• ctownsendeqc762


Keanna Grelicha, Counterintelligence and Cyber (CICYBER) Team; Alyssa Schmidt, Emergency Management, Health, and Hazards (EMH2) Team

Week of Monday, December 20, 2021

Medical Equipment[1]

Ponemon Institute, a research group, reported in a 2021 survey[2] that 43% of the healthcare organizations surveyed had experienced a ransomware attack, and 22% of those organizations reported an increase in patient mortality after the attack.[3] The rise in cyberattacks almost certainly puts patients and staff at risk: an attack that takes clinical systems offline can delay or halt essential treatment. Of the surveyed organizations that suffered an attack, 61% reported that they could not effectively mitigate cyber risk during the COVID-19 pandemic when operations or services were down while COVID-19 patients needed emergency care.[4] Without preventive and detective controls such as firewalls, network monitoring and an incident response capability, healthcare organizations’ and patients’ data will very likely remain at risk of theft. Patients whose records are stolen are very likely exposed to identity fraud, and a breach will likely damage the medical center’s reputation and very likely lead to financial loss, particularly where the attacker demands a ransom for the stolen data.

The COVID-19 pandemic strained the healthcare system and its IT operations, and threat actors exploited that disruption to steal patients’ and healthcare centers’ confidential data and hold it for ransom.[5] These attacks have become more frequent since the start of the pandemic, likely creating risks for individuals as hospitals held large numbers of patients, especially those with COVID-19 related complications.[6] As more devices connect to hospital networks, attacks on hospitals will very likely increase if those devices and networks are not kept patched and monitored. The healthcare sector almost certainly has weak digital defenses: at the facilities surveyed by Ponemon Institute, 88% of personal devices and 83% of medical devices are connected to the medical center’s network.[7] Every device with access to the main network is a potential entry point, so a flat network with many connected devices is almost certainly more exposed, because a compromise of any one device can be used to reach the rest. Patient and visitor devices very likely lack basic preventive measures such as current software patches,[8] so a hacker could very likely gain a foothold on the hospital’s network by compromising a personal device connected to hospital WiFi if that WiFi is not isolated from clinical systems. Organizations holding sensitive data almost certainly need firewalls between network segments and ongoing monitoring of every connected device so that a weak device cannot become an unnoticed entry point.

Mandiant, a cybersecurity firm, released a report on FIN12, a financially motivated ransomware group; roughly 20% of the group’s observed victims have been healthcare organizations.[9] These attacks have very likely impacted, and will very likely continue to impact, the availability of patient information when attackers encrypt or steal data needed for care, such as allergies and current prescriptions. Losing access to a patient’s record could likely degrade care and could likely lead to fatalities if, for example, a patient is given a medication they are allergic to. Outages of connected equipment could also very likely delay or cancel treatments such as chemotherapy, which will almost certainly affect patients’ recovery and ability to fight disease. If facilities close, as when the United Kingdom’s National Health Service (NHS) cancelled appointments and diverted emergency patients after the 2017 WannaCry attack, those who need emergency care or ongoing treatment very likely face health risks.[10]

During the COVID-19 pandemic, ransomware attacks on hospitals and medical centers increased, with phishing being the most common initial access method.[11] A phishing campaign sends emails carrying malicious links or attachments; when a recipient opens them, the attacker obtains credentials or code execution that can be used to access the organization’s systems.[12] These attacks are likely successful because of limited staff awareness of scams and malicious attachments combined with social engineering. Social engineering manipulates the target, for example by dressing up an email containing malicious URLs or files as a message from a well-known company or an internal department, to entice the victim to click the link or open the file and run the malware.[13] If staff are not trained to recognize these lures, hackers will very likely keep using them to gain access to an organization’s servers. Once inside, the attacker will very likely steal data and then encrypt or shut down systems, which very likely escalates to a ransom demand for the medical center to regain access to its information.
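The lures described above (a lookalike sender, a link whose visible text names one host while it points at another, a macro-enabled attachment) can be checked mechanically before a message reaches a nurse’s inbox. The following Python triage routine is an added example written for this page, not code from the report or from any of the cited sources. It parses a raw RFC 5322 message, compares sender, Reply-To and link hosts against an assumed list of trusted domains, and flags risky attachment types. The two sample emails, the trusted-domain list and the extension list are constructed for illustration and are not real mail or real hospital domains.

```python
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this (hypothetical) hospital legitimately exchanges mail with.
TRUSTED_DOMAINS = {"example-hospital.org", "vendor-example.com"}
# Attachment types that routinely carry first-stage ransomware loaders.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".lnk", ".scr", ".iso", ".img", ".docm", ".xlsm"}
_DIGIT_SWAPS = str.maketrans("0135", "olse")
_URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)
_ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})', re.I)


def is_lookalike(host: str) -> bool:
    """True if host imitates a trusted domain without being one (or a subdomain of one)."""
    host = host.lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return False
    # Undo common digit/letter swaps (0->o, 1->l, 3->e, 5->s, rn->m).
    normalized = host.translate(_DIGIT_SWAPS).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if normalized == trusted or brand in host:
            return True
    return False


def _domain(header) -> str:
    """Registrable-ish domain of an address header ('' if header is absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def triage(raw_email: str) -> list:
    """Return sorted phishing indicators found in a raw email message."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = set()
    sender, reply_to = _domain(msg["From"]), _domain(msg["Reply-To"])
    if sender and is_lookalike(sender):
        findings.add(f"lookalike-sender:{sender}")
    if reply_to and reply_to != sender:
        findings.add("reply-to-mismatch")

    body = ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
                findings.add(f"risky-attachment:{name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_content()

    for url in _URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            findings.add(f"lookalike-url:{host}")
    # Anchor text that names one host while the href points somewhere else.
    for href, inner in _ANCHOR_RE.findall(body):
        shown = _HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", inner))
        real = urlparse(href).hostname or ""
        if shown and real and shown.group(1).lower() != real:
            findings.add(f"link-text-mismatch:{shown.group(1).lower()}->{real}")
    return sorted(findings)


def _build(from_, reply_to, text, html, attachment_name, attachment_bytes) -> str:
    """Assemble a multipart message so triage() is exercised on real MIME structure."""
    msg = EmailMessage()
    msg["From"] = from_
    msg["To"] = "nurse@example-hospital.org"
    msg["Subject"] = "Account notice"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(text)
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples (not real mail): a credential-phishing lure and a benign invoice.
PHISHING_SAMPLE = _build(
    "IT Helpdesk <helpdesk@example-hospita1.org>",
    "support@mail-recovery-center.net",
    "Your password expires today. Reset it: http://example-hospital.org.login-verify.net/reset",
    '<p>Reset it here: <a href="http://example-hospital.org.login-verify.net/reset">'
    "https://portal.example-hospital.org/reset</a></p>",
    "Invoice.docm", b"PK\x03\x04 placeholder",
)
BENIGN_SAMPLE = _build(
    "Billing <billing@vendor-example.com>", None,
    "Your statement is attached: https://www.vendor-example.com/invoices/1234",
    '<p><a href="https://www.vendor-example.com/invoices/1234">View statement</a></p>',
    "statement.pdf", b"%PDF-1.4 placeholder",
)

if __name__ == "__main__":
    print(triage(PHISHING_SAMPLE))  # five indicators
    print(triage(BENIGN_SAMPLE))    # []
```

None of these checks is proof of phishing on its own; the value is in combining them and routing messages that trip several indicators to a human before the attachment is opened. The lookalike check is deliberately crude (digit swaps and brand-in-hostname) and would be replaced in production by the organization’s mail gateway’s domain-reputation data.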

Ransomware operators are financially motivated, so a threat actor will likely demand a ransom after gaining access and stealing data.[14] Ransomware encrypts the organization’s files, making them inaccessible; in double-extortion attacks the actor also exfiltrates copies before encrypting, so that the stolen data becomes a second lever. Appointments and treatments would very likely be cancelled if records such as exact medication dosages become inaccessible. The combination of stolen and locked data puts the organization and its patients at risk, very likely pressuring the medical center into paying the ransom and bearing that financial burden. Hospitals will very likely pay to limit reputational damage, because payment promises a decryption key quickly, whereas recovering without one means rebuilding systems from backups. Data encrypted by properly implemented ransomware cannot realistically be recovered by searching for the key, so an organization without usable backups faces months of manual rebuilding and delayed operations. Paying a ransom almost certainly compounds the revenue lost to cancelled appointments and patients relocated to other centers, and after such a loss organizations could very likely struggle to compensate affected patients and repair their image.

The University of Vermont Medical Center (UVM) suffered a ransomware attack in October 2020; no ransom was paid, but the attack cost UVM more than $50 million USD, mostly in lost revenue.[15] UVM information technology (IT) staff needed roughly three weeks to restore the medical center’s systems after attackers breached its servers and encrypted organizational data.[16] The attackers’ access is almost certainly attributable to gaps in UVM’s data security and preventive controls, and the absence of tested recovery measures very likely lengthened the restoration timeline.[17] With sensitive data at risk, reputational and financial damage could very likely follow as patients lose trust in data confidentiality and move to other medical centers. The operational losses included encrypted systems and equipment taken offline during the breach, which very likely disrupted routine functions such as billing and scheduled treatments.[18] Time spent restoring equipment and systems will almost certainly harm the hospital’s reputation. Cyberattacks on hospitals also impose physical costs: repairing equipment damaged by outages and server failures, and retraining staff.[19] Future attacks on other healthcare organizations could very likely include prolonged outages if an entire network is shut down, severing the connections on which digitally dependent equipment relies to operate and share data. Recovery could very likely take weeks, as at UVM, increasing patients’ health risk if procedures cannot be performed within the window their condition requires.

Hospital systems hold sensitive data including patient information such as dates of birth, Social Security numbers in the US, and medical records.[20] Theft of this data will very likely lead to financial fraud or identity theft, as the attackers hold the personal details needed to impersonate victims. Financial fraud will likely add a significant burden for patients already struggling with payments or debt, and incurring additional debt will likely lead some patients to withdraw from medical services or reduce their treatments. Identity theft will likely also affect a patient’s mental state, and the stress of dealing with fraud will very likely put further strain on a body already coping with medical issues.

Agencies, organizations, and companies, including the Federal Bureau of Investigation, recommend that hospitals not pay ransoms because payment incentivizes future attacks.[21] This recommendation could very likely be difficult to follow when the attackers already hold sensitive data the healthcare center needs for essential operations. AON, an insurance company, recommends that hospitals implement incident response plans, conduct vulnerability testing, enforce restricted access controls, and test business continuity plans.[22] An incident response plan paired with vulnerability testing and access controls will very likely give the organization a specific course of action for a cyberattack: regular testing of servers and exposed services confirms that entry points are closed, and the plan defines who isolates, contains and restores systems when antivirus or other detection tools raise an alert. The Association of American Medical Colleges recommends frequent system updates, strong firewalls, and network segmentation.[23] Segmentation divides the network into smaller zones, so if ransomware is detected in one zone that zone can be isolated instead of shutting down the entire network.[24] With firewalls between segments, detection systems and segmentation in place, the likelihood of detecting and containing an attack will almost certainly increase, because malicious activity stays in one zone rather than spreading across the organization’s systems.
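The device-sprawl problem raised earlier in this report (personal and medical devices sharing one network) and the segmentation recommendation above are two sides of the same control: segmentation only helps if someone enforces and watches the boundaries between zones. The following Python check is an added example written for this page, not code from the report or its cited sources. It classifies constructed flow-log records into network segments by address range and flags inter-segment traffic that an allow-list policy does not permit; the segment ranges, port numbers, policy entries and the flow records are all assumptions for illustration. Evaluating the same flows against a flat "allow everything" policy raises nothing, which is exactly the blind spot a segmented network removes.

```python
import ipaddress
from collections import namedtuple

# Assumed zone layout for a hypothetical hospital network.
SEGMENTS = {
    "guest_wifi": ipaddress.ip_network("10.10.0.0/16"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "medical_devices": ipaddress.ip_network("10.30.0.0/16"),
    "ehr_servers": ipaddress.ip_network("10.40.0.0/16"),
}

# Allow-list of (source zone, destination zone, destination port); "*" means any port.
# Anything not listed and not intra-zone is a violation.
SEGMENTED_POLICY = {
    ("corporate", "ehr_servers", 443),          # clinicians' workstations -> EHR web front end
    ("medical_devices", "ehr_servers", 2575),   # devices -> HL7 interface engine (MLLP)
    ("corporate", "medical_devices", 443),      # device management console
    ("corporate", "internet", 443),
    ("guest_wifi", "internet", "*"),
}
# A flat network has no inter-zone rules at all: every device can reach every other.
FLAT_POLICY = None

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed flow records (not real telemetry); '#' starts a comment.
FLOW_LOG = """\
# ts                   src            dst            dport proto
2021-12-20T08:00:01Z   10.20.5.12     10.40.1.10     443   tcp   # workstation -> EHR web
2021-12-20T08:00:07Z   10.30.2.40     10.40.1.11     2575  tcp   # infusion pump -> HL7 engine
2021-12-20T08:01:15Z   10.10.44.9     10.30.2.40     445   tcp   # guest phone -> infusion pump, SMB
2021-12-20T08:01:16Z   10.10.44.9     10.40.1.10     3389  tcp   # guest phone -> EHR server, RDP
2021-12-20T08:02:30Z   10.10.44.9     203.0.113.10   443   tcp   # guest phone -> internet
2021-12-20T08:03:00Z   10.30.2.41     10.20.5.12     445   tcp   # ventilator -> workstation, SMB
"""


def segment_of(ip: str) -> str:
    """Name of the zone containing ip, or 'internet' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow records, ignoring blank lines and comments."""
    flows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5:
            continue
        ts, src, dst, dport, proto = fields[:5]
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def is_allowed(src_seg: str, dst_seg: str, dport: int, policy) -> bool:
    """Intra-zone traffic is always allowed; inter-zone traffic must match the policy."""
    if policy is None or src_seg == dst_seg:
        return True
    return (src_seg, dst_seg, dport) in policy or (src_seg, dst_seg, "*") in policy


def find_violations(flows: list, policy) -> list:
    """Return one human-readable line per flow the segmentation policy forbids."""
    violations = []
    for f in flows:
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if not is_allowed(src_seg, dst_seg, f.dport, policy):
            violations.append(f"{f.ts} {src_seg}->{dst_seg} {f.src}->{f.dst}:{f.dport}/{f.proto}")
    return violations


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("flat network:", find_violations(flows, FLAT_POLICY))          # nothing to see
    for v in find_violations(flows, SEGMENTED_POLICY):                  # three alerts
        print("segmented network:", v)
```

The interesting alerts are the last two: a guest device probing an infusion pump over SMB, and a medical device reaching a workstation over SMB, which is the lateral-movement pattern ransomware uses to spread. On a flat network neither stands out, because nothing defines which device is supposed to talk to which.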

The Counterterrorism Group’s (CTG) Counterintelligence and Cyber (CICYBER) Team recommends that healthcare centers encrypt sensitive data at rest and in transit, including the network interfaces of medical equipment, and adopt new cybersecurity policies. Encrypting sensitive data will very likely keep it confidential even if it is exfiltrated, since the attacker would need the decryption key to read it, very likely reducing the value of stolen data for extortion. Encryption does not, however, stop ransomware from re-encrypting or deleting files the organization itself can still access, so it protects confidentiality and must be paired with backups and segmentation to protect availability and keep treatments running. Securing data and adopting policies that protect healthcare critical information infrastructure (CII) will very likely safeguard patient accounts and operations such as payment processing. Medical CII protection policies will almost certainly reduce the success rate of cyberattacks, as CII systems will very likely undergo regular risk assessments leading to timely updates. These preventive measures will almost certainly deter future cyberattacks from threatening data and human life in the healthcare industry.

CTG recommends maintaining sufficient backups of systems and all sensitive data, kept offline or otherwise isolated from the production network and tested for restoration, so that medical staff retain accessible records even if the originals are encrypted or exfiltrated in an attack. A dedicated team continuously monitoring the networks for malicious activity will almost certainly help detect and deter attacks, and will very likely cover more vulnerabilities and more network activity than a few part-time personnel. The CICYBER and Emergency Management, Health, and Hazards (EMH2) Teams will continue to collaborate to monitor cyber and ransomware attacks on healthcare centers. CTG’s Worldwide Analysis of Threats, Crime, and Hazards (W.A.T.C.H.) Officers will remain vigilant for potential cyber threats from state and non-state actors to help monitor and report possible future attacks.
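A backup is only a recovery plan if it can be shown to be intact before anyone relies on it; ransomware that reaches the backup share encrypts it along with everything else, and a restore from such a copy fails at the worst moment. The following Python routine is an added example written for this page, not code from the report or any cited source. It records a SHA-256 manifest of a backup set when the backup is taken and verifies the set against that manifest before a restore, reporting files that are missing, modified or unexpected, and using a byte-entropy check to single out modified files that look encrypted. The sample records, the tampered copy and the pseudo-ciphertext are constructed for illustration. The manifest itself must be stored somewhere the attacker cannot rewrite (offline or write-once media), otherwise it can be regenerated to match the damaged copy.

```python
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each backed-up path to the SHA-256 of its contents, taken at backup time."""
    return {path: sha256_hex(data) for path, data in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for records."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(files: dict, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a backup set against its manifest and categorize every discrepancy."""
    report = {"missing": [], "modified": [], "likely_encrypted": [], "unexpected": []}
    for path, digest in manifest.items():
        if path not in files:
            report["missing"].append(path)
        elif sha256_hex(files[path]) != digest:
            report["modified"].append(path)
            if shannon_entropy(files[path]) > entropy_threshold:
                report["likely_encrypted"].append(path)
    for path in files:
        if path not in manifest:
            report["unexpected"].append(path)   # e.g. a ransom note dropped beside the data
    return report


def is_restorable(report: dict) -> bool:
    """A backup set is safe to restore from only when no category has findings."""
    return not any(report.values())


# Constructed backup set (not real patient data), keyed by path within the backup.
GOOD_BACKUP = {
    "ehr/patients/0001.json": b'{"mrn": "0001", "allergies": ["penicillin"], "rx": ["metformin 500mg"]}',
    "ehr/patients/0002.json": b'{"mrn": "0002", "allergies": [], "rx": ["warfarin 5mg"]}',
    "pharmacy/formulary.csv": b"drug,dose_unit\nmetformin,mg\nwarfarin,mg\n",
}
MANIFEST = build_manifest(GOOD_BACKUP)


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (constructed)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# The same set after a simulated attack: one record encrypted, one deleted, a note added.
TAMPERED_BACKUP = dict(GOOD_BACKUP)
TAMPERED_BACKUP["ehr/patients/0001.json"] = _pseudo_ciphertext(b"example-seed", 4096)
del TAMPERED_BACKUP["pharmacy/formulary.csv"]
TAMPERED_BACKUP["README_RESTORE_FILES.txt"] = b"Your files are encrypted. Contact us to recover them."

if __name__ == "__main__":
    print("clean copy restorable:", is_restorable(verify_backup(GOOD_BACKUP, MANIFEST)))
    print("tampered copy:", verify_backup(TAMPERED_BACKUP, MANIFEST))
```

The entropy check is a heuristic rather than proof: legitimately compressed images or archives also score near 8 bits per byte, which is why it is only applied to files whose hash already fails. The decision that matters is `is_restorable`, and it should be run automatically after every backup job, not only after an incident.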

The Counterterrorism Group (CTG) is a subdivision of the global consulting firm Paladin 7. CTG has a developed business acumen that proactively identifies and counteracts the threat of terrorism through intelligence and investigative products. Business development resources can now be accessed via the Counter Threat Center (CTC), emerging Fall 2021. The CTG produces W.A.T.C.H resources using daily threat intelligence, also designed to complement CTG specialty reports which utilize analytical and scenario-based planning. Innovation must accommodate political, financial, and cyber threats to maintain a level of business continuity, regardless of unplanned incidents that may take critical systems offline. To find out more about our products and services visit us at

[1] “Medical Equipment” by Wikimedia Commons, licensed under Creative Commons

[2] New Ponemon Institute Research Shows Ransomware Attacks on Healthcare Delivery Organizations Can Lead to Increased Mortality Rate, Businesswire, September 2021,

[3] Foreign hacking group targets hospitals, clinics with ransomware attacks, says new report, CBS News, October 2021,

[4] Ibid

[5] The growing threat of ransomware attacks on hospitals, AAMC, July 2021,

[6] Ibid

[7] Covid-19: Cyberattacks on the Healthcare System, Global Risk Insights, June 2021,

[8] Understanding Patches and Software Updates, Cybersecurity and Infrastructure Security Agency, 2021

[9] Foreign hacking group targets hospitals, clinics with ransomware attacks, says new report, CBS News, October 2021,

[10] The Pandemic Revealed The Health Risks of Hospital Ransomware Attacks, The Verge, August 2021,

[11] Hospital Cyberattacks: More Frequent, Severe As Pandemic Continues, WFYI Indianapolis, August 2021,

[12] What is a Phishing Campaign?, Barracuda, 2021,

[13] What is Social Engineering? Examples & Prevention Tips, Webroot, 2021,

[14] Hackers Target Healthcare Industry During COVID-19 Pandemic, AON, 2021,

[15] The growing threat of ransomware attacks on hospitals, AAMC, July 2021,

[16] Ibid

[17] Ibid

[18] Covid-19: Cyberattacks on the Healthcare System, Global Risk Insights, June 2021,

[19] Ibid

[20] Hospitals, businesses see more cyberattacks and hackers during pandemic, The Denver Channel, June 2021,

[21] Hospital Cyberattacks: More Frequent, Severe As Pandemic Continues, WFYI Indianapolis, August 2021,

[22] Hackers Target Healthcare Industry During COVID-19 Pandemic, AON, 2021,

[23] The growing threat of ransomware attacks on hospitals, AAMC, July 2021,

[24] Ibid