Article #2 - 18 MAY 2026 By Stan van Gemert | S10 Group

Ransomware in Healthcare

The previous article opened this series with a practical reality: systems may still be running while trust has already started to weaken. Because once ransomware becomes active, the question is no longer only whether systems are available. It is whether the organisation can still keep care, decisions, and dependencies governable while the pressure continues to build. The hospital is not silent. Phones are answered. Patients are still being received. Staff are still moving between wards, desks, treatment rooms and temporary workarounds. But the environment feels different. A record is not available quickly enough. A normal workflow has become manual. A supplier route is uncertain. A team has to decide whether a service can continue safely while the facts are still incomplete. That is what ransomware increasingly creates in healthcare: not only a technical interruption, but a standing operational pressure. Persistent. Adaptive. Built around timing, dependency, data, disruption and leverage. The question is no longer only whether every attack can be prevented. It is whether the organisation can still limit the impact when one gets through. In healthcare, that question becomes immediately human. Can care continue? Can staff still trust the information in front of them? Can patients still be redirected safely? Can leadership still act before uncertainty becomes wider harm?

The pressure is persistent, not occasional

Healthcare continues to face a broad and active ransomware ecosystem. Some resilience indicators may improve over time. Organisations may pay less often. Recovery playbooks may become more mature. Backups may be better protected. Incident teams may be better prepared. All of that matters. But improvement does not mean safety. Better recovery does not remove pressure while the incident is active. It does not prevent data from being staged. It does not automatically stop lateral movement. It does not guarantee that a hospital can keep operating safely while trust is unclear. For leadership, the implication is simple: resilience cannot be designed around the hope that the next serious incident will be rare. It has to assume that pressure will continue, attackers will adapt, and some attempts will progress beyond prevention. The question is not whether healthcare can become perfectly protected. The question is whether it can keep enough control when protection is bypassed.

Vastaamo and the moment confidentiality becomes leverage

The Vastaamo psychotherapy breach is one of the clearest examples of what happens when attackers do not merely disrupt systems, but weaponise the most sensitive form of trust. Therapy notes and personal information were stolen. The organisation was extorted. Then individual patients were contacted and blackmailed directly. That is a different kind of harm. The organisation did not only lose control of data. It lost control of a duty of confidentiality that sat at the heart of the care relationship. For leadership, this is the deeper lesson: a data breach in healthcare is not only a privacy event. It can become a direct human-harm event, where vulnerable people become targets because information that should never have left the care environment is now in hostile hands. At that point, the question is no longer only: can we restore systems? It becomes: what harm is already in motion, and what could we still have interrupted earlier? That is why containment has to include data movement, not only encryption. If data theft is part of the pressure model, resilience must include the ability to reduce exposure before leverage fully forms.

Ardent Health and the pressure of timing

The Ardent Health Services attack in 2023 showed another part of the same pattern: timing and scale. The incident became known over the Thanksgiving period and affected a health system operating hospitals and care sites across multiple states. Emergency departments were placed on divert. Non-urgent procedures were affected. Systems had to be taken offline while the organisation worked to regain control. This is where ransomware pressure stops being local. A decision to divert ambulances is not an IT decision. It is a care-continuity decision. It affects emergency departments, neighbouring providers, ambulance services, patients, families, clinicians and regional capacity. The human question becomes immediate: who can decide quickly enough that a patient should be sent elsewhere? Who knows which services can still be trusted? Who has the authority to shift operations into a safer degraded mode before the pressure spreads further? That is why timing matters so much. Ransomware often arrives when the organisation is least able to absorb friction: evenings, weekends, holidays, staffing pressure, transition moments, supplier handovers or already constrained capacity. Attackers understand pressure. Healthcare leaders have to design for it.

Recovery is improving, but control can still be lost

Some healthcare ransomware reporting shows encouraging signs: lower payment rates in some periods, more structured recovery and stronger operational awareness. That matters. But a lower payment rate does not automatically mean control is stronger during the incident itself. An organisation can recover eventually and still lose too much control in the first hours or days. Data may already have left. Backups may have been targeted. Identity paths may have been abused. Supplier connections may have become unsafe. Operational teams may have been forced into workarounds before leadership had a clear picture of what was happening. The visible recovery timeline is only part of the story. The more important question is how much leverage the attacker gained before recovery started.

The cross-sector pattern

This is not only a healthcare pattern. In the Kaseya VSA attack, a trusted software pathway allowed impact to scale across many downstream organisations. In Norsk Hydro, ransomware became an operational challenge that forced parts of the business into manual processes while recovery continued. In manufacturing, the same pressure appears when production systems must keep running while remote access or plant-level dependencies become unsafe. In finance, it appears when transaction trust, customer access and privileged pathways have to be narrowed without freezing the institution. Healthcare carries a different kind of human consequence, but the underlying pattern is shared across sectors. The attacker uses dependency, timing and leverage to increase pressure before the organisation has full clarity. That is why control during the active phase matters more than the maturity label an organisation carries before the incident begins.

SOURCES

The article draws on public reporting and research into healthcare cyber incidents, regional care disruption, supplier dependency, and patient-safety consequences.

Sophos: State of Ransomware in Healthcare 2025
Public reporting on the Scripps Health ransomware incident and prolonged operational disruption
Public reporting on the Vastaamo psychotherapy data breach and patient blackmail
Public reporting on the Ardent Health Services ransomware incident and ambulance diversion
Public reporting on Kaseya VSA and Norsk Hydro as cross-sector examples of dependency, leverage and operational disruption

Scripps Health and the pressure that does not end quickly

The Scripps Health ransomware incident in 2021 remains a useful example because it shows how operational pressure accumulates over time. This was not a short outage that ended with a technical fix. For weeks, access to electronic systems was severely affected. Staff had to work through downtime procedures. Paper records returned. Patient portals and records were disrupted. Some patients were diverted. Care continued, but under conditions that became harder every day. That is the part leadership teams sometimes underestimate. The loss of control is not only the initial interruption. It is the persistence of the interruption. Every hour without trusted access creates more manual work. Every manual workaround creates more reconciliation later. Every delayed record, delayed test result, delayed appointment or delayed administrative action adds pressure that remains after systems begin to return. Recovery is not a switch. It is a long operational climb back from uncertainty. And during that climb, people carry the weight. Clinicians work with less context than they normally rely on. Nurses chart manually under pressure. Administrative teams build backlogs that can last beyond the visible technical incident. Leaders make decisions while the organisation is still discovering what it can trust. That is why ransomware cannot be measured only by downtime. It must be measured by what the absence of control forces the organisation to absorb.

The shift from encryption to leverage

The most important change is not only that ransomware activity continues. It is that the model has evolved. Encryption still matters. It can stop workflows, delay care, interrupt diagnostics and force manual workarounds. But increasingly, attackers also use data itself as leverage. Data may be accessed, copied or threatened before systems are locked. In some cases, extortion pressure exists even when encryption is not the main event. That changes the nature of the incident. If systems are encrypted, the organisation is fighting to restore availability. If data is stolen, the organisation is also fighting to preserve trust, explain exposure, manage regulatory pressure, reduce patient harm and protect people whose information may now be used against them. Recovery can bring systems back. It cannot pull stolen data back into the environment.

Where S10 Group fits

This is where S10 Group’s role becomes relevant. Not as a replacement for prevention. Not as a recovery promise. And not as another dashboard that describes the incident while pressure continues to build. S10 Group is positioned as an operational containment layer for the phase after prevention has been bypassed and before the incident becomes much harder to govern. The platform is designed to help detect malicious behaviour after entry, contain movement before it spreads further, reduce ransomware and data-theft leverage, and stabilise the environment while leadership still needs room to make decisions. In healthcare, that means supporting the ability to keep care governable under pressure. Not by pretending that incidents will never happen. But by reducing how far they can move, how much leverage attackers can build, and how much pressure is forced onto staff, patients and leadership before control is regained.

The pressure-test question

If this happened tomorrow, what would you do first? Would the first move be to wait for full confirmation? Or would there already be an agreed containment action that reduces exposure while the investigation continues? Who has the authority to make that decision immediately? Who decides whether to divert ambulances, pause a supplier connection, isolate an affected segment, restrict privileged access or keep a clinical workflow running in degraded mode? If those answers are unclear, ransomware pressure will find that hesitation. It always does.

A more realistic definition of healthcare resilience

Resilience is not the claim that attacks will never succeed. It is not the confidence that recovery will eventually happen. And it is not the existence of controls in a normal operating state. In healthcare, resilience is the ability to keep care deliverable when the environment is under pressure, trust is incomplete and decisions cannot wait. That requires the ability to detect enough to understand where pressure is forming, contain enough to stop the cascade, and stabilise enough to keep the organisation operating while trust is rebuilt. This does not replace prevention. It completes it.

The final span

This second article establishes ransomware as a standing operational pressure, not an occasional technical event. The next article moves into the dependency problem: when one breach becomes everyone’s problem because modern healthcare no longer operates as a set of isolated organisations. That is where the cascade becomes visible. And where containment starts to become a leadership question rather than a technical preference. Control can still be regained — if a containment move exists.

What standing pressure looks like in practice

Standing operational pressure is not abstract. It appears in recognisable ways.
[Table: comparison of technical failure, operational loss of control and human reality]
This is the human reality behind the operational language. Pressure accumulates when control is absent.

What changes when something slips through

Once ransomware activity moves beyond prevention, the organisation enters a different phase. The questions change quickly. Which systems can still be trusted? Which connections should be restricted before confidence is restored? Which identity paths or active sessions need to be narrowed? Can data movement be interrupted before exposure increases? Can critical care continue in a degraded but controlled way? These are not abstract security questions. They are operational decisions under pressure. And they cannot wait until every forensic answer is available.

The gap between being prepared and being able to act

Healthcare organisations often have tools, plans, escalation routes and recovery procedures. Those are necessary. But ransomware exposes a different gap: the gap between knowing something may be wrong and having an executable move that changes the outcome. Detection may show suspicious behaviour. A report may confirm compromise. A dashboard may show systems becoming unavailable. But the decisive question is more practical: what can be stopped, isolated, restricted or stabilised right now? If that answer is unclear, the organisation may be prepared on paper while still exposed in practice. Plans matter. But when the pressure becomes real, the organisation is judged by what can actually be executed.

Reducing attacker leverage

If ransomware increasingly depends on leverage, resilience has to focus on reducing that leverage before it fully forms. That may mean interrupting lateral movement before it reaches shared services. It may mean temporarily limiting data exchange. It may mean isolating a segment while preserving the minimum environment required for care. It may mean restricting a supplier route, narrowing privileged access or keeping a service running in a controlled degraded mode. None of these actions are comfortable. But they are often the difference between a contained incident and a prolonged crisis. This is where containment becomes more than a technical term. It becomes the practical way to preserve room to operate when trust is no longer complete.