* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog) * [Palo Alto Networks](https://origin-researchcenter.paloaltonetworks.com/blog/corporate/) * [Healthcare](https://origin-researchcenter.paloaltonetworks.com/blog/category/healthcare/) * Tips to Prevent Ransomwar... # Tips to Prevent Ransomware in Healthcare Environments [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2016%2F05%2Ftips-to-prevent-ransomware-in-healthcare-environments%2F) [](https://twitter.com/share?text=Tips+to+Prevent+Ransomware+in+Healthcare+Environments&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2016%2F05%2Ftips-to-prevent-ransomware-in-healthcare-environments%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2016%2F05%2Ftips-to-prevent-ransomware-in-healthcare-environments%2F&title=Tips+to+Prevent+Ransomware+in+Healthcare+Environments&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/2016/05/tips-to-prevent-ransomware-in-healthcare-environments/&ts=markdown) \[\](mailto:?subject=Tips to Prevent Ransomware in Healthcare Environments) Link copied By [Matt Mellen](https://www.paloaltonetworks.com/blog/author/matt-mellen/?ts=markdown "Posts by Matt Mellen") May 12, 2016 6 minutes [Healthcare](https://www.paloaltonetworks.com/blog/category/healthcare/?ts=markdown) [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown) [Locky](https://www.paloaltonetworks.com/blog/tag/locky/?ts=markdown) [ransomware](https://www.paloaltonetworks.com/blog/tag/ransomware/?ts=markdown) If 2015 was the year of the healthcare breach, 2016 is shaping up to be the year of ransomware. By this time last year, [105 healthcare breaches had been reported to the U.S. Department of Health and Human Services (HHS)](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf) for a total of over 92 million lost records, compared to "only" 81 breaches and 3.5 million records so far in 2016. Good news, right? Well, sort of. Unfortunately, this seemingly positive trend does not reflect the actual threat landscape in the healthcare industry. Healthcare organizations subject to HIPAA only need to report breaches to HHS if 500 or more patient records are exposed. Many types of cyberattacks on hospitals, like ransomware, impact systems and possibly patient care, but do not result in breached records and hence are not reported to HHS (although there are [currently opposing views](http://www.cmio.net/topics/policy/ransomware-considered-health-data-breach-under-hipaa) on whether a ransomware attack should be reportable under HIPAA). Ransomware is a type of malware that restricts access to files or systems with encryption until the victim (the hospital) pays the ransom for the key to unlock them. In a previous post I outlined [how hospitals can track down the infected PC](https://www.paloaltonetworks.com/blog/2015/11/network-shared-drive-encrypted-by-cryptowall-how-to-track-down-the-infected-pc/) when an infected PC somewhere on the network encrypts the contents of an entire department shared drive. As a former security operations lead for a hospital network, I responded to numerous ransomware infections firsthand as a result of targeted phishing campaigns against the hospital. The incident response team followed the same procedure for each incident: isolate the infected PC and restore the corrupted (encrypted) files on the department shared drive from backup. In such isolated instances, there was no impact to clinical operations and patient care. However, the story would have been different in the case of widespread infection on the network. Several healthcare providers in [Washington](https://www.washingtonpost.com/local/likely-ransomware-cyberattack-still-crippling-medstar-health-computers-at-some-hospitals/2016/03/30/a82c9fa8-f687-11e5-8b23-538270a1ca31_story.html), [California](http://www.forbes.com/sites/thomasbrewster/2016/02/18/ransomware-hollywood-payment-locky-menace/#7b62e21a75b0) and [Kentucky](http://www.healthcareitnews.com/news/methodist-hospital-recovering-five-day-ransomware-attack-claims-it-did-not-pay) were publicly impacted in 2016 by what appears to be widespread ransomware infection across many different devices in a short amount of time. **Prevent and Minimize the Impact of Ransomware** There are many things that your healthcare organization should be doing to minimize the impact of successful ransomware attacks. Here are a few tips to get you started: |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Effectiveness** | **Mitigation Type** | **Activity** | | High [](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) [![up arrow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) | Minimize Impact | **Develop and execute a plan for an end user awareness program** \* *Yes, I know it's difficult to get approval to send regular hospital-wide security advisories, but smarter end users will surely result in fewer ransomware incidents.* | | High [](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) [![up arrow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) | Minimize Impact | **Review / Validate Server Backup Processes** \* *Some organizations don't realize their backups are compromised or were configured improperly until it's too late. You may need them to restore service.* \* *Start with your File Servers that host network shares for critical hospital departments* \* *Ensure you have backups that are not accessible by end users - ideally off-site. Backup administrator roles should be assigned sparingly, used sparingly and regularly audited.* \* *Test your backups regularly to validate they can be restored properly.* | | Medium [](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/side-arrow.png) [![side arrow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/side-arrow.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/side-arrow.png) | Minimize Impact | **Review network drive permissions to minimize the impact that a single user can have** ***End User Privilege Reviews*** \* *Assign a project manager to organize an effort to evaluate permissions that users have on mapped network drives. Implement the principle of least privilege to minimize the impact that any single user can have on the organization's network shared drives.* \* *This process could turn into a large, complex effort, so start with network drive locations used by critical departments (Emergency, Organ Transplant etc).* ***Administrator User Privilege Reviews*** \* *Audit privileged roles used by the Server, Backup \& Network Teams to validate appropriate access.* \* *Ensure administrators are assigned normal restricted accounts, separate from their highly privileged accounts.* \* *Require administrators to only use their highly privileged accounts when they need them.* \* *Remove automatic network drive mappings from administrative accounts, where possible.* \* *Restrict administrative accounts from receiving email.* | | High [](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) [![up arrow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) | Prevention | **Disable macro scripts from MS Office files using AD Group Policy** \* *According to Microsoft, [98% of Office-targeted threats use macros](https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/). Disabling macro scripts from MS Office files will stop ransomware such as [Locky](https://www.paloaltonetworks.com/blog/2016/02/locky-new-ransomware-mimics-dridex-style-distribution/).* \* *Office macros are usually not required for the majority of PCs used in healthcare environments. Enable macros for exceptions or certain departments only.* | | High [](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) [![up arrow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) | Prevention | **Review your monthly patch management processes** \* *Many hospitals struggle to patch their systems within 30 days of Microsoft's "Patch Tuesday" monthly patch release.* \* *Review your patching processes and look for opportunities to remove roadblocks.* \* *Consider deploying an* [*advanced endpoint product*](https://www.paloaltonetworks.com/products/secure-the-endpoint/traps)*that prevents exploits due to missing patches and malware.* | | Medium [](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/side-arrow.png) [![side arrow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/side-arrow.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/side-arrow.png) | Prevention | **Evaluate your inbound spam / malware protection** \* *Ensure you are configured to block inbound mail as per recommendations from your email server vendor (i.e. block executables in attachments etc)* | | High [](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) [![up arrow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) | Prevention | **Deploy a next-generation firewall to protect the hospital network** \* *Ensure your firewall automatically blocks known threats based on a threat feed that constantly updates.* \* *Ensure your firewall provides sandboxing capabilities so you can stop unknown threats (URLs and executables) before they reach the endpoint. Sandboxing is the best way to detect new variants of ransomware that constantly appearing in the wild.* \* *Configure your firewall/proxy to require user interaction for hospital end users communicating with websites uncategorized by the network proxy or firewall (i.e. click a "proceed" button). Many uncategorized websites are used in targeted phishing campaigns to distribute malware.* | | High [](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) [![up arrow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/05/up-arrow.png) | Prevention | **Deploy advanced endpoint protection to protect the endpoint** \* *Traditional antivirus is not effective anymore against advanced malware like ransomware which continuously changes to avoid detection. Your endpoints need advanced protection capable of stopping processes that exhibit malicious **techniques**, rather than checking for individual known bad files.* \* *Whitelisting can work for some organizations but most hospitals need to permit hundreds of applications across their departments so it is often difficult for IT to manage the list.* [*Technique-based malware*](https://www.paloaltonetworks.com/products/secure-the-endpoint/traps)*detection tends to be very effective, and also lightweight on the endpoint.* | These suggestions range from low-tech to high-tech and vary in cost, but all contribute to create a hospital environment that is highly resistant to ransomware with the least amount of manual management. Decide for yourself which combination of mitigating activities is best for your environment. If you want to read more about the history of ransomware -- take a look at [The Rise of Ransomware](https://www.paloaltonetworks.com/blog/2016/05/unit-42-ransomware-trends/), a recent paper from our threat intelligence team, Unit 42. *** ** * ** *** ## Related Blogs ### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Research](https://www.paloaltonetworks.com/blog/category/research/?ts=markdown), [Unit 42](https://www.paloaltonetworks.com/blog/category/unit42/?ts=markdown) [#### From Ransom to Revenue Loss](https://origin-researchcenter.paloaltonetworks.com/blog/2025/10/from-ransom-to-revenue-loss/) ### [Customer Spotlight](https://www.paloaltonetworks.com/blog/category/customer-spotlight/?ts=markdown), [Healthcare](https://www.paloaltonetworks.com/blog/category/healthcare/?ts=markdown) [#### Customer Spotlight: Canadian Healthcare Company Gets to the Heart of the Matter with Innovative Cybersecurity Solution](https://origin-researchcenter.paloaltonetworks.com/blog/2016/08/customer-spotlight-canadian-healthcare-company-gets-to-the-heart-of-the-matter-with-innovative-cybersecurity-solution/) ### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown) [#### The Ransomware Speed Crisis](https://origin-researchcenter.paloaltonetworks.com/blog/2025/09/ransomware-speed-crisis/) ### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown) [#### SE Labs Awards Palo Alto Networks AAA Rating and 100% Prevention Against Ransomware](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/se-labs-awards-palo-alto-networks-aaa-rating-and-100-prevention-against-ransomware/) ### [Healthcare](https://www.paloaltonetworks.com/blog/category/healthcare/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown) [#### Curb Healthcare Costs --- Can Cybersecurity Platformization Help?](https://origin-researchcenter.paloaltonetworks.com/blog/2025/02/curb-healthcare-costs-can-cybersecurity-platformization-help/) ### [Healthcare](https://www.paloaltonetworks.com/blog/category/healthcare/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown) [#### 5 Trends Shaping Healthcare Cybersecurity in 2025](https://origin-researchcenter.paloaltonetworks.com/blog/2025/01/5-trends-shaping-healthcare-cybersecurity-in-2025/) ### Subscribe to the Blog! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language