Two healthcare institutions, Frederick Health and New York Blood Center Enterprises (NYBCe), are grappling with disruptions from separate ransomware attacks they faced this past week.
Frederick Health posted an update to its website on Jan. 27 noting that it “recently identified a ransomware event” and is working to contain it with third-party cybersecurity experts to get its systems back online.
Though most of its facilities remain open and are still providing patient care, Frederick Health reported that its Village Laboratory is closed and that patients may experience some operational delays.
New York Blood Center Enterprises, a nonprofit made up of a collection of independent blood centers, first identified suspicious activity affecting its IT systems on Jan. 26. On Jan. 29, it alerted the public that it took its systems offline in an effort to contain the threat, which was attributed to a ransomware attack. NYBCe is working to restore its systems; however, it remains unclear when it will be fully operational again. The organization expects processing times for blood donations at its centers and offsite blood drives may take longer than usual.
Neither institution has released any information regarding who breached them or whether any information was stolen; no ransomware group has yet taken responsibility for either attack.
A Never-Ending List
Ransomware attacks have become a harsh reality in healthcare. Unlike in other industrial sectors that face similar threats, the cost is not just reputational damage or financial strain; in the medical field, patients’ lives are at stake.
According to a 2024 Microsoft study, nearly 400 US healthcare organizations were infected with ransomware, with the average reported payment as high as $4.4 million. The downtime these facilities experience while getting back on their feet can cost up to $900,000.
Healthcare institutions offer a plethora of information and data types, ranging from medical records to financial details, and a variety of personally identifiable information.
“Many healthcare organizations operate with limited cybersecurity funding and staffing, prioritizing patient care over IT security investments,” Heath Renfrow, co-founder of Fenix24, tells Dark Reading. “The vast number of endpoints, third-party vendors, and interconnected systems create a broad attack surface, while the inability to routinely take systems offline for maintenance exacerbates vulnerabilities.”
And when threat actors do decide to breach these healthcare organizations’ networks, they steal this information and hold it for ransom, knowing that their efforts will pay off because these healthcare systems have everything to lose. For those healthcare systems, these malicious events only add to the intensity of the life-and-death situations they handle every day.
Ultimately, this is why the reported ransom payments are often so high, since healthcare institutions have a known track record for their willingness to pay bad actors whatever’s necessary in order to get their patients the care they need.
Strategizing Against Wayward Morals
Combating the ransomware scourge has tested many organizations and security professionals. Ransomware groups have shown themselves adept at adapting their use of technology to circumvent new fixes, and their business models keep evolving as well, with affiliates, commissions, and even referral programs.
“Some ransomware groups claim to have ethical boundaries, stating they won’t target hospitals, but history has shown that these promises are often empty, with critical care facilities still falling victim,” Renfrow says. “On the other side, healthcare organizations have an ethical duty to protect patient data and ensure operational resilience. However, constrained budgets and competing priorities often force tough decisions between investing in cybersecurity and funding direct patient care.”
But changes must be made to cybersecurity practices in the healthcare industry if patient care is going to prevail in the long run.
In May 2024, the Advanced Research Projects Agency for Health (ARPA-H), a funding agency created by the Biden administration, committed $50 million to help create software for making hospitals more cyber resilient.
The program, called Universal Patching and Remediation for Autonomous Defense (Upgrade), is focused on areas such as vulnerability management, auto-detection, defense, and more, and seeks to bring together hospital IT staff, equipment managers, and cybersecurity experts to uncover cybersecurity vulnerabilities.
And even the Department of Health and Human Services (HHS) saw the importance of bolstering healthcare cybersecurity programs after a United Healthcare subsidiary was targeted by the BlackCat ransomware group early last year, leading to disarray and outages in what was one of the worst breaches the healthcare sector has ever seen.
As for what healthcare institutions themselves can do, Renfrow says that “immutable backups with guaranteed return-to-operations (RTO) must be their top priority — not just assumed, but tested and proven” as this “ensures that when — not if — an attack happens, healthcare organizations can restore operations immediately, without disruption, without ransom.”
“In today’s world,” he says, “true resilience is the only security guarantee.”