Overview

Healthcare and public health sector ransomware attacks have emerged as a critical national security concern. According to a joint advisory from CISA, FBI, and NSA issued February 13, 2022, ransomware attacks impacted 14 of the 16 US critical infrastructure sectors in 2021, with the healthcare sector experiencing disproportionate impact. The healthcare and public health sector "was hit especially hard by ransomware in 2021," containing "most of the largest healthcare data breaches of the year."

Hospitals operate as critical infrastructure under DHS designation, yet face unique vulnerability due to legacy operational technology (OT) systems that were never designed with cybersecurity as a priority. As noted in an October 2021 analysis, "attacks on critical infrastructure have grown from moderate risk to major headline-grabbing news and attackers' capabilities have also continued to develop."

Key Threats

Ransomware Deployment Against Hospital Systems

Ransomware represents the dominant threat vector against hospital infrastructure. The attacks exploit both digital vulnerabilities and the human attack surface through phishing campaigns. According to an analysis from July 2021, "Ransomware is the threat of 2021. It's impacting everything from large enterprises, hospitals, to other aspects of our critical infrastructure."

The healthcare sector's vulnerability stems from multiple factors:

  1. Inadequate Security Frameworks: While HIPAA requirements map to the "Protect" section of NIST Cybersecurity Framework, healthcare organizations lack mandates for comprehensive coverage across all five CSF sections (Identify, Protect, Detect, Respond, Recover). As of July 2020, only three critical infrastructure sectors (energy, government, nuclear) had regulations mapping security requirements to all CSF sections.

  2. Interconnected Infrastructure Risk: Healthcare networks increasingly interconnect with other critical sectors—pharmaceuticals, medical device suppliers, utilities, and telecommunications—creating cascading attack vectors. An expert quoted in July 2020 analysis noted that "risks could be exacerbated because of the interconnected nature of the sectors."

  3. Operational Technology Vulnerabilities: Critical infrastructure operators "have made little progress in protecting their networks 12 years after the discovery of Stuxnet," per the Black Hat USA 2022 keynote by journalist Kim Zetter (August 12, 2022). The discovery of Stuxnet in 2010 exposed OT network vulnerabilities that remain largely unaddressed in healthcare settings.

  4. Projected IoT Expansion: An estimated 20.5 billion network-connected devices were projected to be incorporated into critical infrastructure architectures by 2020, dramatically increasing attack surface without corresponding security improvements.

Notable Incidents

Methodist Hospital (Henderson, Kentucky) - March 2016

The FBI investigated a ransomware attack against Methodist Hospital in Henderson. This incident demonstrated early healthcare sector targeting, following similar attacks on Hollywood Presbyterian Medical Center in Los Angeles (which paid approximately $17,000 in ransom) and German hospitals in February 2016.

Eskenazi Health (Indianapolis) - August 2021

A ransomware attack on Eskenazi Health, a 315-bed hospital with community health centers throughout Indianapolis, began between 3:30 and 4:00 a.m. on a Wednesday morning in August 2021. By 8 a.m., the health system was turning ambulances away and diverting patients to other hospitals. The attack impacted all of Eskenazi Health's locations—hospital, inpatient facilities, and community health centers. The organization shut down systems to contain malware spread, including email systems, forcing manual patient record management.

Brno University Hospital (Czech Republic) - March 2020

The second-largest hospital in the Czech Republic experienced a cyberattack requiring operational rescheduling, patient relocation, and delays in COVID-19 test results. This incident preceded April 2020 warnings from Czech authorities to international allies regarding "imminent, large scale attacks on hospitals."

Irish Health Service - 2021

Referenced in a December 2021 analysis as one of multiple critical infrastructure sectors disabled by ransomware during 2021, alongside Colonial Pipeline and meat-processing giant JBS.

Broader 2021 Threat Data

CISA, FBI, and NSA documented ransomware attacks against healthcare specifically as part of the 14 critical infrastructure sectors targeted in 2021, noting that "ransomware tactics and techniques continued to evolve," which demonstrates "threat actors' growing technological sophistication and an increased ransomware threat to organizations globally."

Recommendations

Immediate Mitigations

  1. Implement Comprehensive NIST CSF Coverage: Extend beyond HIPAA-mandated "Protect" controls to establish Identify, Detect, Respond, and Recover capabilities aligned with all five functions of the NIST Cybersecurity Framework.

  2. Segment Operational Technology (OT) Networks: Isolate critical clinical systems (electronic health records, diagnostic equipment, life support) from standard IT infrastructure. Create air-gapped backup systems for patient data and critical operations.

  3. Deploy Multi-Factor Authentication: Require MFA on all external-facing systems and administrative accounts, particularly for remote access gateways that represent primary ransomware entry vectors.

  4. Establish Phishing Resistance Programs: Given that ransomware campaigns rely heavily on phishing, implement security awareness training with a specific focus on healthcare personnel, combined with email filtering and sandboxing technologies.

  5. Develop Incident Response and Business Continuity Plans: Establish procedures enabling hospitals to maintain emergency services and patient care during ransomware attacks, including manual operations capability, patient diversion protocols, and recovery timelines.

Strategic Actions

  1. Mandate Cross-Sector Security Coordination: Healthcare organizations must coordinate with pharmaceutical suppliers, medical device manufacturers, utilities, and telecom providers to map and secure interconnected dependencies that enable cascading attacks.

  2. Regulatory Enhancement: Advocate for federal mandates requiring healthcare facilities to achieve full NIST CSF alignment across all five functions, matching requirements applied to energy, government, and nuclear sectors.

  3. Supply Chain Risk Management: Assess third-party healthcare IT vendors and medical device manufacturers for security maturity; establish contractual cybersecurity requirements and continuous monitoring.

  4. Backup and Recovery Infrastructure: Maintain immutable, offline backups of critical patient data and system configurations; test recovery procedures quarterly to ensure RTO/RPO targets support patient care continuity.

  5. Information Sharing: Participate in CISA healthcare sector information sharing forums and healthcare-specific threat intelligence communities to receive timely alerts on emerging ransomware campaigns targeting hospitals.
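Strategic action 4 above calls for immutable, offline backups and quarterly restore tests measured against RTO/RPO targets. The following Python script is an added example, not part of this briefing or of any vendor tool: it checks a constructed backup manifest and restore-drill log against hypothetical targets. The system names (EHR, PACS), the targets, the 91-day drill window and all timestamps are assumptions chosen for illustration; only backups that are immutable, offline and integrity-verified count toward the RPO, and only a recent successful drill counts toward the RTO.

```python
"""Recovery-readiness check: backup age vs. RPO, restore-drill time vs. RTO.

Added example for this briefing; all data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupRecord:
    system: str
    completed_at: datetime
    immutable: bool  # write-once copy (e.g. object lock) that ransomware cannot overwrite
    offline: bool    # stored off the production network
    verified: bool   # post-backup integrity check passed


@dataclass(frozen=True)
class RestoreDrill:
    system: str
    started_at: datetime
    completed_at: datetime
    succeeded: bool


def _utc(*parts):
    """Build a timezone-aware UTC timestamp from (year, month, day, hour, minute)."""
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data (assumptions, not from the briefing). NOW is the assessment time.
NOW = _utc(2022, 9, 1, 12, 0)
TARGETS = {  # system -> (RPO, RTO); hypothetical targets
    "EHR": (timedelta(hours=4), timedelta(hours=8)),
    "PACS": (timedelta(hours=24), timedelta(hours=24)),
}
SAMPLE_BACKUPS = [
    BackupRecord("EHR", _utc(2022, 9, 1, 9, 30), True, True, True),
    BackupRecord("EHR", _utc(2022, 9, 1, 11, 45), False, False, True),  # online snapshot only
    BackupRecord("PACS", _utc(2022, 8, 30, 10, 0), True, True, True),
    BackupRecord("PACS", _utc(2022, 9, 1, 2, 0), False, True, True),    # newer but not immutable
]
SAMPLE_DRILLS = [
    RestoreDrill("EHR", _utc(2022, 7, 15, 8, 0), _utc(2022, 7, 15, 14, 30), True),
    RestoreDrill("PACS", _utc(2022, 4, 1, 8, 0), _utc(2022, 4, 1, 20, 0), True),  # older than one quarter
]


def latest_usable_backup(records, system):
    """Most recent backup that is immutable, offline and verified; None if there is none."""
    usable = [r for r in records
              if r.system == system and r.immutable and r.offline and r.verified]
    return max(usable, key=lambda r: r.completed_at, default=None)


def check_rpo(records, system, rpo, now):
    """Return (met, age): whether the newest usable backup is no older than the RPO."""
    backup = latest_usable_backup(records, system)
    if backup is None:
        return False, None
    age = now - backup.completed_at
    return age <= rpo, age


def check_rto(drills, system, rto, now, max_drill_age=timedelta(days=91)):
    """Return (met, duration) for the newest successful drill within the quarterly window."""
    recent = [d for d in drills
              if d.system == system and d.succeeded and now - d.completed_at <= max_drill_age]
    drill = max(recent, key=lambda d: d.completed_at, default=None)
    if drill is None:
        return False, None  # no recent evidence that the RTO is achievable
    duration = drill.completed_at - drill.started_at
    return duration <= rto, duration


def _hours(delta):
    return None if delta is None else delta.total_seconds() / 3600


def assess_recovery_readiness(records, drills, targets, now):
    """Per-system findings: {system: {rpo_met, backup_age_hours, rto_met, restore_hours}}."""
    report = {}
    for system, (rpo, rto) in targets.items():
        rpo_met, age = check_rpo(records, system, rpo, now)
        rto_met, duration = check_rto(drills, system, rto, now)
        report[system] = {
            "rpo_met": rpo_met,
            "backup_age_hours": _hours(age),
            "rto_met": rto_met,
            "restore_hours": _hours(duration),
        }
    return report


def run_assessment():
    """Run the check over the constructed sample data."""
    return assess_recovery_readiness(SAMPLE_BACKUPS, SAMPLE_DRILLS, TARGETS, NOW)


if __name__ == "__main__":
    for system, finding in run_assessment().items():
        print(system, finding)
```

In the sample data the EHR passes both checks, while PACS fails both: its newest backup is an online, non-immutable snapshot that does not count, so the last usable copy is 50 hours old, and its only restore drill is older than the quarterly window. Feeding the check a real manifest exported from the backup platform turns the briefing's "test quarterly" recommendation into a repeatable control.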


Source: CyberBriefing intelligence synthesis from 20 years of historical threat data.