As the risk of being hit grows, how well an organisation governs its data determines the blast radius of an attack and how quickly care can continue. How can this be done?
Ransomware attacks are continuing to hit the healthcare sector, with potentially devastating consequences that can go on for months after the incident.
In February 2026, University of Mississippi Medical Center was forced to close all clinics after suffering a ransomware attack.
In June 2024, the NHS was left in disarray after a ransomware attack on pathology services provider Synnovis, resulting on one of its most operationally disruptive cyber incidents in recent memory. In the attack attributed to the Qilin ransomware group, patient data was published on the dark web in a textbook case of double extortion.
In February the same year, Change Healthcare — a subsidiary of UnitedHealth Group responsible for processing a substantial proportion of US healthcare claims — suffered an attack attributed to ALPHV/BlackCat. It soon emerged that approximately 100 million individuals’ data had been compromised, making it the largest healthcare breach in US history.
Healthcare consistently ranks among the most targeted sectors globally for ransomware attacks, says Tracey Hannan-Jones, consulting director in information security, UBDS Digital. The reasons are “structural”, and they are “getting worse”, she says.
As the risk of being hit grows, how well an organisation governs its data determines the blast radius of an attack, and how quickly care can continue. How can this be done?
Evolving Ransomware
Ransomware attacks are becoming more sophisticated, hitting a healthcare sector already struggling amid a lack of budget. The risk is compounded by the fact that the sector holds extremely sensitive data, and downtime is not an option.
Attack techniques have shifted beyond traditional encryption, with threat actors adopting “encryption-less extortion” tactics that focus exclusively on data exfiltration and threatening to leak or sell stolen sensitive information, Lorri Janssen-Anessi, VP of global risk operations at BlueVoyant tells IO. “These often form part of double and triple extortion strategies.”
AI is further accelerating this shift, enabling attackers to “increase the speed, scale, and sophistication of attacks”, she warns.
As techniques evolve beyond encryption, backups are no longer enough to protect the sector. Jake Moore, global cybersecurity advisor at ESET describes a “clear shift” from data encryption to double extortion.
Things have changed dramatically since the WannaCry attack in 2017, which affected up to a third of England’s NHS trusts and hundreds of GP Practices, Moore says. “At no point did the ransomware operators threaten to release the data. But today, ransomware groups like Clop and Qilin use the threat of leaking compromised healthcare data to place added pressure on their victims.”
Human and Operational Impact
Attacks on healthcare are different to other industries because they have a direct human impact. For years, healthcare treated ransomware as a data protection problem: Back it up, restore it, move on.
With double and triple extortion, this is no longer the case, experts say.
“When systems go down, clinicians lose access to records, treatment is delayed, and staff revert to manual processes that slow care and introduce risk,” Dr Darren Williams, founder and CEO, BlackFog tells IO. “Cyber resilience has become inseparable from patient safety and continuity of care.”
The Synnovis incident, which left patients unable to have blood tests for months, is a prime example of how things can quickly go drastically wrong. While it was not a direct event, the death of a patient at King’s College Hospital NHS Foundation Trust has been linked to the issues getting a blood test at the time. A spokesperson for the trust said a number of contributing factors led to the patient’s death including “a long wait for a blood test result”.
And in some cases, the sensitivity of the data accessed is exceptionally high. Take the example of New York City Health and Hospitals, the largest public healthcare system in the US, which disclosed in May that hackers stole personal data, medical records and biometric information including fingerprints, in a breach affecting at least 1.8 million people.
“Unfortunately, we see plenty of high-profile attacks that impact patient care, shutting down booking systems, ambulance routing systems, internal communications and delaying test results,” says Moore.
Poor Data Governance
The impact of poor data governance is made worse by the fact that medical records cannot simply be reissued.
At the same time, sprawl is a major issue, Dr Williams says. “Patient data lives across electronic health records, imaging systems, aging legacy platforms, connected devices, and a long tail of third-party vendors. When an organisation doesn’t know precisely where its sensitive data sits, it can’t protect it, and just as importantly, after an attack it can’t say with confidence what was taken. That uncertainty is what turns a contained incident into a full breach notification, regulatory exposure and a loss of patient trust.”
Taking the risks into account, experts believe data governance must now evolve from being a compliance chore to form the backbone of resilience. Dray Agha, senior manager of security operations at Huntress suggests a mindset shift from “box-ticking” to “operational necessity”. “This means actively minimising data footprints, enforcing strict access controls, and understanding data flows, ensuring that even when a breach occurs, critical systems remain insulated and recoverable.”
Frameworks such as ISO 27001 help provide organisations a structured way to build and evidence data governance before an attack, rather than afterwards when it’s too late.
Defining what “good” data governance means in practice, ISO 27001 demands rigorous asset management, continuous risk assessment, and precise information classification. This ensures that organisations apply security controls “directly proportionate to the value and sensitivity of the data they hold”, says Agha.
Meanwhile, ISO 22301 for Business Continuity Management directly addresses operational resilience, according to UBDS Digital’s Hannan-Jones.
Alongside data governance, regulation plays a central role in shaping how the healthcare sector manages ransomware risk. The US Health Insurance Portability and Accountability Act (HIPAA) and the UK Cyber Security and Resilience Bill and UK General Data Protection Regulation (GDPR, as well as the EU Digital Operational Resilience Act (DORA ) and the Network and Information Systems 2 directive (NIS2) are imposing stricter requirements, with security leaders required to enhance third-party risk management, maintain vendor oversight, and meet strict incident reporting rules.
Boosting Data Governance And Resilience
There’s no doubt ransomware will continue to hit organisations, and the healthcare sector remains a significant target. This makes it integral that the sector overhauls the way it governs data, knowing what it holds, where the information lives, and how it’s classified, minimised, access-controlled, and recoverable.
Addressing modern ransomware risks in healthcare requires a shift from “reactive defence” to “organisation-wide resilience”, according to BlueVoyant’s Janssen-Anessi. “This means embedding cybersecurity into core sector decision-making, ensuring that cyber resilience is built into every area of an organisation’s operations — not just the IT or security teams.”
It also means shifting from typical, siloed security models to “a fundamentally different approach that can proactively tackle cross-domain ransomware attacks”, says Janssen-Anessi. “Traditional security models are insufficient because they were largely designed and built to deal with isolated incidents and perimeter-based defence strategy rather than persistent, evolving threat activity,” she points out.
At least once a year, healthcare security and compliance leaders should be carrying out regular multi-agency cybersecurity drills and red teaming exercises, advises ESET’s Moore. “This means working with other critical services such as the fire and police service, putting systems under pressure and identifying security gaps in their data governance processes before ransomware operators can do the same.”
| What does ISO 27001 say? | |
|---|---|
| Know what information you hold | Information asset inventory and classification (A.5.9, A.5.12, A.5.13) detail how you can’t protect, recover, or accurately report on data you haven’t mapped. |
| Hold less data | Address retention and secure deletion/minimisation (A.8.10), which directly shrinks what attackers can steal. |
| Control who reaches it | Employ least privilege and access restriction (A.5.15, A.8.3), so a single compromise doesn’t expose everything. |
| Be able to recover | Backup and ICT readiness ensure resilience help with continuity (A.8.13, A.5.29, A.5.30), including tested restoration, not just backups that exist on paper. |
Expand Your Knowledge
Blog: Healthcare AI is Moving Fast, But Data Governance is Struggling to Keep Up







