Ransomware's Impact on Healthcare: Incident Response Plans are Critical

Unfortunately, healthcare organizations are more likely to pay a ransom because their records are essential for patient care, making them a prime target for cyber-attacks.

The value of patient health records is especially enticing to threat actors, given the scope of information contained, such as a patient's date of birth, payment details, Social Security Number, home address, and email address. And oftentimes, they are inadequately secured.

Experts found it can take only a few seconds to get into a patient’s health record. Additionally, threat actors may receive up to $1,000 for it, making it a lucrative record to buy. The dark web revealed an entire healthcare organization had a price tag of $10 million.

You Need a Current and Tested Incident Response Plan

Many healthcare organizations continue to operate without an incident response (IR) plan despite the increase in cyber threats and 3.4 billion phishing emails sent daily.

Forty-two percent of healthcare organizations do not have an incident response plan due to a lack of knowledge and staff to implement the entire framework, according to a report by Shred-it.

The remaining 58 percent of healthcare organizations most likely have an outdated or untested IR plan.

Downtime Can Be Costly

When an incident occurs (depending on the severity), an organization may experience significant downtime, meaning their key operating systems are crippled. Incidents prevent healthcare workers from accessing vital data to provide critical patient care.

In 2021, 2,032 medical organizations experienced a ransomware attack that impacted 19.76 million patient records and cost almost $7.8 billion in downtime, according to Comparitech.

The amount of downtime can be decreased significantly with an effective IR plan.

Not only does an IR plan reduce downtime, but it also provides an organized approach to quickly respond and restore your organization's operations during an incident.

But note: Incident response plans are not "one and done." The IR plans require regular testing and revision to protect patients and organizations as part of a continuous improvement program.

Post-Incident: Conduct a Post-Mortem

Once a healthcare organization has recovered from an incident, it is important to conduct a "post-mortem" or "lessons learned" exercise with the incident response team and other key stakeholders.

A post-incident exercise allows teams to identify strengths and weaknesses within their incident response plan and evaluate areas of opportunity. It is an effective way to improve processes, revise communication plans, and update external business partners.

Post-Incident Questions

You can use the following questions as a guideline to conduct the post-incident discussion:

  1. Was your incident response plan easy to execute and did it provide guidance during the incident?
  2. Did the incident response team have the depth to fill gaps in case a member of the primary team is unavailable?
  3. Did the incident response team have the proper training, authority, and tools to quickly detect, respond, and recover from the incident?
  4. Did internal and external business partners provide proper responses to employees, vendors, and government entities?
  5. What network security tools, training, internal communications, or processes are needed to enhance the protection and detection of cyber incidents?

Gathering the above information should lead to a revised IR plan that has:

  • A diverse and strong balance of skill sets among business partners (IT, Compliance Officer, Legal, HR, and communications).
  • Reliable and reputable external partners that provide the expertise to execute and support the organization during the incident.
  • Streamlined processes, customized training, and commitment from leadership to test it regularly.


In a nutshell, healthcare is a hotspot for threat actors targeting valuable patient records. Shockingly, almost half of these places are flying blind without solid incident response plans, risking major disruptions and costs in the case of an incident. Time for a reality check: develop an incident response plan, test it, and update it regularly to avoid costly downtime and regulatory penalties.

If you are looking to develop, revise, or test your incident response plan, contact PacketWatch. Our advisory services team is ready to help organizations like yours close security and compliance gaps.

Sheri Garver has nearly two decades of professional accreditation and compliance background. She is the Senior Advisor of Regulatory Compliance for PacketWatch, a premier cybersecurity firm in Scottsdale, Arizona.

If you need help with your compliance or accreditation programs, please contact PacketWatch so we can discuss how we can help your organization meet and exceed its compliance goals.
