EHRs and Ransomware: Protecting Your Crown Jewel

Last year, more than a dozen health systems were driven into EHR downtime by ransomware attacks. The EHR is the information-system equivalent of the heart of a healthcare provider: all-important patient information flows through these critical systems.

In some cases, organizations shut the systems down to protect them from an uncontrollable spread of ransomware. In others, the attack compromised the systems themselves. Either scenario has the potential to cause enough financial damage that the organization is unable to recover.

As I address in another recent blog, ideally, healthcare organizations will have sufficient safeguards in place to prevent a ransomware infection from occurring. Safeguards may include anti-phishing training, policies and procedures, antivirus and anti-malware solutions, updating and hardening systems, web filtering, and secure email gateways. However, even with these safeguards in place, there is still a risk of infection.

If a healthcare provider detects a ransomware infection before it has spread to the EHR, the organization can take steps to ensure the attack does not cripple the EHR. It should immediately isolate the infected systems by removing them from the network. The IT organization should make backups of systems. Incident response activities should start immediately, including analysis of the ransomware. The organization should also begin threat hunting to ensure the ransomware has not already spread beyond the identified systems.
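Catching an infection before it reaches the EHR depends on noticing the behaviour early. The following Python script is an added example, not code from the original post or from Clearwater: it runs a simple detector over constructed file-activity log lines (the `<timestamp> <host> <action> <path>` format, the hostnames `ehr-app-01`/`ehr-db-02`, the `.lockd` extension, the 60-second window, the 20-rename threshold and the ransom-note name markers are all assumptions made for this demonstration) and reports hosts showing mass renames to one new extension or the creation of a ransom-note-like file. The hosts it returns are the ones an incident responder would isolate from the network first.

```python
"""Heuristic detector for ransomware-style mass file encryption.

Added example; not part of the original post or of any Clearwater tooling.
Log format, hostnames, extensions and thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)          # assumption: look-back window per host
RENAME_THRESHOLD = 20                   # assumption: renames to one new extension
NOTE_MARKERS = ("DECRYPT", "RESTORE", "README")  # assumption: ransom-note naming


def _sample_log():
    """Constructed sample: one host mass-renaming charts, one host rotating logs."""
    lines = []
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ehr-app-01 RENAME "
                     f"/data/charts/p{1000 + i}.pdf->/data/charts/p{1000 + i}.pdf.lockd")
    ts = (t0 + timedelta(seconds=26)).isoformat()
    lines.append(f"{ts} ehr-app-01 CREATE /data/charts/README_TO_RESTORE.txt")
    # Benign activity: a few log rotations five minutes apart on a database host
    for i in range(3):
        ts = (t0 + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} ehr-db-02 RENAME /var/log/db/audit.log->/var/log/db/audit.log.{i}")
    return lines


def parse_line(line):
    """Split '<ISO timestamp> <host> <action> <path>' into typed fields."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def find_suspect_hosts(lines):
    """Return {host: reason} for hosts whose file activity looks like encryption."""
    renames = defaultdict(deque)  # host -> recent (timestamp, new_extension)
    findings = {}
    for line in lines:
        ts, host, action, path = parse_line(line)
        if action == "RENAME" and "->" in path:
            old, new = path.split("->", 1)
            old_ext, new_ext = os.path.splitext(old)[1], os.path.splitext(new)[1]
            if new_ext == old_ext:
                continue  # extension unchanged: not an encryption-style rename
            recent = renames[host]
            recent.append((ts, new_ext))
            while recent and ts - recent[0][0] > WINDOW:
                recent.popleft()  # drop events outside the look-back window
            ext, n = Counter(e for _, e in recent).most_common(1)[0]
            if n >= RENAME_THRESHOLD:
                findings.setdefault(host, f"{n} renames to '{ext}' within {WINDOW.seconds}s")
        elif action == "CREATE":
            name = os.path.basename(path).upper()
            if any(marker in name for marker in NOTE_MARKERS):
                findings.setdefault(host, f"possible ransom note {path}")
    return findings


if __name__ == "__main__":
    for host, reason in find_suspect_hosts(_sample_log()).items():
        print(f"ISOLATE {host}: {reason}")
```

The threshold and window are deliberately coarse; in practice they would be tuned against a baseline of normal file-server activity so that backup jobs and log rotation (the `ehr-db-02` lines above) do not trigger an isolation.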

If a ransomware attack reaches the EHR system, the organization needs to take additional steps to mitigate the impact. The first thing an organization needs to do is execute its business continuity plan to maintain operations while the system is unavailable. Implementing the plan typically means going to paper records and manual processes. While this is going on, the organization will need to be careful to identify and remove all infected systems from the network. Failure to do so can result in a lot of effort being for naught when systems are reinfected soon after IT puts them back online.

If the ransomware has not spread to the organization’s backups, it will need to restore from those backups. If the backups are infected as well, there is a chance that a decryption key is already publicly available, and if so, the organization can try decrypting its files.

If these options are not available, the organization will need to decide if it will pay the ransom, and if so, hope that the keys provided by the attacker will decrypt its systems without too much further damage.

If the organization is forced down this path, it should continue its threat hunting efforts. As attackers have become more sophisticated in their attacks, they often leave backdoors in place to easily reinfect their victims. It is essential that any malware they have placed in the organization’s systems is eradicated and that any access they might still have is locked down.

Along those same lines, now that the organization has demonstrated its willingness to pay a ransom, it is even more vital that it strengthen its defenses lest it be victimized again. Identifying risk and treating that risk by introducing additional safeguards is even more urgent than before the initial infection.

Fortunately, most organizations recognize that the EHR is one of their crown jewels; therefore, it is more likely that business continuity and disaster recovery planning is in place. If this is the case, the organization will be better prepared to recover these systems. Nevertheless, recovery can still take time. If an organization has not planned and tested its recovery plans in advance, recovery can be challenging and time-consuming, if it can be done at all.

The most important thing an organization should do if it is worried about a ransomware attack impacting its EHR is to take action now, before the attack happens. Being proactive includes identifying the risk to those systems, implementing controls to safeguard the systems and information, monitoring to identify infections before the ransomware is deployed, developing incident response capabilities to deal with infections, and having backup, business continuity, and disaster recovery plans in place and tested.

Clearwater has experts who can assist with risk management, business continuity planning, and threat hunting if needs arise in these areas. Reach out to us with your questions and concerns at
