The Growing Threat of Ransomware in Health Care: Insights from a Cybersecurity Expert
Cecil P., a health care executive and Chief Information Security Officer (CISO) at R1 RCM, recently appeared on The Podcast by KevinMD to explore the intensifying ransomware crisis affecting health care systems. In this article, we dive into Cecil’s perspectives on the context of ransomware, its devastating effects, notable incidents like the Change Healthcare attack, and actionable strategies for health care organizations to bolster their defenses.
The context of ransomware in health care
Ransomware has emerged as a profoundly disruptive force in health care, with Cecil estimating that seven or eight out of ten Americans have been impacted in some way over the past decade. This pervasive threat dominates conversations among cybersecurity professionals and health care executives, surfacing daily in boardrooms and operational discussions. Cecil shared that during a recent daily call, the term "ransomware" came up five or six times, underscoring its urgency. He contrasts today’s multimillion-dollar ransom demands with earlier, smaller-scale incidents from his time as CISO at DFW International Airport, illustrating the alarming escalation of this crisis.
Understanding ransomware
Ransomware, as Cecil explains, is a form of malware that infiltrates systems through avenues like phishing emails, malicious links, or compromised websites. Once activated—often by an unsuspecting click—it encrypts data, and in modern cases, exfiltrates it, holding it hostage. Attackers then demand payment to restore access or prevent the public release of sensitive information. In health care, the stakes are elevated due to the critical nature of patient data and safety, where disruptions can halt access to lab results or medical histories, directly threatening care delivery.
Why health care is a prime target
Health care organizations are prime targets due to the vast amounts of sensitive data they manage and the urgent need to maintain operations for patient safety. Cecil highlights that this urgency can pressure institutions into paying ransoms, particularly when backups fail or downtime jeopardizes lives. Perpetrators, often based in Eastern Europe or Russia—including groups like BlackCat—exploit these vulnerabilities, capitalizing on the sector’s reliance on uninterrupted system access.
Notable ransomware cases in health care
Cecil points to the Change Healthcare attack as a stark example of ransomware’s toll. Initially reported to have compromised 100 million patient health information (PHI) records, the figure has since risen to 190 million, with costs nearing $2.5 billion. When the attack hit, Cecil’s team at R1 RCM faced "managed chaos," swiftly disconnecting systems to contain the threat. He emphasizes the importance of monitoring "indicators of compromise" to prevent the attack from spreading, a process that required hourly assessments of the "blast radius" to safeguard unaffected systems.
How ransomware spreads
Ransomware often begins with simple actions—an employee clicking a phishing link, an SMS with a deceptive toll payment prompt, or a visit to a hijacked website. Cecil notes that within minutes, the malware can encrypt data or render systems unusable, displaying ransom demands. With countless entry points, health care systems must remain vigilant, as even routine interactions can trigger catastrophic breaches.
Containing and responding to ransomware
When ransomware strikes, rapid containment is critical. Cecil describes disconnecting affected systems and assessing the compromise’s scope to limit its spread. Success hinges on layered defenses—such as email sandboxing, advanced malware protection tools like CrowdStrike, and website monitoring—which can block threats at multiple stages. While many organizations thwart attacks this way, some face the tough choice of paying ransoms when backups are unavailable or patient safety hangs in the balance.
The decision to pay the ransom
Deciding whether to pay a ransom involves weighing backups, data exposure risks, and patient care urgency. Cecil stresses that this choice should involve business leaders, not just cybersecurity teams, and ideally be predetermined. However, real-time pressures—like looming deadlines from attackers threatening to publish data—can shift stances. While most who pay recover their data, Cecil cautions that outcomes are unreliable, as seen in the Change Healthcare case where payment didn’t fully resolve the issue.
Preparedness and prevention
Despite progress, Cecil believes the health care industry lags in proactive ransomware defenses, though recent high-profile breaches have elevated it to a business priority. Layers of protection are essential: email security to inspect links, malware tools to detect threats, and website filters to block malicious sites. For large organizations like R1 RCM, facing billions of weekly attacks, these measures often succeed, yet continuous improvement remains vital.
Advice for smaller practices
For smaller practices lacking robust budgets, Cecil advocates affordable basics: daily, tested backups separated from primary systems and alternative operating plans for outages. Drawing from a conversation with an ER doctor, he underscores the real-world impact—manual workarounds become necessary when systems fail, yet critical data like lab results may remain inaccessible. Preparation, he argues, is non-negotiable for resilience.
Final thoughts
Cecil’s core message is preparedness: health care organizations must invest in security tools, maintain reliable backups, and plan for system downtime. “It’s not a matter of if; it’s a matter of when,” he warns, urging leaders to treat cybersecurity as a business imperative. By acting proactively, the industry can better withstand the ransomware onslaught.