Ransomware: In the Healthcare Sector

It is hard to ignore the recent increase in reporting of hospitals victimized by ransomware. Ransomware has become such an issue that the MS-ISAC, along with our partners at the National Health Information Sharing and Analysis Center (NH-ISAC) and Financial Services Information Sharing and Analysis Center (FS-ISAC), teamed up to host trainings around the country on how to defend against it. Ransomware is a type of malware that infects systems and files, rendering them inaccessible until a ransom is paid. When this occurs in the healthcare industry, critical processes are slowed or become completely inoperable. Hospitals are then forced to go back to utilizing pen and paper, slowing the medical process and ultimately soaking up funds that may otherwise have been allocated to the modernization of the hospital.

Typically, ransomware infects victim machines in one of three ways:

  • through phishing emails containing a malicious attachment
  • via a user clicking on a malicious link
  • by viewing an advertisement containing malware (malvertising)

Ever-evolving variants and tactics, techniques, and procedures (TTPs) make it hard for security experts to keep up. Additionally, platforms such as ransomware as a service[i] (RaaS) make it easy for anyone with little to no technical skill to launch ransomware attacks against victims of their choosing.


Recently, multiple hospitals across the country were infected with ransomware via outdated JBoss[ii] server software. In these cases, the attacker uploaded malware to the out-of-date server without any interaction from the victim, as opposed to infecting the hospitals through common workstations used by everyday staff. Hollywood Presbyterian Hospital in California was one of the hospitals affected, in a case which delayed patient care and ultimately resulted in the hospital paying $17,000 to regain access to its files and network. Actors used an open-source tool, JexBoss, to search the Internet for vulnerable JBoss servers, and infected the networks they found regardless of industry. While there is no definitive proof, some have speculated that the high ransom demands observed in healthcare-related cases indicated the cyber threat actors were aware of who they had infected. They may have been aware that devices compromised in an infection are often crucial to a hospital’s mission, and that ransomware may render them inaccessible, delaying patient care while creating tremendous pressure to remediate the issue immediately. This pressure, combined with the fact that hospitals generally have financial resources on hand, potentially increases the likelihood the attackers will be paid.


For organizations that haven’t prepared for this attack, ransomware can be extremely damaging to day-to-day operations by blocking access to files and systems. MS-ISAC’s Primer on ransomware outlines the crucial steps every organization should take to heighten defenses against ransomware by properly securing networks, systems, and the end user. Keeping your anti-virus current, implementing proper email filtering, and maintaining up-to-date backups and storing them offline are just a few of the recommendations you’ll find in the Primer to help harden your organization against the threat of ransomware.

U.S. hospitals can get access to Malicious Domain Blocking and Reporting (MDBR) to help defend against ransomware at no cost.


[i] What is RaaS? Ransomware as a service (RaaS) is a new platform designed to enable someone with very little know-how about malware, code, or cyber attacks to conduct a ransomware attack and turn a profit. RaaS is designed to operate with a user-friendly platform that allows the attacker to simply pick their victim, set the ransom, pick a payment deadline and bitcoin wallet address, and deploy a ransomware variant. The developers of many RaaS platforms take a percentage of whatever the attacker is paid.

[ii] What is a JBoss Server? JBoss is an open-source application server program, which is a platform for developing and deploying enterprise Java applications, services, and web portals. JBoss is an open-source alternative to commercial options such as IBM WebSphere, Oracle BAE, or SAP NetWeaver. The last JBoss version released was 7.1.1, in 2012. Following that final release, JBoss’s name was switched to WildFly. If you are running an application server by the name of JBoss… it is out-of-date and has been for years!