Incident Response to Ransomware at a U.S. SLTT Hospital

2025 funding cuts to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and prohibitions on U.S. State, Local, Tribal, and Territorial (SLTT) government entities spending State and Local Cybersecurity Grant Program (SLCGP) funds on MS-ISAC membership have placed U.S. public health entities at greater cyber risk.

Smaller entities within the public health sector are even further stifled by these cuts. According to Microsoft, they face “significant challenges” due to limited resources and difficulty finding skilled IT specialists. Paired with the fact that healthcare remained the costliest industry for data breaches at $7.42 million on average in 2025, as reported by IBM, this finding shows how U.S. SLTT healthcare entities have limited options to address the enduring impacts of cyber threats.

In this case study, we'll review a real-life incident in which the MS-ISAC Cyber Incident Response Team (CIRT) responded to a ransomware attack at a U.S. SLTT hospital that caused direct threats to patient care, including lab reporting, medication distribution, and patient diversion. We'll highlight the toll federal cybersecurity funding cuts impose on U.S. SLTTs and their constituents as well as why public funding for cybersecurity resources like the MS-ISAC remains a cost-effective and critical option for under-resourced U.S. SLTTs in the healthcare sector.

MS-ISAC Federal Funding Cuts: The Impact on U.S. SLTTs

On March 6, 2025, the U.S. federal government cut a portion of previously guaranteed funding to the Cooperative Agreement (CA) with the Center for Internet Security® (CIS®) to support the MS-ISAC. More recently, on September 30, 2025, the U.S. Department of Homeland Security (DHS) officially ended its 21-year partnership with the MS-ISAC, which was originally established to provide cybersecurity services and support to U.S. SLTT entities. Beyond these cuts, when DHS issued the notice of funding opportunity for the final year of the SLCGP, it explicitly prohibited U.S. SLTTs from spending the funds on MS-ISAC membership and services, per StateScoop.

These reductions coincided with 2024 survey data from the MS-ISAC’s National Cybersecurity Review (NCSR) indicating that 73% of state and local government respondents cited funding as their top cybersecurity concern. Additionally, despite observing a drop in the global average cost of a data breach, IBM found that the average cost to U.S. organizations rose 9.2% to $10.22 million, while healthcare remained the most expensive sector for security breaches.

In July 2025, a U.S. Senator serving on the Select Committee on Intelligence issued a press release noting that small hospitals in particular are “prime targets for cybercriminals” and are very likely to pay ransoms to ensure continuity of care. Additional Members of U.S. Congress have demonstrated their awareness of the impacts of cyber threats on U.S. SLTTs. As reported by Politico, a 2025 cyber threat snapshot of threats to state and local governments by a member of the House Homeland Security Committee identified that major incidents had impacted state and local governments across 44 U.S. states in 2025.

U.S. SLTT leaders have expressed serious concerns, as well. On August 7, 2025, the National Association of Counties (NACo) along with other partners sent a letter to Congress urging it to include the MS-ISAC in Fiscal Year 2026 federal appropriations, noted Infosecurity Magazine. In another open letter, 30 cybersecurity professionals, including former heads of federal cybersecurity organizations, similarly wrote to Congress requesting it continue federal funding for the MS-ISAC.

Despite expressed concerns, these recent decisions remain in place and have made it more difficult for U.S. SLTTs to attain necessary cybersecurity funding and services. These cuts are especially impactful to under-resourced organizations like those in the public health sector, which frequently lack adequate cybersecurity funding while administering critical services.

Safety Impacts of a Healthcare Ransomware Attack

In the second quarter of 2025, a ransomware incident forced a remote U.S. SLTT hospital to come face to face with the life safety impacts of a significant network intrusion:

  • Disrupted Access to Critical Systems: The incident left the already resource-constrained entity struggling to maintain patient care due to the threat actor disabling access to critical systems, including the domain controller.
  • Reduced Ability to Treat Trauma Patients: The disrupted access to critical systems delayed lab reporting, affected medication distribution, and impacted the facility’s ability to treat trauma patients, as they were unable to administer computerized tomography (CT) scans.
  • Insufficient Staffing to Support: Beyond inhibited system access, the facility lacked sufficient staffing to read radiology films and support the hospital during an around-the-clock incident.
  • Challenge of Transferring Digital Medical Records: If the hospital needed to divert any critical patients via medevac, they would have run into additional difficulties, as the incident inhibited staff's ability to transfer necessary digital medical records.

Coordinated Analysis and Incident Response from the MS-ISAC

The victim entity’s servers were all affected due to connectivity across a single virtual machine (VM) environment, otherwise known as a flat network topology. The department leveraged an endpoint detection and response (EDR) tool, which failed to generate any alerts during the incident.

To isolate the infection, IT staff disconnected systems from the internet and severed virtual local area network (VLAN) communication. Lacking an on-call vendor to perform incident response, the victim turned to CIRT of the MS-ISAC. CIRT was previously commissioned through the CA to provide no-cost incident response and coordination to U.S. SLTTs experiencing a serious incident. Following the March 2025 partial federal defunding, CIS, which is the parent organization of the MS-ISAC, elected to provisionally support the cost of critical services like CIRT.

Here's how CIRT supported the affected U.S. SLTT hospital:

  • Rapid Collaboration and Launch of Investigation: As soon as CIRT became aware of the victim’s request, the team began working with the hospital IT staff. Once it received the necessary artifacts, it initiated its investigation.
  • Preliminary Findings Provided in under 48 Hours: Within 48 hours, CIRT shared preliminary findings, used its expertise to coordinate incident response with the agency, and provided guidance on how to make risk-based decisions.
  • Additional Analysis and Tailored Guidance: Widespread encryption created challenges for both sides in effectively investigating the scope of impact, but over the weeks that followed, CIRT analysts provided additional analysis and tailored guidance to the victim.

Despite the significant disruption caused by the incident, the entity expressed gratitude for CIRT’s dedication and support.

Meet the Moment with MS-ISAC Membership

The incident discussed above demonstrates the harsh realities under-resourced U.S. SLTTs confront in defending against threat actors armed with the capability, opportunity, and intent to conduct these attacks at scale. During an incident with immediate impacts to life safety, the MS-ISAC CIRT would historically consider sending an analyst onsite to help coordinate the incident response process and gain direct access to infected machines, but due to recent federal budget cuts, this was not an option. Given the challenges under-resourced U.S. SLTTs face in securing critical systems and data against persistent cyber attacks, threats against these entities are likely to continue.

The MS-ISAC remains committed to providing U.S. SLTTs with essential cybersecurity services, and it has shifted to a cost-effective paid membership model to fill the void of U.S. federal funding. MS-ISAC membership continues to provide an array of critical resources to support U.S. SLTTs in defending against cyber attacks like those described in the case study above. These include the 24x7x365 CIS Security Operations Center (SOC), CIRT, real-time malicious indicator feeds, advisories and targeted notifications, as well as tools and resources for enhancing organizations’ security posture like CIS SecureSuite® Membership, which is available at no cost to U.S. SLTTs.


CIS also offers cost-effective add-on solutions to further help U.S. SLTTs respond to and prevent incidents like those described in this case study. These CIS Services® include CIS Managed Detection and Response™ (CIS MDR™), Albert Network Monitoring and Management, Malicious Domain Blocking and Reporting Plus (MDBR+), Penetration Testing, and Vulnerability Assessments.

Despite CIS offering cost-adjusted MS-ISAC membership for the most resource-deprived agencies, the short notice of the cancellation of funding as well as budgetary cycles and limitations will inevitably mean some entities fall through the cracks. To prevent this from happening as much as possible, CIS continues to advocate for a whole-of-state model to support U.S. SLTTs’ cybersecurity, meaning the community collectively shares a stake in supporting this critical effort. Compared to à la carte industry service offerings, the previously allocated $27 million to support over 90,000 U.S. SLTT organizations is extremely cost effective, as made clear in this MS-ISAC report.

The MS-ISAC is prepared to work alongside U.S. SLTT decision-makers to ensure we fill this void, as a community-driven defense model is the only way for us to effectively respond to persistent cyber threats and meet this challenging moment.

Ready to join our community dedicated to the collective cyber defense of U.S. SLTTs?

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.