’ve isolated the impacted systems, you can begin working to bring them back online. Systems necessary to maintain patient health and safety, generate revenue, or carry out critical functions should be prioritized at this juncture. Other systems, especially those that appear unimpacted or that aren’t crucial to basic operations, can be addressed once the organization’s functionality has been reestablished.

At this point, your team should also begin searching for threats in your enterprise systems and cloud providers. Newly created Active Directory accounts with escalated privileges, the Cobalt Strike client, signs of remote monitoring and management software, and unexpected PowerShell execution are all common indicators that appear in organizations’ systems after an attack.
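
As an added example that is not part of the original article, the following Python correlates constructed Windows Security event records to flag two of the indicators named above: a newly created account granted a privileged group membership within 24 hours, and PowerShell script-block execution on a host outside an assumed allowlist of administration workstations. The event IDs (4720, 4728, 4104) are real Windows Security IDs; the records, hostnames, account names and thresholds are constructed for this example.

```python
"""Added example (not from the article): correlate Windows Security events to
flag two post-incident indicators, a newly created account that was quickly
granted a privileged group membership, and PowerShell execution on a host that
is not an approved administration workstation. Event IDs 4720, 4728 and 4104
are the real Windows IDs; every record below is constructed sample data."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
APPROVED_ADMIN_HOSTS = {"ADMIN-WS01"}     # assumed allowlist for this example
NEW_ACCOUNT_WINDOW = timedelta(hours=24)  # assumed threshold for "newly created"

# Constructed export: (timestamp, event id, selected event fields). MemberName
# is simplified to a plain username; a real 4728 carries a distinguished name.
EVENTS = [
    ("2024-04-02T01:10:00", 4720, {"TargetUserName": "svc_backup2", "SubjectUserName": "jdoe"}),
    ("2024-04-02T01:12:30", 4728, {"MemberName": "svc_backup2", "TargetUserName": "Domain Admins"}),
    ("2024-04-02T01:15:00", 4104, {"Host": "WS-17", "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Stopped'"}),
    ("2024-01-15T08:00:00", 4720, {"TargetUserName": "it_admin2", "SubjectUserName": "hr_admin"}),
    ("2024-04-02T02:00:00", 4728, {"MemberName": "it_admin2", "TargetUserName": "Domain Admins"}),
    ("2024-04-02T03:00:00", 4104, {"Host": "ADMIN-WS01", "ScriptBlockText": "Get-EventLog -LogName Security -Newest 50"}),
]


def find_new_privileged_accounts(events, window=NEW_ACCOUNT_WINDOW):
    """Usernames created (4720) and then added to a privileged group (4728)
    within `window`. Long-standing accounts promoted later are not flagged."""
    created = {f["TargetUserName"]: datetime.fromisoformat(ts)
               for ts, eid, f in events if eid == 4720}
    hits = []
    for ts, eid, f in events:
        if eid != 4728 or f["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        user = f["MemberName"]
        if user in created and timedelta(0) <= datetime.fromisoformat(ts) - created[user] <= window:
            hits.append(user)
    return hits


def find_unexpected_powershell(events, approved_hosts=APPROVED_ADMIN_HOSTS):
    """(host, script block) pairs for 4104 events on non-approved hosts."""
    return [(f["Host"], f["ScriptBlockText"]) for _, eid, f in events
            if eid == 4104 and f["Host"] not in approved_hosts]


if __name__ == "__main__":
    print("new privileged accounts:", find_new_privileged_accounts(EVENTS))
    print("unexpected PowerShell:", find_unexpected_powershell(EVENTS))
```

Widening the window (for example to a year) also surfaces the older it_admin2 account, which is how an analyst would tune the threshold against the environment's normal provisioning cadence.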


Reporting and Notification 

Having documented the impact of the ransomware attack, the next step is to contact any relevant stakeholders, internal or external, to notify them of the incident and explain the extent of its impact. Internal IT, managed service providers and cyber insurance providers are all relevant stakeholders in this context. One key to handling this step responsibly is to have all stakeholders agree upon an incident communications plan before you’ve detected an issue. 

On top of making reports to your personnel and partners, you will also have to report the incident to the Cybersecurity and Infrastructure Security Agency (CISA), the local FBI field office, or the FBI Internet Crime Complaint Center (IC3). You might also need to request help managing the evolving threat. Additionally, once you’ve done your due diligence to contact stakeholders and regulatory authorities, it’s a good idea to engage your communications and public relations personnel to ensure accurate and proper information is shared across the organization and with the public. This means that, if you do have negative news to share, you can get ahead of it and ensure smooth communications with impacted customers.

Containment and Eradication 

With the incident documented and reported, you should move on to the most crucial step: removing the ransomware from your systems and network. Often, this means taking a system image of a sample of affected devices, then working with federal law enforcement to research available decryptors and possible next steps.

At this point, you’ll have collected a large volume of breach data. Using this data as a guide, you should begin to contain systems—like virtual private networks (VPNs), remote access servers and single sign-on (SSO) services—that may be used for unauthorized access in the future, usually by turning them off.  

Containment established, you can search for backdoors that may enable incidents in the future. Some of these will be outside-in threats, meaning exploitation of externally facing vulnerabilities or authenticated access to external systems. Others will be inside-out threats, meaning hackers have implanted malware in your internal network to enable access in the future.

Finally, IT personnel should work to rebuild critical services based on priority and issue password resets for all affected systems. You can declare the ransomware incident over once you’ve met the criteria for incident cessation. 

Recovery and Post-Incident Activity 

Having contained the incident, you can finally reconnect your systems and restore your data from encrypted backups. This is also a good time to document lessons learned from the incident and share them with your industry peers, and to implement new controls. 


Healthcare organizations face an outsized ransomware challenge, but with a strong cybersecurity program and a third-party risk management platform, it’s easier than ever to stay on top of ransomware risk at your organization and throughout your third-party ecosystem. By tracking the effectiveness of your own cybersecurity controls and those of your third parties, you can achieve visibility into your risk ecosystem and prepare more effectively for the threats facing the healthcare industry today. 

Get started on your journey to a more resilient, data-driven, and proactive risk management process with the ProcessUnity platform. Don’t hesitate – schedule a demo today. 

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.