Claroty’s “Global State of CPS Security 2024 report highlights the impact of cyberattacks on healthcare, revealing that 78% of organizations paid over $500,000 in ransomware recovery. Ty Greenhalgh, healthcare industry principal at Claroty, shares insights into these findings below.

24×7: How do ransomware attacks on cyber-physical systems differ from traditional IT system breaches in terms of impact on healthcare environments?

Ty Greenhalgh: Ransomware attacks on cyber-physical systems (CPS) in healthcare differ significantly from traditional IT breaches because they directly target physical systems responsible for critical care, such as medical devices and healthcare infrastructure. IT breaches typically impact the confidentiality, integrity, or availability of data—the cybersecurity triad. Traditionally, breaches were viewed mainly as threats to data confidentiality. However, healthcare has recently shifted its focus toward the importance of availability and system uptime.

Ty Greenhalgh
Ty Greenhalgh

CPS attacks can severely disrupt healthcare operations, leading to postponed surgeries, diverted patients, and compromised patient safety. Claroty’s research reveals that nearly half of respondents experienced over 12 hours of downtime due to cyberattacks, which in healthcare can delay care, cause misdiagnoses, or even result in death. These disruptions not only impact medical procedures but also limit access to patient records, diagnostic tools, and connected medical devices, making CPS attacks far more severe than traditional IT breaches.

24×7: What proactive measures can healthcare organizations implement to reduce their risk of paying large ransoms, as highlighted in your report?

Greenhalgh: Many healthcare professionals, including leadership, jump straight to hardening and mitigation when they hear this question. However, experienced information security professionals know that there are vital steps that need to be completed to determine which hardening and mitigations are most effective. A CISO of one of the largest health systems in the country said, “A CISO’s job begins after visibility, which is quickly followed by ‘oh no.’” Improving asset visibility and maintaining an accurate inventory of connected devices and their software, including IoT and medical devices (IoMT), is the first step, according to NIST CSF and other popular frameworks.

One of the top three healthcare attack vectors is internet-facing devices with known exploitable vulnerabilities. To accurately identify vulnerabilities in outdated or unpatched systems and allow organizations to prioritize their defense based on risk, an organization needs to know the granular details of each network-connected device and how it communicates with other devices and the internet.

Another top attack vector is through third parties. Implementing CPS-specific secure remote access tools, which offer better protection than general VPNs, along with session monitoring and multi-factor authentication, can further reduce exposure to remote access attacks. These considerations can help prevent unauthorized network access.

Network segmentation is a critical mitigation solution designed to prevent attackers who penetrate the network. This technique is ideal for isolating key systems, preventing bad actors from moving across the network and escalating privileges to install ransomware. Additionally, regular backups and well-prepared incident response plans ensure quicker recovery, reducing the need to pay large ransoms.

Adhering to regulatory guidance also plays a key role in strengthening defenses against attacks. For example, the Department of Health and Human Services’ (HHS) voluntary Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs) can further enhance cybersecurity preparedness in healthcare organizations. These HPH CPGs have recently been suggested as requirements in a new U.S. Senate bill, the Healthcare Security Infrastructure and Accountability Act.

24×7: How has the increase in connected medical devices (IoMT) amplified the cybersecurity challenges within hospitals?

Greenhalgh: IoMT devices are crucial for patient care but often lack proper security configurations, making them highly vulnerable to cyberattacks. Compounding this problem with the volume of devices, often in the tens of thousands, the workload in chasing and mitigating device vulnerabilities becomes daunting. These devices manage real-time functions like patient monitoring telemetry, drug delivery pumps and CT scans for trauma patients in a golden window, so any disruption poses a direct threat to patient safety.

As the number of IoMT devices increases, so does the need for remote access for maintenance. A major issue is the lack of visibility into third-party access, with nearly 63% of respondents admitting they have little or no understanding of how vendors connect to their CPS environments, which increases risks from remote access.

Many IoMT devices also run on outdated or legacy systems that are difficult to patch, further exacerbating the security challenge and creating the need for network segmentation as a barrier. But even then, without accurate visibility into the communication needs of these complex IoMT systems of devices like CT scanners, segmentation without visibility can also inadvertently restrict the device from operating properly and thus threatening patient safety.

As hospitals adopt more connected devices, the attack surface grows, creating more entry points for cyberattacks. This makes it critical for healthcare organizations to implement comprehensive cybersecurity strategies tailored to IoMT devices.

Greenhalgh: 78% of healthcare organizations reported paying over $500,000 in ransomware payments. Healthcare facilities worldwide are being heavily targeted by ransomware attacks. The healthcare sector’s critical nature and the operational risks associated with downtime might make organizations more willing to pay these high ransoms to restore service quickly.

From a regional perspective, European healthcare organizations were notably impacted, with 59% reporting payments exceeding $500,000, and 23% paying between $1 million and $5 million. However, the financial and operational toll of ransomware is particularly challenging for rural healthcare organizations, especially in the U.S. Rural hospitals often operate on constrained budgets and have limited resources, making it difficult to invest in advanced cybersecurity solutions. For these organizations, the cost of implementing preventive measures is high, yet the financial and reputational damage of a ransomware attack can be even more devastating.

As these smaller healthcare facilities struggle to balance costs with security needs, they remain highly vulnerable to ransomware attacks. Without adequate funding and cybersecurity support, rural hospitals may be forced to pay ransoms to restore critical services swiftly, which further strains their already limited resources.

24×7: What are the long-term operational and financial impacts on hospitals that have paid ransoms, and how can they recover?

Greenhalgh: Hospitals that pay ransoms face significant long-term operational and financial consequences. Even after making ransom payments, hospitals often endure extended periods of downtime as they work to fully recover compromised systems and restore patient data. According to the report, 49% of respondents indicated that the recovery process took a week or more, with nearly 30% reporting recovery times exceeding a month​. This extended downtime can lead to severe financial repercussions, including lost revenue, increased operational costs, and reputational damage.

When hospitals are forced to pay ransoms from their already limited resources, it redirects critical funds that could otherwise strengthen their cybersecurity defenses. This financial strain further limits their ability to invest in security measures needed to prevent future attacks.

Recovery from these attacks requires more than just technical fixes; hospitals must invest in cyber resilience strategies to ensure long-term protection. This includes strengthening their security posture by investing in cybersecurity insurance, implementing incident response plans, and improving employee training on recognizing phishing attempts and other common attack vectors. Proactively engaging with regulatory bodies and adhering to best practices in cybersecurity will also help mitigate future risks.

24×7: What role do regulatory bodies and government policies play in shaping the cybersecurity strategies of healthcare organizations facing CPS threats?

Greenhalgh: Regulatory bodies and government policies play a crucial role in shaping the cybersecurity strategies of healthcare organizations, particularly when it comes to CPS threats. Regulations such as HIPAA in the U.S. and GDPR (General Data Protection Regulation) in Europe require healthcare organizations to ensure the confidentiality, integrity, and availability of protected health information (PHI) and other sensitive data.

Additionally, the HHS’ HPH CPGs, which are currently voluntary, may soon become mandatory as the HHS seeks to integrate these goals into regulations and programs.

The U.S. Senate has recently released a bill mandating the HPH CPGs. These goals help healthcare organizations address common vulnerabilities by setting foundational safeguards to protect against cyberattacks, improve response capabilities, and minimize residual risk. Built on frameworks like CISA’s CPGs, NIST’s Cybersecurity Framework, and the National Cybersecurity Strategy, the HPH CPGs guide organizations in maturing their defenses against emerging threats.

As the sector prepares for future regulations, healthcare organizations should align their strategies with both regulatory requirements and the HPH CPGs. This includes prioritizing essential security practices like asset management, phishing-resistant multi-factor authentication, and mitigating known vulnerabilities—elements that strengthen both IT and OT infrastructure defenses. By doing so, organizations can boost cyber resilience, safeguard patient data, and ensure they’re prepared for an evolving threat landscape.