The ChipSoft ransomware attack affected approximately 80% of Dutch hospitals. ChipSoft's HiX electronic patient record system is the dominant clinical information system in the Netherlands, used for medication management, lab results, surgical planning, care coordination, and emergency triage. When HiX went down, hospitals reverted to paper processes. Surgeries were postponed. Medication administration required manual verification against paper records maintained before the attack. Ambulance diversions were implemented at affected hospitals.
In the same week, Anubis ransomware struck Signature Healthcare, a US long-term care provider, encrypting administrative and clinical systems and, according to early reports, exfiltrating patient data from 38 facilities.
These are not unusual events for healthcare. The sector has been the most consistently targeted of any critical infrastructure vertical for ransomware groups over the past five years. The attacks are larger, more frequent, and more disruptive than they were in 2020 and 2021, when the first wave of healthcare ransomware attacks prompted an outpouring of industry concern and government attention. That concern and attention has not translated into a proportionate improvement in the sector's resilience.
The Reframing That Has Not Happened
When a hospital is hit by ransomware, the incident is processed as a cybersecurity event. The CISO or IT director leads the response. The incident response firm is engaged. The regulators are notified of a data breach. The board receives a report on the technology impact and the recovery timeline.
What is consistently absent from this framing is a direct clinical risk assessment: how many patients received suboptimal care during the downtime period? How many medication errors occurred because pharmacy systems were unavailable? Were any patients harmed as a result of ambulance diversions or delayed surgical procedures?
These questions are difficult to answer precisely, which is part of why they are rarely asked formally. Healthcare organisations are not structurally set up to attribute patient harm to IT failures in the way they are set up to attribute patient harm to clinical errors. Root cause analysis frameworks, incident classification systems, and regulatory reporting pathways are all designed for clinical events, not technology events that produce clinical consequences.
The consequence is that the healthcare sector systematically underreports the patient safety impact of ransomware attacks. Studies that have attempted to measure this, examining mortality data, adverse event rates, and outcome metrics before and after major hospital ransomware attacks, have found statistically significant increases in mortality at affected hospitals during downtime periods. The effect is not large enough to appear in individual incident reports. It is visible in aggregate data. Healthcare organisations are not seeing it because they are not looking for it.
Why Healthcare Is Consistently Targeted
Ransomware operators target healthcare because it works. The combination of critical operational dependency on clinical systems, limited security investment relative to other regulated industries, pressure not to disrupt patient care, and reputational incentive to resolve incidents quickly makes healthcare one of the most reliably profitable targets available.
The moral dimension, that attacking hospitals risks patient lives, is not a deterrent. Criminal ecosystems do not self-regulate on the basis of the harm they cause. Some ransomware groups have made public statements about not targeting hospitals; those statements have been observed to be inconsistent with their actual targeting behaviour. The ChipSoft attack demonstrates that healthcare system-wide disruption remains an acceptable outcome for current ransomware operators.
The structural vulnerabilities that make healthcare attractive (legacy clinical systems that cannot be easily patched, flat network architectures inherited from a pre-threat era, large numbers of connected medical devices with no meaningful security controls, and a procurement environment that historically prioritised clinical functionality over security features) are well-documented and slow to change.
What Adequate Investment Looks Like
Healthcare information security budgets are, across the sector, substantially lower than financial services or government as a percentage of IT spend. This is partly a function of how healthcare has historically viewed IT, as a cost centre supporting clinical operations rather than as critical infrastructure requiring investment in its own right, and partly a function of the genuine competing demands on healthcare capital: clinical equipment, facilities, staffing, and the perpetual pressure of operating budgets.
The argument that improved security investment in healthcare has a clinical ROI, measured not just in avoided ransom payments and recovery costs but in avoided patient harm, has been made repeatedly in academic and policy literature. It has not consistently reached the decision-makers who set healthcare capital budgets.
DORA and NIS2, for European healthcare organisations, and HIPAA Security Rule enforcement in the US, provide regulatory pressure that is beginning to change this calculus. The fines are not yet at a level that changes investment decisions for large health systems, but the regulatory direction is clear and the threshold for enforcement action on demonstrably inadequate security posture is moving.
The Governance Question
Ransomware in healthcare ultimately demands a governance response that treats clinical risk and cyber risk as the same risk category, because in a digitised clinical environment, they are.
Hospital boards that have approved capital budgets for MRI equipment, surgical robotics, and building infrastructure without equivalent scrutiny of clinical information system resilience are making an incomplete risk assessment. The clinical risk from a two-week HiX outage is comparable in its patient safety implications to many physical infrastructure failures that would receive immediate board-level attention.
The ChipSoft attack will produce a recovery. The Dutch healthcare sector will resume normal operations. The next attack on a major clinical system provider will follow. Until healthcare governance structures treat the resilience of clinical information systems as a patient safety matter, not just a data protection matter, the structural conditions that make healthcare the preferred target of ransomware operators will remain intact.