Hospitals Under Ransomware Attack Can Only See Critical Patients

Hospital Ransomware Featured

It’s no surprise that hospitals are under constant cyber-attack. Criminals want to breach these critical places because they know their demands will be better met. We saw a wave of ransomware attacks in 2017 that targeted hospitals, shutting down their systems until their ransom was paid.

Unfortunately, such attacks aren’t a thing of the past. Recently, we’ve seen a wave of new attacks against a hospital that left it unable to take in any patients that aren’t in a critical condition.

What Happened?

Hospital Ransomware Bed

Earlier this week, ransomware tore through ten hospitals in total. Three of these hospitals were in Alabama, and seven were in Australia.

In Alabama, the affected hospitals were the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center. The breach was so bad, the hospitals could not operate unless the patients were in desperate need of medical care.

Any ambulances responding to calls had to redirect patients to different hospitals, which added time between the 911 call and getting into the emergency room.

Those already within the ER of the affected hospitals had an uncertain future. If they managed to stabilize, they could be moved to another hospital to make room for emergencies.

DCH went on record with the following: “A criminal is limiting our ability to use our computer systems in exchange for an as-yet-unknown payment. Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available.”

Meanwhile, the seven hospitals in Australia were also performing similar patient transfers. There is no news yet on whether these two attacks are connected, but it’s a reminder on how hospitals come under attack from cyber-criminals.

Why Do Ransomware Developers Target Hospitals?

Hospital Ransomware Locked

It may seem cold-blooded for ransomware developers to put lives at risk, and you wouldn’t be wrong. In fact, the fact that ransomware can endanger lives is why malware distributors target hospitals in the first place.

One of the biggest problems ransomware developers have is getting their payout. These days, people are wiser to the effects of ransomware and can even revert their PC back to normal using specialist advice. Even if the ransomware can’t be removed, the victim may be unwilling to pay if all they’re losing are video game save files and their browser bookmarks.

As such, a ransomware developer needs to hit sensitive data centers to force the victims to pay up ASAP. This includes hospitals, who are known for paying the ransom to get things back on track.

How Can Hackers Break into Hospital Systems So Easily?

Hospital Ransomware Security

The problem is, the sensitive nature of hospitals means that they’re less likely to make changes to their systems. For them, if it works, it works; making an upgrade may introduce new bugs into the system, which could cost lives.

Some hospitals still run Windows XP for this reason. Unfortunately, while their critical software runs well, the operating system’s core security is heavily flawed. This makes it hard for hospitals to keep themselves protected.

Holding Lives at Ransom

Hospital-based cyber-attacks are cruel, but it’s that edge that hackers depend on for a huge payout. Combined with the weak security that hospitals typically have, you can see why the healthcare system is a big target for cybercriminals.

Do you think hospitals should upgrade their systems for security? Or is the existing groundwork too fragile to disturb? Let us know below.

Simon Batt Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.


  1. “Do you think hospitals should upgrade their systems for security?”
    Of course hospitals must upgrade their security. Maybe they should hire some of these ransomware creators.

    Having said that, there is one overarching problem that we have created for ourselves. WE HAVE BECOME TOO DEPENDENT ON TECHNOLOGY! Not just the hospitals but in general. It has gotten to the point where we have lost the ability to perform even simple tasks without resorting to technology.

  2. As a software developer who went through a ransomware attack in the spring of 2017, I think you missed the mark a bit. Erie County Medical Center in Bflo, NY was infected and is well documented. The whole idea of hospitals paying ASAP is ludicrous. They should have a disaster plan and if not … expletive!

    You’d think that a hospital would want to free itself ASAP and pay the ransom but the question is why? It’s not like you pay and poof the infection is gone. These systems have to be cleaned, patched, or upgraded. Medical records have this really neat requirement … HIPAA compliance. The data, where ever stored, should be alright. It’s the medium used to access the data is the problem. Kill the existing network and create an ad-hoc temporary replacement.

    It’s not the 1990s anymore so the idea an all-in-one system just doesn’t exist. The admin should be applying and testing patches to their networks, PC, and medical devices/machines. You know … do their job. Yes, it is true that XP is still being used but only because if you want to use the “machine that goes bing”, it only supports Winblows XP. Also, hospitals also have connections with other entities, like medical transcription service, medical building, medical schools, … that have access.

    Bottom line, I’d favor the ease with the number of vulnerabilities than the fact that its a hospital with sick people.

    1. HIPAA compliance is only as strong as HIPAA enforcement.

      As a programmer working on Health Department software, I always faced the “destroy before reading” aspect of HIPAA. Any live data to be used in program testing had to be de-personalized. Any printed output related to testing, such as reports, program listings, program dumps, had to go into a “burn bag”. All that was well and good because it insured security on the development side.

      HOWEVER, the story is much different on the user side. Hospitals have hundreds, if not thousands, of terminals in use at any time. Most of those terminals have patient data displayed on them for anyone to see and access. Just as different departments within a hospital do not exist in a vacuum but are digitally interconnected, so do hospitals not exist in a vacuum but are digitally interconnected with other hospitals and medical databases. The larger that network of connections, the higher the probability of a compromise or three. Add to that the attempts and offers by Microsoft, Google and even Facebook to create centralized databases for ALL medical data, in the pursuit of convenience, and you wind up with HIPAA and its provisions being made totally irrelevant.

      Saying that “admins….should do their job” may make for a good sound bite but it is semantically meaningless. Something a politician would say. Instead of spewing such dreck, provide some concrete solutions.

      Convenience and security/privacy are mutually exclusive. To access a Type 4 virological facility, one must go through a series of security checks. It is highly inconvenient but it is highly secure. Such a setup, in a hospital setting, where ever second may count, is totally undesirable. Where speed (convenience) is of paramount importance, security takes a far distant back seat. Considering the number of interconnections hospital have, it is a question whether medical data can ever be made secure.

  3. why would hospital rely on so much (computer) technology in the first place?? that is where the whole problem starts…

    1. “why would hospital rely on so much (computer) technology in the first place??”
      Why would any business rely on so much computer technology? Why do you rely on computer technology? To make things easier, faster and more efficient.

      Would you like to go to a hospital with life-threatening injuries and have the staff process test and scan results by hand when every second counts?

Comments are closed.