Safeguarding the healthcare sector from ransomware attacks: insights from a literature review

Quality assessment

The following are the criteria used to assess the quality of the selected primary studies. This quality assessment was conducted by two authors as explained above.

• (a)

  The study focuses on the Integration and Analysis of the data, the possible answers were Yes (1), and No (0).

• Integration and analysis: This criterion evaluates whether the study integrates data or findings into a meaningful discussion relevant to the ransomware landscape in the healthcare sector. A score of Yes (1) is assigned if the article:

• •

  Synthesizes various attack types or techniques (e.g., phishing, brute-force attack),

• •

  Links vulnerabilities or incidents to specific impacts in healthcare settings (e.g., patient data breach, service disruption),

• •

  Provides comparative or trend-based analysis across cases,

• •

  Discusses mitigation strategies or correlates technical findings with real-world implications.

• A score of No (0) is given if the article only reports isolated incidents or descriptive information without connecting it to broader patterns, challenges, or implications

• (b)

  Assessment: 2021–2024 = (3), 2018–2020 = (2), 2016–2017 = (1), and before 2016 = (0).

• (c)

  The articles are cited more than 200 = (4), 150–200 = (3), 100–149 = (2), 99–50 = (1), 49–1 = (0.5).

• (d)

  The study is published in a well-reputed venue that is adjudged through the CORE ranking (A, B, and C) of conferences, and for journals, letters along with scientific reports it is categorized on Scientific Journal Ranking (SJR) into Q1, Q2, Q3 and Q4 as shown in Table 4.

A comprehensive overview of ransomware attacks, detailing references, publication year, methodology, and source (like book, journal, conference or pre-prints), methodology section defines the research approach of the article (quantitative, qualitative, or mixed methods) and the specific procedures used to conduct the study along with a quality assessment. The literature review underscores the importance of cybersecurity self-evaluation in healthcare, with sources published between 2016 and 2024 in books (B), journals (J), conferences (C), or ArXiv (A). These works encompass various technical methods, denoted by (a), the year of publication is marked by (b), the number of citations each article has received, indicated by (c), and the rank of each article is denoted by (d). The final column represents the total quality assessment score, with a range where 10 is the highest and 2.5 is the lowest, indicating a moderate level of reliability and impact within the field as detailed in Table 5.

Types of ransomware attacks in health sector

These ransomware variants often utilize a combination of social engineering tactics (Frumento, 2019), software vulnerabilities, and brute-force attacks to infiltrate networks within the healthcare sector. Once inside, they employ sophisticated encryption techniques to render data inaccessible, demanding ransom payments in cryptocurrency for decryption keys. Cryptocurrency is an untraceable payment method that malicious parties use to receive ransom from the victims to hide their identity (Reshmi, 2021). Ransomware typically spreads through email attachments or malicious downloads, encrypting victims’ data and locking their computers. The two main types are Crypto Ransomware, which encrypts specific file types, and Locker Ransomware, which locks access to the entire system. For instance, CryptoLocker (Kok et al., 2019b) and Cryptowall (Thamer & Alubady, 2021). To mitigate the impact of ransomware attacks, healthcare organizations must implement robust cybersecurity measures, including continuous updates to anti-ransomware solutions (similar to software updates), regular system patching, comprehensive employee training on phishing awareness, and secure, regularly tested backup systems (Reshmi, 2021). Furthermore, ransomware attacks represent significant threats in the healthcare sector, employing diverse strategies to infiltrate and encrypt sensitive hospital information. The scareware (Kok et al., 2019b) Ransomware tricks victims by pretending to be authorities as well as threatening to reveal their secrets, making them pay out of fear of getting in trouble or being embarrassed. Also, variants of ransomware attacks demand user interaction, while others do not. For instance, SamSam specifically targets the healthcare department by exploiting vulnerabilities in Remote Desktop Protocol (RDP), File Transfer Protocol (FTP), and Java servers. Additionally, Locky ransomware is activated through user interaction, often distributed via phishing emails that contain malicious payloads (Minnaar & Herbig, 2021). On the other hand, WannaCry spreads swiftly without requiring user interaction, leading to instant and widespread disruptions.

Notably, WannaCry gained attention in 2017 for exploiting vulnerabilities within Windows systems and utilizing worm-like capabilities to propagate across interconnected networks rapidly (Butt et al., 2019; Mahler, Elovici & Shahar, 2020; Jobair et al., 2022; Thakur, 2024; Guvçi & Şenol, 2023). This ransomware propagates by exploiting unpatched software, highlighting the crucial role of timely updates and security patches in defending against these cyber threats. However, ransomware variants like Ryuk and SamSam (Al-Qarni, 2023) Gain entry into healthcare networks through phishing emails or by exploiting weak authentication credentials and unprotected remote access points. Once inside the network traffic, attackers precisely target crucial and sensitive data, such as patient records and administrative files, for encryption. The encryption methods used by ransomware employ advanced algorithms, making the data inaccessible without the precise decryption key, which the attackers demand in exchange for ransom payments. These incidents highlight the urgent need for robust cybersecurity protocols. Essential measures include comprehensive employee training to identify phishing tactics, proactive monitoring of network activities, and the implementation of secure backup solutions.

Overall, several high-impact ransomware strains have uniquely targeted the healthcare sector, each with distinct technical mechanisms and consequences. SamSam is notorious for exploiting weak Remote Desktop Protocol (RDP) credentials through brute-force attacks, allowing attackers to gain access to hospital networks and manually deploy custom-built payloads that bypass traditional antivirus tools. Once inside, SamSam encrypts entire systems using RSA and AES algorithms, crippling core operations. WannaCry, on the other hand, spread globally in 2017 by exploiting the EternalBlue vulnerability in the SMB protocol. Its worm-like behavior enabled it to propagate rapidly across unpatched systems without user interaction, encrypting files with AES and demanding ransom in Bitcoin, infamously disrupting the UK’s NHS. Ryuk uses a multi-stage attack, often delivered through Emotet or TrickBot malware, which enables credential theft and lateral movement across the network before encrypting high-value systems. Ryuk disables backups and shadow copies, making data recovery extremely difficult. Locky typically spreads via phishing emails containing macro-enabled Office attachments. Once opened, it connects to command-and-control servers to execute encryption using AES and appends distinctive extensions like. locky. Lastly, Netwalker gained traction during the COVID-19 pandemic by targeting overwhelmed healthcare institutions. Operated as a ransomware-as-a-service (RaaS), it uses phishing and exploits to infiltrate systems, then conducts double extortion by encrypting and exfiltrating data, threatening public leaks if ransoms are not paid. These strains illustrate the evolving sophistication of ransomware threats and their devastating impact on healthcare delivery and patient safety.

These strategies are essential for mitigating the severe impacts of ransomware attacks on electronic health operations and ensuring the protection of patient care and the confidentiality of their data. Table 6 summarizes key ransomware types affecting healthcare organizations, highlighting their impact, methods of propagation, encryption techniques, and ransom demands. Attacks like Crypto ransomware, WannaCry, and Ryuk have caused major disruptions by encrypting critical systems and demanding cryptocurrency payments. Most propagate via phishing or by exploiting system vulnerabilities, using strong encryption methods like Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA). Scareware, while not using actual encryption, relies on fear tactics to extort victims. The data emphasizes the need for robust cybersecurity measures in healthcare settings.

Impacts of ransomware attack in the health sector

Ransomware attacks have an unfavorable impact on the sensitivity of hospital data, leading to financial losses, interruptions in patient care, and data breaches. Below is an analysis of how ransomware attackers contribute to these economic losses, disruptions in patient care, and other adverse events in healthcare organizations. Moreover, ransomware attacks have complicated impacts on healthcare organizations, including severe financial losses, disruptions in patient care, and compromised data security. From a financial perspective, these attacks impose direct costs, including ransom payments that often leave no traceable record, that can escalate depending on the ransomware variant and the volume of data encrypted (Kok et al., 2019b; Zlatolas, Welzer & Lhotska, 2024; Reshmi, 2021). Additionally, healthcare providers face considerable expenses in alleviating operational disruptions, conducting forensic investigations, and implementing cybersecurity enhancements to prevent future incidents. Patient care disruption is a major concern (Frumento, 2019; Neprash et al., 2022; Sunil & Mathew, 2024; Triplett, 2024; Newaz et al., 2019; Swasey, 2020) appointments, and compromised medical records. Moreover, such disruptions can threaten patient safety and compromise the quality of care provided. Data breaches resulting from ransomware attacks usually expose sensitive patient information to unauthorized access, potentially violating healthcare privacy regulations and triggering legal consequences. The long-term penalties include damaged reputation (Thamer & Alubady, 2021; Minnaar & Herbig, 2021) loss of patient trust and data (Sunil & Mathew, 2024; van Boven et al., 2024), and regulatory fines and insurance-related costs (Minnaar & Herbig, 2021), further intensifying the financial (Thamer & Alubady, 2021; Frumento, 2019; Neprash et al., 2022; Baker & Shortland, 2023), and operational burden on healthcare organizations (Frumento, 2019). Also, it is essential to implement effective insurance against ransomware attacks that require a public-private partnership, with governments navigating through co-insurance, regulation, and investment (Baker & Shortland, 2023). However, mitigating these impacts necessitates comprehensive cybersecurity strategies, robust incident response protocols, and continuous staff training to reinforce defenses and safeguard patient welfare and organizational resilience against evolving cyber threats. As explained in Table 7, the impacts and types of losses associated with ransomware attacks in the healthcare sector are detailed.

Prevention measures in the health sector

Emerging cyber threats are increasing drastically and ransomware attacks are most favorite for the attackers to launch due to instant results with encrypting devices and demanding ransom. However, it is quite impossible to retrieve everything swiftly, without executing the plans of disaster recovery and backup strategy and it is a matter of fact that the foundation for implementing prevention strategies lies in the business continuity plan (Spence et al., 2018; Tully et al., 2020; Vithanwattana et al., 2021) and data backup procedures (Vithanwattana et al., 2021; Thamer & Alubady, 2021; Spence et al., 2018). The healthcare industry has undoubtedly integrated Information and Communication Technology (ICT) to significantly enhance the valuable and sensitive infrastructure of hospital platforms. This digitalization, beginning with the computerization of hospital environments has made the healthcare sector a prime target for cybercriminals seeking to compromise sensitive patient information due to the unawareness of employees (Spence et al., 2018; Frumento, 2019) and bring various devices into the organization. Therefore, it is crucial to implement effective risk mitigation strategies within the healthcare landscape (Frumento, 2019). Currently, hospitals are increasingly adopting digital technologies, including digital devices, which makes them vulnerable to digital assaults. Indeed, medical devices, increasingly connected to networks and the Internet, face cybersecurity threats like ransomware, which can disable devices, disrupt their operations and compromise patient data (Kolade et al., 2023).

The healthcare sector also combats ransomware by implementing some conventional methods like network segmentation with firewalls (Tully et al., 2020; Butt et al., 2019), conducting rigorous risk assessments for medical devices, Mahler, Elovici & Shahar (2020) and integrating various technologies (Triplett, 2024). Hospitals also prioritize software and system updates with automated patch management to mitigate ransomware risks effectively. Therefore, it is crucial to implement optimal strategies to mitigate financial costs, unforeseen business losses, and reputation damage resulting from these severe attacks. Similarly, key risk mitigation techniques include developing business continuity plans, maintaining data backups, and educating employees about ransomware threats (Vithanwattana et al., 2021; Thamer & Alubady, 2021; Spence et al., 2018).

Apart from conventional methods, some of the novel methods are also there to impede the way of ransomware attacks like as threat identification, ontology-based likelihood, severity decomposition, and risk integration (TLDR) methodology to assess these risks by identifying vulnerabilities and using expert input to estimate likelihood and severity (Mahler, Elovici & Shahar, 2020). In addition to methodologies, emerging techniques are playing a crucial role in enhancing the cybersecurity of the healthcare sector. Various techniques like Blockchain (Vithanwattana et al., 2021; Al-Qarni, 2023; Alenizi & Alrashdi, 2023), Software Defined Networking (SDN) and ML are instrumental in combating cyber threats (Jobair et al., 2022). These technologies reinforce systems, detect anomalies, and make a strong barrier against potential threats, thereby preventing the compromise of data and services (Thamer & Alubady, 2021).

Table 8 outlines various strategies and best practices that healthcare organizations can implement to prevent, detect, and respond to ransomware attacks, along with their descriptions, implementation methods, effectiveness, challenges, and examples.

Detection strategies in the health sector

Detecting ransomware presents a challenging challenge, prompting healthcare organizations to employ various methods like deploying intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor and mitigate malicious activities attentively. IDS and IPS are critical in detecting and preventing ransomware attacks by monitoring and analyzing network traffic for suspicious activities (Branch et al., 2019). IDS identifies potential threats by comparing network patterns against known vulnerabilities and signatures, providing early warnings. IPS actively blocks malicious traffic and entities, preventing ransomware from entering the network premises (Ramadan et al., 2021; Mukhopadhyay & Jain, 2024). They also enforce end-user security measures like restricting website access and deploying network segmentation to mitigate ransomware attacks efficiently. Moreover, end-to-end security balances these systems by ensuring comprehensive protection through strong authentication techniques and performing continuous monitoring of all devices (Tully et al., 2020; Ramadan et al., 2021; Mukhopadhyay & Jain, 2024). Likewise, penetration testing works as a strong pillar among the detection strategies (Mukhopadhyay & Jain, 2024). Collectively, these measures establish a solid defense strategy against ransomware attacks. In addition to traditional approaches, ML techniques have emerged as powerful tools for the early detection of ransomware, particularly in critical environments like smart healthcare systems (SHS). One such method is the Pre-Encryption Detection Algorithm (PEDA), which applies ML to detect crypto-ransomware in its early stages by analyzing API call patterns. With a low false positive rate of 1.56%, PEDA has demonstrated superior performance compared to other detection algorithms (Kok et al., 2019b; Li & Madisetti, 2024). Similarly, HealthGuard is an ML-based security framework designed to detect malicious activities in SHS, utilizing techniques like artificial neural network (ANN), decision tree (DT), random forest (RF), k-Nearest Neighbor (kNN), and decision tree. Trained on data from eight devices, HealthGuard achieves 91% accuracy and a 90% F1-score in threat detection, addressing security concerns in IoT-integrated medical devices (Newaz et al., 2019). Table 9 outlines the detection strategies for ransomware attacks in the healthcare sector.

Responsive attitude in the health sector

Responsive behavior involves having detailed disaster recovery plans in place to enable a quick and efficient recovery if an attack occurs (Spence et al., 2018; Reshmi, 2021). Additionally, responding to incidents effectively by implementing measures such as regularly updating incident response plans with training and maintaining automated backups stored offsite to ensure data integrity and rapid recovery is crucial (Al-Najjar, Mahmoud & Al Najjar, 2024; Reshmi, 2021). Many hospitals and clinics prioritize these practices to enhance their resilience against cyber threats. Protecting the organization’s reputation is crucial to minimize the impact and costs associated with an attack. These combined strategies help healthcare facilities prevent ransomware attacks and respond effectively to minimize damage and ensure continuity. Moreover, ransomware attacks are rising, and cyber insurance provides crucial coverage for related costs, helping businesses recover quickly. It also offers preventive and mitigative services to reduce the likelihood and impact of attacks. By supporting organizations before and after breaches, cyber insurance covers it to some extent, but sometimes it is also a costly solution (Kolade et al., 2023; Branch et al., 2019; Logue & Shniderman, 2021). Table 10 demonstrates the responsive measures to ransomware attacks in the healthcare sector.

Legal and regulatory implications of ransomware attacks

The healthcare sector is a diverse field and it has to be tackled from almost every perspective which is why it needs some sort of regulatory body to take care of it, maintain the records of patients in a better way and ensure cybersecurity (Robinson, Corcoran & Waldo, 2022). It allocates resources effectively and efficiently, all while ensuring comprehensive employee training and timely breach reporting. The HITECH Act compounds these challenges by requiring the adoption and meaningful use of EHRs, implementing advanced security measures, and integrating compliance with HIPAA (Tully et al., 2020; Vithanwattana et al., 2021; Minnaar & Herbig, 2021; Farringer, 2016; Mahler, Elovici & Shahar, 2020; Frumento, 2019; Reddy et al., 2023). The CFAA, which criminalizes unauthorized access to computers and networks, faces jurisdictional concerns and the emerging nature of cyberattacks (Page et al., 2021), making enforcement difficult. CISA’s voluntary information-sharing framework struggles with limited participation and the need for significant infrastructure development to facilitate effective communication (Slayton, 2018). Moreover, the Affordable Care Act (ACA) is responsible for quality reporting requirements that add another layer of complexity, necessitating continuous adjustments to compliance strategies among evolving cyber threats. Likewise, CMS plays a pivotal role in regulating and setting standards for healthcare delivery, payment, and quality improvement initiatives across the United States (Tully et al., 2020).

Similarly, the General Data Protection Regulation (GDPR) addresses the protection of personal data related to an individual’s physical or mental health, including healthcare services that reveal information about their health status (Zlatolas, Welzer & Lhotska, 2024). In the hospital sector, healthcare professionals are often the weakest link in the security chain, significantly contributing to data breaches (Yeng, Yang & Snekkenes, 2019; Chernyshev, Zeadally & Baig, 2019). Several other factors intensify these challenges, necessitating the modernization of existing laws, a shift in industry priorities towards IT security, the demand for better products from vendors, and the utilization of available resources to enhance security protections. Similarly, financial institutions strive to comply with anti-money laundering (AML) regulations, but cryptocurrencies largely circumvent these rules, enabling anonymous transfers. Regulators could enforce AML regulations for cryptocurrency transactions, particularly through virtual currency exchanges (VCEs) that convert cryptocurrency to fiat currency. This would involve VCEs verifying customer identities and monitoring large transfers. Global AML initiatives, such as the Financial Action Task Force (FATF), could contribute to reducing ransomware-related transactions to some extent (Blessing, Drean & Radway, 2022).

Healthcare providers face significant compliance challenges due to the complexity of regulations, rapid technological changes, resource limitations, and evolving cyber threats. Addressing these challenges requires continuous updates to laws, a multifaceted approach to compliance, and leveraging existing resources and guidance to enhance security measures (Farringer, 2016). Table 11 describes ransomware attacks’ legal and regulatory implications within the healthcare sector.

Synthesis and implications

The synthesis of findings suggests a crucial need for a multifaceted and continuously evolving cybersecurity posture in the healthcare sector. Technological solutions—particularly those involving AI and machine learning—show promise but must be backed by sound legal frameworks, organizational policies, and user education. Institutions must strike a balance between adopting cutting-edge innovations and ensuring regulatory compliance to manage risks effectively. Future research should focus on empirical validations and performance benchmarking of AI-driven detection models within a live healthcare environment.

Comparative design approach to ransomware strain analysis

To enhance the analytical depth of this study, a comparative design approach was integrated into the synthesis process to evaluate the behavioral, technical, and operational distinctions between prominent ransomware strains targeting healthcare. This involved systematically extracting and aligning data points across multiple dimensions, such as initial attack vectors, propagation techniques, encryption methods, impact severity, and ransom tactics. For instance, the comparison between WannaCry and SamSam revealed stark differences in delivery: while WannaCry propagated automatically through the EternalBlue SMB vulnerability, SamSam required manual deployment following brute-force RDP access. Similarly, Ryuk’s multi-stage architecture involving credential theft and lateral movement was assessed alongside Locky’s reliance on macro-enabled email attachments and command-and-control (C2) communication. Netwalker was further distinguished by its double extortion strategy, combining encryption with data exfiltration under the RaaS model. By capturing these differences through a comparative lens, the review enabled a structured evaluation of how varying technical features influence the scale of disruption and defense requirements in healthcare contexts. This comparison is visually supported in Table 6 and enriches the overall methodological rigor by linking literature synthesis to evidence-based threat profiling.

Literature-centric scope

This study primarily adopts a systematic literature review (SLR) methodology and does not include any empirical experimentation or real-world deployment of the techniques discussed. While the SLR provides valuable theoretical insights and consolidates existing research, it lacks validation through practical implementation or case-based testing in real healthcare settings, which may limit its applicability.

Rapid evolution of threat landscape

Ransomware tactics evolve rapidly, with attackers constantly developing new methods of intrusion and data encryption. Given the dynamic nature of these threats, some of the strategies and countermeasures identified in the reviewed literature may quickly become outdated. The current review may not fully reflect the most recent attack variants or defense tactics that emerged after the literature search window.

Absence of performance benchmarking

Although the article explores various ML and DL approaches for ransomware detection and prevention, it does not provide a comparative evaluation of these techniques. Without benchmarking across standardized datasets, it remains unclear which algorithms perform best in healthcare contexts concerning accuracy, efficiency, or adaptability.

Language and data source bias

The review only considers English-language publications and excludes gray literature, such as industry reports or non-peer-reviewed technical documentation. As a result, practical and context-specific knowledge—especially from non-English-speaking regions or small-scale healthcare institutions—may have been overlooked.

Generalization across diverse healthcare settings

The findings and recommendations presented in this review apply broadly to the healthcare sector without distinguishing between different types of organizations. Smaller clinics, regional hospitals, or under-resourced health facilities may have unique vulnerabilities or limitations that are not adequately captured in this generalized synthesis.

Empirical validation of detection and response methods

Future studies should focus on implementing and validating AI-based detection and response strategies in live healthcare environments. Testing these methods under realistic operational conditions will provide insights into their practical effectiveness, usability, and robustness against real-time ransomware threats.

Unified framework for ransomware mitigation

There is a clear need to develop an integrated and adaptive ransomware mitigation framework that combines real-time monitoring, anomaly detection, incident response, and legal compliance. Such a framework would offer a holistic solution tailored specifically for the healthcare domain and align with both organizational workflows and regulatory requirements.

Comparative analysis of AI techniques

Future research should conduct rigorous comparative studies of AI and ML algorithms using standardized healthcare-specific datasets. Evaluating metrics such as detection rate, false positives, latency, and scalability will help determine the most suitable techniques for different healthcare applications and institutional sizes.

Ethical, legal, and privacy considerations

While technical approaches are essential, future work must also address ethical and privacy issues. This includes concerns about data ownership, algorithmic bias, transparency in decision-making, and ensuring compliance with privacy regulations like HIPAA and GDPR when using AI-driven tools.

Simulation and scenario-based risk assessments

Developing simulation tools and risk modelling platforms could allow healthcare institutions to test their cybersecurity readiness. Simulations can help evaluate how ransomware propagates through digital infrastructure and assess the effectiveness of response strategies under different threat scenarios.

Standardization and policy development

There is a pressing need for collaborative initiatives between researchers, policymakers, and healthcare providers to develop standardized cybersecurity policies and incident response protocols. This would help establish uniform guidelines for ransomware prevention and support coordinated responses across national and international healthcare systems.