When IT disasters strike, it can become a matter of life and death for healthcare organizations – and criminals know it.
We’re not exaggerating the risks: In 2024 a successful ransomware attack on a Texas trauma hospital saw it turn away ambulances - and that was just one of hundreds of known ransomware infections at US hospitals.
Then there was the Change Healthcare intrusion that paralyzed claims and payment systems for weeks across hundreds of thousands of medical clinics, hospitals, and pharmacies in the US. That disaster left many Americans unable to acquire prescription medicine as usual.
"Healthcare organizations have a uniquely high-stakes environment when it comes to disaster recovery due to the sensitivity of data and the life-or-death nature of their services," said Sherrod DeGrippo, Microsoft's director of threat intelligence strategy.
"Unfortunately, threat actors know this well and take advantage of this reality," she added. "Healthcare organizations are often specifically targeted by ransomware actors because of their unique requirements and patient risks."
Those distinct risks healthcare providers face mean they are more likely to pay ransoms quickly, rather than attempt ransomware recovery.
Ty Greenhalgh, industry principal of healthcare at infrastructure resilience outfit Claroty and also an ambassador for a US Department of Health and Human Services task force on cybersecurity in healthcare, has an example that illustrates why healthcare orgs pay up.
"Somebody comes in for a stroke. You can't tell whether it's ischemic or hemorrhagic, one's a bleed, one's a clot," Greenhalgh explained to The Register. "You don't know what medicine to give, and you got an hour before this person's not walking, let alone dying. When you are hit with ransom and your systems are out, you are more likely to pay."
Crims target data to protect their own health
Taylor Lehmann, a director for Google Cloud's Office of the CISO, thinks criminal gangs understand that putting patients' lives at risk will draw unwelcome attention.
"If you do that enough, the FBI and law enforcement are going to come after you," Lehmann said. "Threat actors make more money when law enforcement doesn't come after them and shut them down."
Criminals’ behavior is therefore changing. "We're not seeing quite as much targeting of critical healthcare systems with the goal of shutting them down and then extracting a ransom payment," Lehmann told The Register. "The threat has become more focused on acquiring data and extorting the organization."
"Threat actors will continue to make more money by not necessarily taking organizations down, but extorting them seems to compel payment just as easily," he added.
The best DR medicines
Healthcare orgs seeking to inoculate themselves against IT disasters should start with plans to continue service delivery even if systems go down.
"Clinical staff need clear protocols for working offline, like manual charting or printed medication schedules," Microsoft’s DeGrippo said. "In healthcare, disaster recovery is really about both technical resilience and patient care continuity."
On the technical side, she recommends paying special attention to legacy devices for which assistance may be harder to find. DeGrippo also thinks Internet-of-Things devices and operational technology systems deserve special attention.
"Recovery plans need to include ways to safely isolate or restore those," DeGrippo added.
Google’s Lehmann thinks healthcare orgs should start by identifying critical assets and understanding all their dependencies. He recommends "first mitigating threats to resilience, and then threats to total system loss."
To preserve availability of some healthcare hardware, buying multiple systems is likely necessary.
"The only viable plan for many of the systems is just to have two of them," Lehmann said. "Many of them are set up a specific way, a lot of them are out of support or end-of-life, so they can't be replaced or the vendor can't swoop in and add a new one without disrupting clinical flow."
Not only do orgs need a plan, but they also need to practice it.
Lehmann suggests tabletop exercises that simulate losses to key systems, including calling up vendors and seeing how quickly they can reproduce the system. "Measure the timelines it takes for them to do so and get ahead of what the costs might be in the event that those things happen." ®