Preventing ransomware in healthcare requires layering technical defenses, staff training, and resilient backup systems so that even when attackers get through one barrier, they can’t lock down your operations. Healthcare remains one of the most targeted sectors: in 2024, 61 ransomware-related breaches were reported to the U.S. Department of Health and Human Services, and the February 2024 attack on Change Healthcare alone compromised 100 million patient records and cost $2.4 billion in response expenses. The average breached healthcare organization faces roughly $8 million in total costs, or about $400 per patient record exposed.
What makes healthcare uniquely vulnerable is the combination of legacy medical devices, high-pressure clinical workflows that resist security friction, and data that attackers know organizations will pay to recover. The good news: the HHS 405(d) program and NIST frameworks provide clear, prioritized guidance. Here’s how to put it into practice.
Segment Your Network to Contain the Blast
Most ransomware doesn’t stay where it lands. It moves laterally across the network, encrypting everything it can reach. Network segmentation breaks your environment into isolated zones so that a compromised workstation in billing can’t reach an MRI machine or your electronic health record servers. The HHS 405(d) program specifically recommends using VLANs and firewalls to isolate network-connected medical devices, restricting communication to only the devices and services each segment genuinely needs.
This matters especially for legacy medical equipment. Many devices run outdated operating systems that can’t be patched, making them easy entry points. Placing them on their own network segment with strict access rules keeps them functional without putting the rest of your infrastructure at risk. Map every connected device first. You can’t segment what you don’t know exists, and most health systems dramatically undercount their IoT footprint.
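As an added illustration (not code from the article, HHS, or any vendor), the following Python checker audits observed flows against a per-segment allowlist and flags addresses missing from the asset inventory; the segment CIDRs, addresses, and permitted services are constructed assumptions.

```python
import ipaddress

# Constructed example policy; the CIDRs, addresses and service ports are assumptions,
# not taken from the article or from any real hospital network.
SEGMENTS = {
    "billing": ipaddress.ip_network("10.10.0.0/24"),
    "imaging": ipaddress.ip_network("10.20.0.0/24"),  # MRI, CT and other modalities
    "ehr":     ipaddress.ip_network("10.30.0.0/24"),  # electronic health record servers
    "pacs":    ipaddress.ip_network("10.40.0.0/24"),  # image archive the modalities send to
}
# The only cross-segment flows permitted: (source segment, destination segment, dst port).
ALLOWED = {
    ("billing", "ehr", 443),   # billing app calls the EHR API over HTTPS
    ("imaging", "pacs", 104),  # modalities push studies to PACS over DICOM
}
# Asset inventory: every address that is supposed to exist on the network.
INVENTORY = {"10.10.0.15", "10.20.0.7", "10.30.0.5", "10.40.0.9"}

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def check_flow(line):
    """Flow line 'src dst dstport' -> finding text, or None when the flow is permitted."""
    src, dst, port = line.split()
    port = int(port)
    if src not in INVENTORY or dst not in INVENTORY:
        return f"unknown device in {src}->{dst}:{port}: inventory incomplete, cannot segment"
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return None  # intra-segment traffic is governed by host firewalls, not this policy
    if (s, d, port) in ALLOWED:
        return None
    return f"violation: {s} -> {d} on port {port} ({src}->{dst})"

def audit(flow_lines):
    """Run every flow through the policy and return the list of findings."""
    return [f for f in map(check_flow, flow_lines) if f]

# Constructed sample of observed flows, e.g. exported from a firewall or NetFlow collector.
SAMPLE_FLOWS = [
    "10.10.0.15 10.30.0.5 443",   # billing workstation -> EHR over HTTPS: permitted
    "10.10.0.15 10.20.0.7 445",   # billing workstation -> MRI over SMB: lateral movement
    "10.20.0.7 10.40.0.9 104",    # MRI -> PACS over DICOM: permitted
    "10.20.0.7 10.30.0.5 3389",   # MRI -> EHR over RDP: not a flow a modality should make
    "10.10.0.99 10.30.0.5 443",   # source address is not in the asset inventory
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Feeding real firewall or NetFlow exports through the same check gives a quick list of flows the segmentation policy does not explain, which is also the list to review before tightening VLAN ACLs.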
Adopt Zero Trust Architecture
Traditional network security assumes that anything inside the perimeter is trusted. Zero trust flips that assumption: every user, device, and connection must prove it’s authorized before accessing any resource, every single time. NIST’s zero trust model centers on three core components working together: a policy engine that decides who gets access, a policy administrator that enforces those decisions, and policy enforcement points placed at every resource boundary.
For hospitals, zero trust is particularly valuable because clinicians, contractors, and telehealth providers access systems from shifting locations and devices throughout the day. A zero trust approach validates each request based on the user’s identity, the device’s security posture, and the sensitivity of the data being accessed. This means a compromised laptop connecting from a nurse’s station gets blocked from reaching patient databases, even though it’s physically inside the building. Rolling out zero trust across an entire health system takes time, so most organizations start with their highest-value assets (EHR systems, billing platforms, pharmacy networks) and expand outward.
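An added example, not from the article or from NIST, that sketches the three components as Python for the nurse's-station scenario above: the engine decides from identity, device posture and data sensitivity, the administrator issues a session grant, and the enforcement point never looks at network location. Roles, posture attributes and the session lifetime are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePosture:
    managed: bool        # enrolled in the organization's device management
    edr_healthy: bool    # endpoint agent checking in and raising no alerts

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device: DevicePosture
    resource: str        # e.g. "ehr", "pharmacy", "billing"
    sensitivity: str     # "low", or "phi" for protected health information

# Which resources each role may reach at all. Constructed policy, not a NIST artifact.
ROLE_ENTITLEMENTS = {"nurse": {"ehr", "pharmacy"}, "billing_clerk": {"billing", "ehr"}}

def policy_engine(req):
    """Policy engine: decide one request from identity, device posture and data sensitivity."""
    reasons = []
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        reasons.append("role_not_entitled")
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if req.sensitivity == "phi":  # PHI is only served to a managed device with a healthy agent
        if not req.device.managed:
            reasons.append("unmanaged_device")
        if not req.device.edr_healthy:
            reasons.append("endpoint_unhealthy")
    return ("allow", reasons) if not reasons else ("deny", reasons)

def policy_administrator(decision, req):
    """Policy administrator: turn an allow into a short-lived session grant; deny gets nothing."""
    if decision != "allow":
        return None
    return {"user": req.user, "resource": req.resource, "ttl_seconds": 300}

def enforcement_point(req):
    """Enforcement point at the resource boundary: no location check, no cached trust."""
    decision, _ = policy_engine(req)
    return policy_administrator(decision, req) is not None

# Constructed scenario from the text: same nurse, same EHR, but one laptop is compromised.
HEALTHY = DevicePosture(managed=True, edr_healthy=True)
COMPROMISED = DevicePosture(managed=True, edr_healthy=False)
NURSE_OK = AccessRequest("rn.jones", "nurse", True, HEALTHY, "ehr", "phi")
NURSE_BAD_DEVICE = AccessRequest("rn.jones", "nurse", True, COMPROMISED, "ehr", "phi")
```

The deny reasons are what a real deployment would log and alert on: a steady stream of "endpoint_unhealthy" denials from one device is an early signal that something on it is already wrong.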
Strengthen Authentication Without Slowing Clinicians
Stolen or weak passwords remain one of the most common ways attackers gain initial access. Multi-factor authentication is essential, but in a clinical setting where seconds matter, traditional MFA methods like typing in a code from a phone app create real friction. Healthcare organizations need authentication that’s both strong and fast.
FIDO2 and WebAuthn eliminate passwords entirely by using public/private key cryptography: the private key never leaves the authenticator and the service stores only the public key, so there is no shared secret to phish or to steal from a server, which makes logins both more secure and faster for end users. Physical security keys, like the YubiKey Bio series, combine a hardware token with a built-in fingerprint reader, letting a clinician authenticate with a single tap. Biometric recognition is especially useful in open hospital environments where staff move between shared workstations throughout a shift. Combining a physical key with biometrics gives you two authentication factors in one quick gesture, keeping login times short while making credential theft dramatically harder.
Build Immutable, Tested Backups
Backups are your last line of defense, and ransomware operators know it. Modern attacks routinely target backup systems first, encrypting or deleting them before locking down production data. If your backups can be modified or destroyed from the same network, they offer false security.
Immutable backups use Write Once, Read Many (WORM) storage, meaning once data is written, it cannot be altered or deleted for a defined retention period. Follow the 3-2-1 rule: maintain three copies of your data, on two different types of media, with one copy stored offsite. Geographic distribution protects against site-specific disasters, whether that’s a ransomware event or a physical emergency. Critically, verify that your EHR platform and other clinical applications actually support immutable backup protocols before assuming you’re covered.
Backups only matter if they work when you need them. Schedule regular restoration tests, including full system recovery drills, so you know how long it takes to bring clinical operations back online from backup. The average healthcare organization takes 255 days to identify a breach and another 103 days to fully contain it. Practiced recovery procedures can compress that timeline dramatically.
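As an added example (not the article's own code), here is a Python check that evaluates a backup catalog against the 3-2-1 rule, the WORM retention window and the restore-test cadence described in this section; the catalog entries, dates and thresholds are constructed.

```python
from datetime import date

# Constructed catalog of the copies that exist for each backup set. Media types, sites,
# dates and retention values are assumptions chosen to illustrate the checks.
CATALOG = [
    {"set": "ehr-db", "media": "disk",   "offsite": False, "worm_until": date(2025, 8, 30),
     "last_restore_test": date(2025, 5, 2)},
    {"set": "ehr-db", "media": "object", "offsite": True,  "worm_until": date(2025, 8, 30),
     "last_restore_test": None},
    {"set": "ehr-db", "media": "tape",   "offsite": True,  "worm_until": None,
     "last_restore_test": date(2024, 11, 3)},
    {"set": "pacs",   "media": "disk",   "offsite": False, "worm_until": None,
     "last_restore_test": None},
]
AS_OF = date(2025, 6, 1)  # constructed "today" for the assessment

def assess_set(catalog, set_name, today, min_lock_days=30, max_test_age_days=90):
    """Return findings for one backup set against 3-2-1, immutability and restore-test rules."""
    copies = [c for c in catalog if c["set"] == set_name]
    findings = []
    # 3-2-1: three copies, two media types, one offsite
    if len(copies) < 3:
        findings.append(f"copy count is {len(copies)} (3-2-1 wants three)")
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies on one media type (3-2-1 wants two)")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    # Immutability: at least one copy must be under a WORM lock with time still to run;
    # a lock that expires tomorrow gives an intruder with a long dwell time little to beat.
    locked = [c for c in copies
              if c["worm_until"] and (c["worm_until"] - today).days >= min_lock_days]
    if not locked:
        findings.append(f"no copy WORM-locked for at least {min_lock_days} more days")
    # Restore testing: a backup nobody has restored recently is an assumption, not a control
    tested = [c for c in copies if c["last_restore_test"]
              and (today - c["last_restore_test"]).days <= max_test_age_days]
    if not tested:
        findings.append(f"no copy restore-tested in the last {max_test_age_days} days")
    return findings

if __name__ == "__main__":
    for name in ("ehr-db", "pacs"):
        print(name, assess_set(CATALOG, name, AS_OF) or ["ok"])
```

Run against a real catalog exported from the backup platform, the same checks turn the "are we covered?" question into a per-application list of gaps, including clinical systems whose backups are not actually under a retention lock.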
Train Staff With Realistic Phishing Simulations
Email remains the primary delivery method for ransomware. A large hospital study found that when staff received a customized phishing email designed to look like an internal communication, 55% clicked the malicious link on the first attempt. After a second simulation campaign run roughly four months later, that rate dropped to 21%. For more generic phishing emails, click rates fell from 7% to 3% over three rounds.
The key finding: training frequency matters. Campaigns spaced about four months apart produced significant, measurable improvement. One annual training session isn’t enough. Run simulations regularly, vary the email types (fake package deliveries, IT password resets, internal memos), and provide immediate feedback when someone clicks. Staff who just failed a simulation are far more receptive to learning what they missed. Focus extra attention on departments with high click rates rather than treating all staff identically.
Prepare an Incident Response Plan Before You Need It
Prevention will never be 100% effective, so your response plan determines whether a ransomware event becomes a brief disruption or a months-long crisis. HHS guidance recommends that every healthcare facility establish pre-determined severity definitions and clearly delegated authority so IT teams can immediately lock down systems once certain thresholds are reached, without waiting for committee approval during an active attack.
A strong healthcare incident response plan includes several specific elements:
- Rapid federal reporting: Notify CISA and the FBI immediately, as they can provide technical response support and threat intelligence specific to the variant you’re facing.
- Cross-department coordination: Include IT personnel in all incident command communications, and bring clinical and administrative representatives into IT recovery planning. Siloed responses leave gaps.
- Business continuity activation: Trigger downtime procedures for clinical operations, including paper-based workflows for medication administration, lab orders, and patient tracking.
- Controlled communications: Appoint a single spokesperson. Establish an approval process for all messaging to patients, staff, media, and partner organizations. Monitor social media for misinformation that could undermine trust.
Practice the plan through tabletop exercises at least twice a year. Include clinical leadership, not just IT, because decisions about diverting ambulances or postponing surgeries fall on operational leaders who need to understand their role before a real event.
Understand Your HIPAA Obligations
Under the HIPAA Security Rule, healthcare organizations are required to conduct a risk analysis identifying threats and vulnerabilities to electronic protected health information and then implement security measures to address those risks. This isn’t optional guidance; it’s a legal baseline.
One point that catches many organizations off guard: when ransomware encrypts patient data, HHS considers that a breach. The reasoning is that the data was “acquired” by an unauthorized party through the encryption process. You must comply with breach notification requirements, including notifying affected patients and HHS, unless you can demonstrate a low probability that the data was actually compromised based on four factors specified in the HIPAA Breach Notification Rule. Assuming that encrypted-but-not-exfiltrated data doesn’t count as a breach is a common and costly mistake.
Use the HHS 405(d) Framework as Your Roadmap
If you’re unsure where to start, the Health Industry Cybersecurity Practices (HICP) framework published through the HHS 405(d) program provides a prioritized checklist organized into ten practice areas: email protection, endpoint protection, identity and access management, data protection and loss prevention, IT asset management, network management, vulnerability management, security operations and incident response, network-connected medical device security, and cybersecurity governance. The framework is scaled for organizations of different sizes, recognizing that a rural clinic and a large health system have different resources and risk profiles.
Working through these ten areas systematically gives you coverage across the full attack surface rather than over-investing in one area while leaving another exposed. Start with the areas where your current gaps are widest, which a thorough risk assessment will reveal, and build outward from there.