US hospitals targeted by ransomware

shutterstock 538856332

Multiple hospitals across the US are being targeted by ransomware attacks as officials warned last night that healthcare organisations need to beef up their cyber security defences.

Healthcare organisations are successfully upgrading their outdated operating systems in order to meet modern day cyber security requirements, a new report from Forescout has revealed. However, it also found that there are still tangible vulnerabilities within their networks that have the potential to cause catastrophic damage and additional strain on critical services.

The company’s Connected Medical Device Security report has analysed detailed information from the 3.3 million devices contained within the Forescout Device Cloud.

The number of soon-to-be unsupported versions of Windows devices found in its sample of healthcare networks has decreased to 32%, the findings reveal. Last year, that number was 71%, indicating that the industry is taking steps in the right direction to meet current cyber security standards.

The percentage of devices running entirely unsupported operating systems, however, – including Windows XP and Windows Server 2003 – has remained unchanged at 0.4%. While this number is small, these devices tend to be some of the most critical within healthcare organisations, highlighting that the risk posed by legacy operating systems still remains.

“WannaCry crippled the NHS back in 2017 and outdated systems played a huge role in that, so it’s great to see that healthcare organisations are making the necessary improvements to their IT in order to keep their networks safe,” explained Rich Orange, Regional Director, UK&I at Forescout.

“That said, many are still struggling to protect and secure every connected thing on the network. It only takes one connected device to fall victim to a bad actor and ultimately take down an entire system, and that scenario doesn’t bear thinking about with the current pressure on healthcare services.”

The report also found that network segmentation within healthcare organisations is on the rise, with a sharp decrease in deployments running only one VLAN, while there is an increase in deployments with more than 25 VLANs.

However, computers, printers and even personal devices such as smartphones were often present in the same VLAN as healthcare equipment such as patient monitors and X-Ray machines. For every VLAN with at least one healthcare device, 60% of organisations also had non-healthcare devices on the same segment. 90% of VLANs have a mix of healthcare devices and IT devices.

“To avoid an attack that could have the same impact as that of WannaCry, organisations need to have full situational awareness of their network. This, coupled with effective segmentation to stop attackers moving laterally through the network, will help prevent something as important as medical data being exploited or critical public services being taken offline,” concludes Orange.


Faiz Shuja, Co-Founder & CEO, SIRP Labs:

“Since the start of the pandemic we have repeatedly seen cyber criminals launching attacks against hospitals. Today’s advisory from the FBI simply underlines the serious nature of this threat. Ryuk ransomware is a particular favourite method of attack and, sadly, at least one death has resulted from the disruption this causes to essential medical services.

When ransomware strikes, Hospital Security Operations Centres (SOCs) have mere minutes to respond. Swift identification of threats and a capacity to respond rapidly are vital. For this reason we recommend organisations pursue a risk-based approach to their cybersecurity. The aim is to provide security analysts with context about the nature and severity of alerts so they can quickly make informed judgments and minimise the potential for services disruption.” 


Charles Carmakal, SVP and CTO of Mandiant:

“Ransomware attacks on our healthcare system may be the most dangerous cyber security threat we’ve ever seen in the United States. UNC1878, an Eastern European criminal threat actor, is deliberately targeting and disrupting U.S. hospitals with ransomware, forcing them to divert patients to other healthcare providers. Patients may experience prolonged wait time to receive critical care. Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline. As hospital capacity becomes more strained by COVID-19, the danger posed by this actor will only increase.

“UNC1878 is one of most brazen, heartless, and disruptive threat actors I’ve observed over my career. We are releasing a significant amount of information about UNC1878 to help organizations defend their networks.”



To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here.

Media contact

Rebecca Morpeth Spayne,
Editor, Security Portfolio

Tel: +44 (0) 1622 823 922

Subscribe to our newsletter

Don't miss new updates on your email