Intermediate · 25 min read

Ransomware Protection & Response Guide

Protect your healthcare practice from ransomware attacks with prevention strategies and a step-by-step response playbook.

Tags: Ransomware Prevention · Incident Response · Backup Strategy · Recovery Planning · Staff Training

The Ransomware Threat to Healthcare

Ransomware attacks against healthcare organizations increased 94% in 2025. The average ransom demand for healthcare targets is $1.27 million, and the total cost of recovery (including downtime, lost revenue, and remediation) averages $4.82 million. For a small practice, a single ransomware attack can be devastating — even fatal to the business.

How Ransomware Attacks Work

Phase 1: Initial Access

Attackers gain entry through:

  • Phishing emails (68% of healthcare ransomware attacks start here)
  • Exploited vulnerabilities in unpatched software
  • Compromised remote access (VPN accounts without MFA, RDP exposed to the internet, remote-support tools)
  • Supply chain compromise through infected vendor software

Phase 2: Lateral Movement

Once inside, attackers:

  • Harvest credentials from memory and Active Directory
  • Map the network to identify critical systems
  • Move between systems to maximize their reach
  • Identify and attempt to delete or encrypt backups

Phase 3: Data Exfiltration

Modern ransomware gangs practice "double extortion":

  • Steal sensitive data before encrypting
  • Threaten to publish patient records if ransom isn't paid
  • This means backups alone won't protect you from exposure

Phase 4: Encryption

The ransomware activates:

  • Every file the compromised accounts can reach is encrypted, including mapped network shares and any backup drive that is still attached
  • Ransom note appears demanding cryptocurrency payment
  • Systems become unusable — EHR, billing, scheduling, email
  • Patient care is disrupted

Prevention Checklist

Email Security

  • Deploy advanced email filtering with sandbox analysis
  • Implement DMARC, DKIM, and SPF records
  • Block dangerous attachment types (.exe, .js, .vbs, .scr, and container formats such as .iso and .lnk), including when they arrive inside archives
  • Enable link rewriting and URL scanning
  • Conduct monthly phishing simulations
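The SPF, DKIM and DMARC step is where most practices stop at "records exist" and never check whether the records actually enforce anything. The script below is an added example, not code from this guide or from any vendor: it audits a domain's three records offline and reports the weak settings that leave spoofing unblocked. The record strings and the domain names (`mailhost.invalid`, `clinic.invalid`) are constructed samples; in a real audit you would fetch the TXT records at `<domain>`, `_dmarc.<domain>` and `<selector>._domainkey.<domain>` and pass them in.

```python
# Added example (not the guide's own code): offline audit of SPF, DMARC and DKIM records.
# Record strings and domain names below are constructed samples.
from typing import Dict, List

SAMPLE_RECORDS = {
    # Typical "set up once and forgotten" state: softfail SPF, monitor-only DMARC, no DKIM.
    "weak": {
        "spf": "v=spf1 include:_spf.mailhost.invalid ~all",
        "dmarc": "v=DMARC1; p=none; pct=50",
        "dkim": "",
    },
    # Target state: hard fail, enforced reject, aggregate reports, signed outbound mail.
    "hardened": {
        "spf": "v=spf1 include:_spf.mailhost.invalid -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@clinic.invalid; adkim=s; aspf=s",
        "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed",
    },
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' syntax (used by DMARC and DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> List[str]:
    findings = []
    if not record:
        return ["SPF: no record; any host may send mail as this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1"]
    # The 'all' mechanism decides what happens to senders no earlier term matched.
    # (redirect= modifiers are not followed here.)
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
    if all_term is None or qualifier == "+":
        findings.append("SPF: missing or '+all' terminator permits any sender")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfail; move to -all once every legitimate sender is listed")
    return findings


def check_dmarc(record: str) -> List[str]:
    if not record:
        return ["DMARC: no record; spoofed mail reaches inboxes with no policy applied"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: missing v=DMARC1 tag")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; finish the rollout at p=reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - pct}% of failing mail unpoliced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you never see who is spoofing the domain")
    return findings


def check_dkim(record: str) -> List[str]:
    if not record:
        return ["DKIM: no selector record; outbound mail is unsigned, so DMARC depends on SPF alone"]
    if not parse_tags(record).get("p"):
        return ["DKIM: empty p= tag means the key has been revoked"]
    return []


def audit(records: Dict[str, str]) -> List[str]:
    """All findings for one domain's record set; an empty list is the goal."""
    return (check_spf(records.get("spf", ""))
            + check_dmarc(records.get("dmarc", ""))
            + check_dkim(records.get("dkim", "")))
```

Run `audit(SAMPLE_RECORDS["weak"])` and you get five findings; the hardened set returns none. The order of the DMARC rollout matters: publish `p=none` with `rua=` first, fix every legitimate sender that shows up failing in the reports, then move to `quarantine` and finally `reject`. Jumping straight to `reject` with an incomplete SPF record blocks your own billing or lab-results mail.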

Endpoint Protection

  • Deploy endpoint detection and response (EDR) on all devices
  • Enable automatic OS and software updates
  • Restrict administrative privileges (least privilege)
  • Block Office macros in files downloaded from the internet (Mark of the Web) and disable them by default everywhere else
  • Restrict PowerShell for standard users with application control (AppLocker or WDAC) and Constrained Language Mode, and turn on script block logging so any use is recorded

Network Security

  • Segment clinical networks from administrative and guest networks
  • Restrict Remote Desktop Protocol (RDP) — disable if not needed
  • Require VPN with MFA for all remote access
  • Deploy intrusion detection/prevention systems (IDS/IPS)
  • Monitor DNS queries for known malicious domains
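"Monitor DNS queries for known malicious domains" is easy to get subtly wrong: a naive substring match lets `notc2-example.invalid` trip an alert for `c2-example.invalid`, and a plain equality check misses the subdomains that malware actually resolves. The script below is an added example, not part of this guide, showing label-boundary matching of resolver log lines against a blocklist. The log lines, the client addresses and the blocklist entries (on the reserved `.invalid` and `.test` TLDs) are constructed samples; the three-field `timestamp client qname` log format is an assumption, so adapt the parser to whatever your resolver writes.

```python
# Added example (not the guide's own code): match resolver logs against a domain blocklist.
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed blocklist on reserved TLDs; a real feed would supply these.
BLOCKLIST: Set[str] = {"c2-example.invalid", "payload-host.test"}

# Constructed log lines in an assumed "timestamp client qname" format.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z 10.10.5.23 ehr-vendor.example.com
2025-03-04T09:12:07Z 10.10.5.23 update.c2-example.invalid
2025-03-04T09:12:08Z 10.10.5.23 C2-EXAMPLE.INVALID.
2025-03-04T09:13:40Z 10.10.7.9 notc2-example.invalid
2025-03-04T09:14:02Z 10.10.7.9 cdn.payload-host.test
"""


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing root dot so 'EVIL.TEST.' equals 'evil.test'."""
    return qname.rstrip(".").lower()


def matches_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocked domain that qname equals or is a subdomain of, else None.
    Comparison is per label, so 'notc2-example.invalid' does not match 'c2-example.invalid'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_dns_log(text: str, blocklist: Set[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group blocklist hits by client so the response team sees which hosts to isolate first."""
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; a production parser would count these
        timestamp, client, qname = parts
        matched = matches_blocklist(qname, blocklist)
        if matched:
            hits[client].append((timestamp, normalize(qname), matched))
    return dict(hits)


if __name__ == "__main__":
    for client, events in scan_dns_log(SAMPLE_LOG, BLOCKLIST).items():
        print(client, len(events), "hit(s):", events)
```

Two hosts surface: 10.10.5.23 resolved the blocked domain and a subdomain of it, 10.10.7.9 resolved a subdomain of the second entry, and the look-alike `notc2-example.invalid` is correctly ignored. Feed the grouped output into whatever ticketing or EDR isolation workflow you use; a client that keeps resolving a blocked domain after hours is exactly the beacon you want to catch before Phase 2 begins.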

Backup Strategy (The 3-2-1 Rule)

  • Maintain at least 3 copies of critical data
  • Store on 2 different media types (cloud + local)
  • Keep 1 copy offline or immutable (air-gapped media, or cloud object storage with a retention lock) so that an attacker holding domain-admin credentials cannot delete or encrypt it
  • Test backup restoration monthly
  • Encrypt all backup data
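A monthly restore test only proves something if you can tell a backup that ransomware quietly encrypted or deleted from one that is intact. The script below is an added example, not code from this guide or any backup product: it writes a signed manifest of file hashes at backup time and later verifies the backup set against it, reporting modified, missing and unexpected files. The HMAC key is meant to live with the offline copy, never on the backup server, so an attacker who owns the server cannot re-sign a doctored manifest. The directory layout, file names and the key handling in `demo()` are constructed for illustration.

```python
# Added example (not the guide's own code): signed backup manifest and restore-test verification.
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterator


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _files_under(root: Path) -> Iterator[Path]:
    return (p for p in sorted(root.rglob("*")) if p.is_file())


def build_manifest(backup_root: Path, key: bytes) -> bytes:
    """Hash every file in the backup set and sign the listing with an HMAC key.
    Store the key with the offline copy, not on the backup server."""
    entries = {}
    for path in _files_under(backup_root):
        rel = path.relative_to(backup_root).as_posix()
        entries[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}).encode()


def verify_backup(backup_root: Path, manifest_bytes: bytes, key: bytes) -> Dict:
    """Check the manifest signature first, then every file against its recorded hash."""
    doc = json.loads(manifest_bytes)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    result = {"manifest_ok": hmac.compare_digest(expected, doc["hmac"]),
              "missing": [], "modified": [], "unexpected": []}
    if not result["manifest_ok"]:
        return result  # a manifest that fails its signature proves nothing; stop here
    present = {p.relative_to(backup_root).as_posix(): p for p in _files_under(backup_root)}
    for rel, meta in doc["entries"].items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_file(present[rel]) != meta["sha256"]:
            result["modified"].append(rel)
    result["unexpected"] = sorted(set(present) - set(doc["entries"]))
    return result


def demo() -> Dict:
    """Constructed scenario: back up a small set, then simulate ransomware reaching the
    backup share (one file encrypted in place, one deleted, a ransom note dropped)."""
    key = os.urandom(32)  # in practice generated once and kept with the offline copy
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        (root / "ehr" / "patients.db").write_bytes(b"constructed sample database rows\n" * 100)
        (root / "ehr" / "schedule.csv").write_text("date,patient,provider\n2025-01-02,P0001,Dr. A\n")
        (root / "billing.json").write_text('{"claims": []}')
        manifest = build_manifest(root, key)
        # What the attacker does to a reachable backup share:
        (root / "ehr" / "patients.db").write_bytes(os.urandom(4096))  # encrypted in place
        (root / "billing.json").unlink()                                # deleted
        (root / "README_DECRYPT.txt").write_text("constructed ransom note")
        return verify_backup(root, manifest, key)


def demo_forged_manifest() -> bool:
    """A manifest verified with a key the attacker never had must fail closed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.txt").write_text("x")
        manifest = build_manifest(root, b"k" * 32)
        return verify_backup(root, manifest, b"wrong-key")["manifest_ok"]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed scenario the verifier reports `ehr/patients.db` as modified, `billing.json` as missing and the ransom note as unexpected, which is exactly the answer you need before deciding whether a backup can be used for recovery. Run the check from a clean machine against the offline copy; a verification run on the compromised network is worth little, because the attacker may still control it.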

Staff Training

  • Quarterly cybersecurity awareness training
  • Phishing recognition and reporting procedures
  • Social engineering awareness
  • USB and removable media policies
  • Incident reporting procedures

Ransomware Response Playbook

Hour 0-1: Detection and Containment

  1. Isolate affected systems — disconnect from network immediately (unplug Ethernet, disable WiFi)
  2. Do NOT power off affected hosts: volatile memory holds the running processes, network connections and sometimes the encryption keys that forensic analysis needs, so isolate by network instead
  3. Alert your incident response team (or designate one now)
  4. Document everything — timestamps, affected systems, ransom note details
  5. Do NOT pay the ransom yet — this is a business decision for later
  6. Preserve the ransom note — take photos, save screenshots

Hour 1-4: Assessment

  1. Determine scope — which systems are affected?
  2. Identify the ransomware variant — use the ransom note, encrypted file extension, or upload a sample to ID Ransomware (id-ransomware.malwarehunterteam.com)
  3. Check for free decryptors at nomoreransom.org
  4. Assess data exfiltration: were files stolen before encryption? Look for large outbound transfers in firewall, proxy and cloud-storage logs, and for staging archives or sync tools such as rclone on the compromised hosts
  5. Evaluate backup integrity — are your backups intact and unencrypted?
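Determining scope and identifying the variant are both file-system questions: how many files were encrypted, which extension was appended, and where the ransom notes are. The script below is an added example, not code from this guide or from ID Ransomware: it walks a share, flags files whose content is high-entropy and whose extension is not a format that is high-entropy by design, picks out ransom-note file names, and tallies the extensions on encrypted files so you know what to submit for identification. The directory, the file names, the `.lockdemo` extension and the note text in `demo()` are constructed samples, and the 7.5-bit entropy threshold and the note-name pattern are heuristics chosen here, not values from the guide.

```python
# Added example (not the guide's own code): scope and variant triage on an encrypted share.
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

# Formats that are compressed or encrypted by design; high entropy alone is not evidence here.
HIGH_ENTROPY_BY_DESIGN = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".pdf",
                          ".docx", ".xlsx", ".pptx", ".mp4"}
# Ransom notes are usually text/HTML files with names like these (heuristic, assumed here).
NOTE_PATTERN = re.compile(r"(readme|restore|decrypt|recover|how_to|help).*\.(txt|html|hta)$", re.I)
ENTROPY_THRESHOLD = 7.5  # bits per byte; random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 4096) -> str:
    """Return 'ransom_note', 'encrypted' or 'clean' for one file."""
    if NOTE_PATTERN.search(path.name):
        return "ransom_note"
    with path.open("rb") as handle:
        head = handle.read(sample_size)
    ext = path.suffix.lower()
    if ext not in HIGH_ENTROPY_BY_DESIGN and len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "clean"


def triage(root: Path) -> Dict:
    """Walk a share; the dominant extension on encrypted files is what you submit for variant ID."""
    verdicts: Counter = Counter()
    extensions: Counter = Counter()
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        verdict = classify(path)
        verdicts[verdict] += 1
        if verdict == "encrypted":
            extensions[path.suffix.lower() or "(none)"] += 1
        elif verdict == "ransom_note":
            notes.append(path.name)
    return {"counts": dict(verdicts),
            "encrypted_extensions": extensions.most_common(3),
            "ransom_notes": sorted(notes)}


def demo() -> Dict:
    """Constructed share: two untouched files, two encrypted files with an appended
    extension, and a ransom note. All names and contents are made up for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("Patient called to reschedule.\n" * 40)
        (root / "scan.zip").write_bytes(os.urandom(2048))          # legitimately high-entropy
        (root / "patients.db.lockdemo").write_bytes(os.urandom(8192))
        (root / "claims.xlsx.lockdemo").write_bytes(os.urandom(8192))
        (root / "RESTORE_FILES.txt").write_text("constructed ransom note text")
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

On the constructed share the result is two clean files, two encrypted files sharing the `.lockdemo` extension, and one note, which is the information ID Ransomware asks for. Two caveats a practitioner should keep in mind: a variant that keeps the original extension will still be caught on databases and documents but not on files that are already compressed, and a legitimate encrypted archive with an unusual extension will be flagged, so treat the output as a starting inventory for the scope assessment rather than a verdict.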

Hour 4-24: Notification and Response

  1. Contact law enforcement — FBI (ic3.gov) and/or local field office
  2. Notify your cyber insurance carrier (if applicable)
  3. Engage a forensic investigation firm (your insurer may have preferred vendors)
  4. Assess HIPAA breach notification requirements: OCR treats ransomware encryption of ePHI as a presumed breach, and the 60-day notification clock runs from the date of discovery
  5. Communicate with staff — provide clear instructions on what to do and not do

Day 1-7: Recovery

  1. Rebuild from clean backups: do NOT restore from a backup that was reachable from the compromised network during the attack until its integrity has been verified from a clean host
  2. Reset ALL credentials across the organization, including service accounts, and reset the Active Directory krbtgt account twice so that forged Kerberos tickets stop working
  3. Close the initial access vector: patch the exploited software, remove exposed RDP, and revoke the accounts and VPN credentials the attacker used
  4. Deploy enhanced monitoring on rebuilt systems
  5. Verify system integrity before reconnecting to the network

Day 7-30: Post-Incident

  1. Conduct a thorough post-incident review
  2. Update your incident response plan based on lessons learned
  3. Complete HIPAA breach notifications if required
  4. Implement additional security controls to prevent recurrence
  5. Provide targeted training to staff on the attack vector used

To Pay or Not to Pay

The FBI recommends against paying ransoms. However, the decision is complex:

Arguments against paying:

  • No guarantee you'll get a working decryptor
  • Funds criminal organizations
  • Makes you a target for future attacks
  • May violate OFAC sanctions if the attacker is a sanctioned entity

Arguments for paying (in some cases):

  • Patient safety may require immediate system restoration
  • Backups may be compromised or insufficient
  • Double extortion threat to publish patient data

If you decide to pay: Work with law enforcement and a professional ransomware negotiator. Never communicate directly with attackers.

HIPAA Implications

A ransomware attack is presumed to be a HIPAA breach unless you can demonstrate a low probability that PHI was compromised. You must:

  • Conduct a risk assessment per the Breach Notification Rule
  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery
  • Notify HHS: for breaches affecting 500 or more individuals, at the same time as individual notice (within the same 60 days); for fewer than 500, log the breach and report it to HHS within 60 days after the end of the calendar year in which it was discovered
  • Notify prominent media outlets serving a state or jurisdiction if more than 500 of its residents are affected

How HIPAA Agent Helps

Our HIPAA Compliance Platform includes:

  • Ransomware playbook generator customized to your practice's EHR, backup systems, and IT setup
  • Real-time threat intelligence alerting you to active ransomware campaigns targeting healthcare
  • Dark web monitoring detecting if your credentials are compromised before attackers use them
  • Breach probability scoring identifying your biggest vulnerabilities before an attack

Ready to Automate Your Compliance?

HIPAA Agent handles all of this for you automatically.


Related Guides

  • Healthcare Cybersecurity Assessment Guide (Intermediate · 20 min read)
  • Dark Web Monitoring for Healthcare (Beginner · 15 min read)
  • Cyber Insurance Readiness Guide (Intermediate · 20 min read)