Universal Health Services

Universal Health Services, one of the largest hospital operators in the United States with approximately 400 facilities across the US and UK, was hit by Ryuk ransomware on the morning of 27 September 2020. The attack took down IT infrastructure across the affected facilities, with operational impact including diversion of ambulances, delays in laboratory testing, and the fallback to manual, paper-based patient records that healthcare-sector incident response reaches in every case of this kind (UHS press releases through October; Healthcare IT News reporting). Recovery has been a multi-week effort and was, as of the start of October, still in progress.

The operational story is the healthcare-sector exposure that the COVID period has elevated. Healthcare IT environments are, on the longstanding pattern, structurally hard to secure: a long tail of unpatched and unsupported Windows hosts attached to medical devices, limited downtime windows for patching, heterogeneous vendor-managed equipment, and regulatory environments that constrain certain modernisation paths. The COVID-period operational tempo has placed sustained elevated demand on healthcare IT and has reduced the capacity for planned security-improvement programme work. The UHS case is, in this sense, the predictable result of that structural posture meeting that operational pressure.

The Ryuk operator profile belongs to the same family of targeted-ransomware operators that has driven the year's incident landscape: Sodinokibi, Maze, Conti, the Evil Corp WastedLocker variant, and several others. Targeting decisions are made on operational criteria (victim size, perceived ability to pay, sector dynamics that make ransom payment more likely), and each publicised case is, on the running pattern, a single instance of a sustained campaign against multiple comparable victims. The healthcare sector has been visibly attractive to multiple ransomware operators through the year: Ryuk's own operational tempo against US hospitals has been documented in CISA alerting (CISA Joint Cybersecurity Advisory AA20-302A on Ryuk targeting healthcare), and other operator clusters are running comparable campaigns.

For the customer-portfolio briefing work, the UHS case is the worked example for any customer with healthcare-sector exposure (we have one healthcare customer in the SOC portfolio; we have no current vCISO healthcare engagement). The wider lesson is the structural one: the customer-organisation segments where security-programme maturity is constrained by operational tempo, regulatory environment, or legacy vendor-managed equipment are the segments where ransomware targeting is producing the highest-impact incidents. The customer organisations that have been investing in their programmes through 2018-2020 have, in aggregate, the better posture; the segments that have been running on cost-pressure-driven minimum compliance are the exposed ones.

The wider strategic point about ransomware and critical infrastructure is that the targeting pattern is producing operational consequences that are more public and more politically salient than the data-exposure-and-financial-impact pattern of the earlier era. A hospital diverting ambulances is news; a manufacturer's production-floor outage is news; a government agency's service-delivery disruption is news. The political environment for ransomware is shifting; the regulatory and law-enforcement responses are becoming more substantive (the OFAC sanctions track, the various criminal-prosecution efforts, the sustained CISA / NCSC alerting cadence), and the next several years will produce significant policy output on the subject. Whether that policy output materially changes the operational picture is the open question.

I will return to this. The healthcare-sector cyber-resilience theme is going to be a thread of the autumn customer briefings.
