Cybersecurity for the healthcare sector: why hospitals are a favorite target for ransomware

On September 10, 2020, the University Hospital of Düsseldorf, Germany, suffered a ransomware attack that rendered its systems inoperable for days. The attackers had entered through an unpatched vulnerability in the hospital's Citrix remote-access gateway, a flaw for which a fix had been available for months. A patient requiring urgent care had to be diverted to a hospital in Wuppertal, about 30 kilometers away, and died after the delayed transfer.

The case was widely reported as the first death attributed to a cyberattack. German prosecutors later concluded that the patient's condition was so severe that the delay did not cause her death, and the negligent-homicide inquiry was dropped. That nuance does not soften the lesson the incident sent to the healthcare industry worldwide: ransomware in hospitals is not an IT problem. It is a matter of life and death.

In Latin America, attacks on the health sector have steadily increased in recent years. Public hospitals, private clinics, laboratories, social service organizations, and national health systems have been victims of attacks that paralyzed operations, exposed patient data, and in some cases forced them to revert to pen and paper for days or weeks.

This article analyzes why the healthcare sector is such an attractive target for ransomware groups, what is happening in the region, and what healthcare organizations can do to protect themselves effectively.

Why hospitals are a favorite target for ransomware


It’s no coincidence that the healthcare sector consistently tops the rankings of industries most targeted by ransomware. There are structural reasons that make it particularly vulnerable and especially profitable for attackers.

The pressure of time is unbearable

In a hospital, time is literally a matter of life or death. When a retailer’s systems are attacked, the company may operate at a reduced capacity for days or weeks while the incident is resolved. When a hospital’s systems are attacked, doctors cannot access patient records, networked equipment stops working, medication orders cannot be processed, and scheduled surgeries must be canceled.

That time pressure is exactly what ransomware groups are looking for. They know that a hospital can’t afford to be down for weeks waiting to recover its systems from a backup. That urgency makes the likelihood of paying the ransom significantly higher than in other sectors.

Health data is among the most valuable commodities on the black market

Commonly cited estimates put a stolen credit card number at between one and three dollars on the black market, while a complete medical record can fetch between ten and one thousand dollars, depending on its contents. The difference is enormous and has a straightforward explanation: health data cannot be reissued or changed.

If your credit card is stolen, you cancel it and get a new one. If your medical records are stolen, those records exist and are yours forever. They contain information about illnesses, medications, surgeries, mental health history, and in many cases, complete identification data. This permanence is what makes medical records so valuable for identity theft, insurance fraud, and outright extortion of patients.

Modern ransomware groups know this. That is why many attacks on the healthcare sector combine system encryption with the prior exfiltration of patient records, creating double extortion: pay to recover the systems, and pay again to keep the patient data from being published. Because the data has already left the network, even a perfect restore from backup does not end the second demand.

The technological infrastructure is historically deficient

The healthcare sector invests heavily in medical technology: diagnostic imaging equipment, patient monitors, laboratory systems, and assisted surgical equipment. But historically, it has underinvested in the IT infrastructure that connects and protects all of that.

The result is a heterogeneous, often outdated, technology ecosystem with legacy systems that have been in operation for decades and do not receive security updates because either the manufacturer no longer provides them or the update requires regulatory validation that can take months. Many medical devices connected to the network run versions of Windows that Microsoft stopped supporting years ago.

This reality is not exclusive to developing countries. Hospitals in the developed world face the same problem. But in Latin America, it is compounded by more limited IT budgets, fewer cybersecurity specialists, and a cybersecurity culture that in many cases is only just beginning to develop.

Connected medical devices greatly expand the attack surface

The digitization of the healthcare sector has led to a proliferation of network-connected devices that were not designed with security as a priority. Vital signs monitors, infusion pumps, radiology equipment, medication delivery systems, security cameras, and dozens of other devices are now part of a modern hospital’s network.

Each of these devices is a potential entry point for an attacker. And unlike a computer that can be updated with a security patch, many of these medical devices cannot be patched without a manufacturer recertification process that can take months, or they simply don’t have updates available.

The landscape in Latin America: real cases and trends

The region is no stranger to this reality. In recent years, a number of high-profile cases have accumulated, illustrating the magnitude of the problem.

In Argentina, the 2023 attack on PAMI was one of the most high-profile. The Rhysida group managed to exfiltrate and publish data from millions of members, including medical information and sensitive personal data. The incident exposed the vulnerabilities of one of the largest healthcare systems in the region and sparked a debate about the need to invest in cybersecurity in the public health sector.

In Colombia, the Keralty healthcare network, which operates under the Sanitas brand and serves more than six million people, was attacked in November 2022 by the RansomHouse group. The attack affected appointment scheduling systems, the emergency network, and medical records, forcing patients to rely on manual processes for days. Full recovery took weeks.

In Chile, the Maule Health Service suffered an attack in 2022 that compromised primary care systems in several hospitals in the region. That same year, the University of Chile Clinical Hospital reported a security incident that affected part of its digital infrastructure.

In Mexico, multiple hospitals belonging to the IMSS and ISSSTE have reported security incidents in recent years, although the lack of mandatory breach reporting means that many cases never become public knowledge.

The pattern that repeats across these cases is familiar: outdated infrastructure, little or no network segmentation, no advanced detection tooling, and backups that either did not exist or were reachable from the compromised network and were destroyed in the same attack.

Ransomware groups targeting the healthcare sector

Not all ransomware groups attack indiscriminately. Some have stated policies against targeting hospitals or critical healthcare infrastructure. But these policies aren’t always respected, and many groups have no qualms about doing so.

LockBit is one of the most active groups globally and has attacked multiple health organizations in Latin America and elsewhere, despite having declared at one point that hospitals were off-limits to its affiliates.

Rhysida is a relatively new group, first observed in 2023, that treats the healthcare sector as one of its primary targets. The attack on PAMI in Argentina was carried out by this group, and it has attacked healthcare organizations in multiple countries in the region.

RansomHouse was responsible for the attack on Keralty in Colombia and has shown a pattern of target selection that frequently includes the Latin American health sector.

BlackCat/ALPHV is another of the most technically sophisticated groups and has had a significant presence in attacks on the health sector globally, including the February 2024 attack on Change Healthcare, the UnitedHealth Group subsidiary that processes a large share of medical claims and payments in the United States. The attackers entered through a remote-access portal protected by a password alone, without multi-factor authentication. The outage disrupted pharmacies and providers nationwide, exposed the data of millions of patients, and generated losses that UnitedHealth Group put at more than two billion dollars.

The consequences of an attack: beyond the economic cost

When discussing the impact of a ransomware attack on the healthcare sector, the cost of ransom and system recovery is only part of the story, and not necessarily the most important part.

The impact on patient care is the most immediate and serious consequence: cancelled surgeries, emergency referrals, inability to access medical records, and medication errors due to a lack of access to up-to-date information. In the most serious cases, as the Düsseldorf incident illustrated, delays in care can have irreversible consequences.

The exposure of patient data generates legal, regulatory, and reputational consequences that extend far beyond the initial incident. In many countries in the region, the exposure of health data is regulated by specific laws that provide for penalties for organizations that fail to adequately protect that information.

The cost of recovery is often far greater than the ransom demanded. Rebuilding systems, hiring incident response specialists, replacing compromised hardware, paying regulatory penalties, and covering legal costs can easily amount to several times the ransom demanded.

Reputational damage is difficult to quantify but can have lasting effects on patient trust, especially in the private sector where the choice of healthcare institution is an active decision.

How to protect a healthcare organization: a layered approach

Cybersecurity in the healthcare sector has unique characteristics that make it more complex than in other sectors. Operational constraints are real: you can't simply shut down medical equipment to patch it, you can't interrupt the connectivity of critical systems to perform maintenance, and you can't sacrifice system availability in the name of security when lives depend on that availability.

But these restrictions don’t eliminate the possibility of protection. They require an approach tailored to the realities of the sector.

Network segmentation: the most critical control

Network segmentation is the practice of dividing the hospital network into zones isolated from each other, so that an attacker who compromises one segment cannot move freely to all the others.

In a properly segmented hospital, critical medical equipment is on a separate network from administrative computers, which are in turn separated from the visitor and patient network. If ransomware enters via a phishing email on an administrative computer, it cannot spread directly to patient monitoring systems, because the firewall between the zones denies by default whatever the policy does not explicitly allow.

This is probably the security measure with the greatest impact on reducing the scope of a successful attack, and it is completely independent of the medical software used or whether the equipment can be patched or not. The usual weak points are the exceptions: a flat management VLAN, a vendor remote-access path that lands directly on the device network, or a workstation with interfaces in two zones. Segmentation is only as strong as those exceptions, so the rules between zones need to be audited against real traffic, not just drawn on a diagram.
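A zone policy like the one described above can be checked mechanically against flow records (NetFlow, firewall logs, switch mirror data). The script below is an added example, not code from the original article or from any vendor named on this page. The zones, subnets, permitted ports (DICOM on 104 and HL7 over MLLP on 2575 are assumptions) and the flow records are all constructed for illustration. It applies a default-deny policy between zones and reports every flow that no rule permits, which is how the lateral movement the paragraph describes shows up in practice.

```python
"""Audit flow records against a default-deny zone policy (added example).

Zones, subnets, allowed ports and the flow records below are constructed
for illustration; adapt them to the real VLAN plan.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone plan (assumption: one subnet per zone).
ZONES = {
    "admin":    [ipaddress.ip_network("10.10.0.0/16")],   # administrative PCs
    "clinical": [ipaddress.ip_network("10.20.0.0/16")],   # clinical workstations, HIS/EHR
    "meddev":   [ipaddress.ip_network("10.30.0.0/16")],   # monitors, pumps, imaging
    "mgmt":     [ipaddress.ip_network("10.99.0.0/24")],   # jump hosts for device maintenance
    "guest":    [ipaddress.ip_network("172.16.0.0/16")],  # patients and visitors
}
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (source zone, destination zone) -> permitted destination ports.
# None means any port inside that pair; pairs not listed are denied.
POLICY = {
    ("admin", "admin"): None,
    ("clinical", "clinical"): None,
    ("admin", "clinical"): {443},           # web front end of the HIS only
    ("clinical", "meddev"): {104, 2575},    # DICOM and HL7/MLLP (assumed ports)
    ("meddev", "clinical"): {104, 2575},
    ("mgmt", "meddev"): {22, 443},          # device maintenance only from jump hosts
    ("mgmt", "admin"): {22, 3389},
    ("mgmt", "clinical"): {22, 3389},
    ("admin", "internet"): {80, 443},
    ("clinical", "internet"): {443},
    ("guest", "internet"): None,
}

def zone_of(ip_str: str) -> str:
    """Map an address to its zone; public space is 'internet', unplanned private space 'unknown'."""
    ip = ipaddress.ip_address(ip_str)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "unknown" if any(ip in net for net in PRIVATE) else "internet"

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    src_zone: str
    dst_zone: str
    reason: str

def check(src_zone: str, dst_zone: str, dport: int):
    """Return (allowed, reason) for one flow under the default-deny policy."""
    if (src_zone, dst_zone) not in POLICY:
        return False, f"no rule permits {src_zone} -> {dst_zone}"
    ports = POLICY[(src_zone, dst_zone)]
    if ports is None or dport in ports:
        return True, ""
    return False, f"{src_zone} -> {dst_zone} permits only {sorted(ports)}, saw {dport}"

def audit(lines):
    """Parse 'ts src dst dport proto' records and return the flows the policy forbids."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, _proto = line.split()
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        allowed, reason = check(src_zone, dst_zone, int(dport))
        if not allowed:
            findings.append(Finding(ts, src, dst, int(dport), src_zone, dst_zone, reason))
    return findings

# Constructed flow records; the second, fourth and sixth are the kind of
# traffic a flat network lets through and a segmented one must block.
FLOWS = """\
# ts                  src           dst           dport proto
2024-03-04T08:01:10   10.10.4.21    10.20.1.5     443   tcp
2024-03-04T08:01:12   10.10.4.21    10.30.7.9     445   tcp
2024-03-04T08:01:15   10.20.1.5     10.30.7.9     104   tcp
2024-03-04T08:02:01   172.16.3.44   10.30.7.9     80    tcp
2024-03-04T08:02:30   10.99.0.5     10.30.7.9     22    tcp
2024-03-04T08:03:05   10.30.7.9     203.0.113.10  443   tcp
2024-03-04T08:03:40   10.10.4.21    10.10.9.3     445   tcp
""".splitlines()

if __name__ == "__main__":
    for f in audit(FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  [{f.src_zone} -> {f.dst_zone}]  {f.reason}")
```

Run against a day of real flow data, the findings are exactly the rules the firewall is missing or the hosts that sit in the wrong VLAN. The three constructed violations (an administrative PC reaching a medical device over SMB, a guest device reaching the same pump, and the pump calling out to the internet) are the paths a ransomware operator would use to move from the first phished workstation to the clinical floor.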

Endpoint detection and response

For devices that can be protected with security software—computers, servers, clinical workstations—behavioral-based detection is the most effective layer against modern ransomware.

Bitdefender GravityZone has a specific vertical for the healthcare sector that takes into account the particularities of that environment: verified compatibility with the main hospital information systems, minimal impact on the performance of clinical workstations, and centralized management that allows a small IT team to maintain visibility over hundreds or thousands of endpoints.

Its ransomware protection module includes the ability to detect the encryption process in its early stages and automatically revert changes before the attack spreads. In a hospital setting, this automatic remediation capability can be the difference between an incident contained in minutes and a crisis that paralyzes operations for days.
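The behavioural signal behind early-stage detection is simple to state: one process rewriting many files whose contents suddenly look like random bytes, usually under a new extension, within a few seconds. The script below is an added example, not code from the original article or from Bitdefender, Heimdal or any other vendor named here. It models that signal over a constructed stream of file-write events (the telemetry an EDR agent would supply) with a Shannon-entropy test, an allow-list of formats that are legitimately high-entropy, and a per-process sliding window; the thresholds are assumptions, not a product's settings.

```python
"""Behavioural detection of an encryption burst (added example).

Events are constructed in-memory stand-ins for the file-write telemetry an
EDR agent collects; the thresholds are assumptions, not a vendor's settings.
"""
import math
from collections import defaultdict, deque

HIGH_ENTROPY = 7.2        # bits per byte; ciphertext sits near 8.0
WINDOW_SECONDS = 10       # sliding window per process
THRESHOLD = 5             # suspicious writes in the window before we act
# Formats that are legitimately high-entropy (compressed or encrypted at rest),
# so entropy alone must not be trusted for them. Constructed allow-list.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".dcm"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def extension(path: str) -> str:
    """Last extension of the file name, lower-cased ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

class EncryptionBurstDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)   # pid -> timestamps of suspicious writes
        self.alerted = set()
        self.alerts = []                   # (ts, pid, path that tripped the threshold)

    def is_suspicious(self, path: str, content_after: bytes) -> bool:
        """A write is suspicious when the result looks like ciphertext and the
        extension is not one that legitimately holds high-entropy data."""
        return (shannon_entropy(content_after) >= HIGH_ENTROPY
                and extension(path) not in HIGH_ENTROPY_OK)

    def observe(self, ts: float, pid: int, path: str, content_after: bytes) -> bool:
        """Feed one write event; return True when this event tripped an alert."""
        if pid in self.alerted or not self.is_suspicious(path, content_after):
            return False
        q = self.recent[pid]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop writes outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.alerted.add(pid)
            self.alerts.append((ts, pid, path))
            return True   # the agent would suspend the process here and roll back its writes
        return False

def run(events):
    """Replay (ts, pid, path, content_after) events and return the alerts raised."""
    det = EncryptionBurstDetector()
    for ts, pid, path, data in events:
        det.observe(ts, pid, path, data)
    return det.alerts

# Constructed telemetry: a word processor saving notes, a backup job writing
# an archive, and a process rewriting records as ciphertext under a new extension.
TEXT = b"Patient 4471, bed 12, metformin 500 mg twice daily, next review Tuesday.\n" * 8
CIPHERTEXT = bytes(range(256)) * 2      # uniform bytes stand in for encrypted output
EVENTS = [
    (0.0, 1200, "/clinic/notes/round-2024-03-04.docx", TEXT),
    (0.5, 3100, "/backup/daily/2024-03-04.zip", CIPHERTEXT),
    (1.0, 6660, "/clinic/records/p4471.docx.locked", CIPHERTEXT),
    (1.2, 6660, "/clinic/records/p4472.docx.locked", CIPHERTEXT),
    (1.4, 6660, "/clinic/records/p4473.docx.locked", CIPHERTEXT),
    (1.6, 6660, "/clinic/records/p4474.docx.locked", CIPHERTEXT),
    (1.8, 6660, "/clinic/records/p4475.docx.locked", CIPHERTEXT),
    (2.0, 6660, "/clinic/records/p4476.docx.locked", CIPHERTEXT),
    (3.0, 1200, "/clinic/notes/round-2024-03-04.docx", TEXT),
]

if __name__ == "__main__":
    for ts, pid, path in run(EVENTS):
        print(f"t={ts}s pid {pid} tripped the encryption-burst threshold at {path}")
```

The allow-list is the caveat that matters in a hospital: DICOM images, compressed archives and already-encrypted exports are high-entropy by nature, so a detector that keys on entropy alone will fire on the backup job and the imaging server. Requiring both the entropy jump and an unexpected extension, and only acting after a burst of such writes from one process, keeps the word processor and the backup job quiet while the encrypting process is stopped at its fifth file rather than its five-thousandth.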

Heimdal Security complements this protection at the network layer, blocking communication between malware and its command and control servers before the attack can progress. Its patch management module automates the updating of patchable systems, reducing the attack surface without requiring manual intervention from the IT team.

Immutable backup and recovery plan

In the healthcare sector, the question isn’t if a security incident will occur, but when, and how long it will take the organization to resume operations when it does. The answer to that question is largely determined by the quality of the backup system and the existence of a proven recovery plan.

Acronis Cyber Protect is particularly relevant in this context due to its combination of backup and active protection. Its immutable cloud copies ensure that a version of the data always exists that ransomware cannot modify or delete, even with the credentials that ran the backup job. The granular recovery functionality allows for the restoration of individual files or systems without requiring a full environment restoration, significantly reducing recovery time.

Just as important as having the right backup system is testing it regularly. A backup that has never been tested is a backup that cannot be relied upon when it is needed most. Hospitals that best manage this risk conduct regular recovery drills to verify that critical systems can be restored, with their contents intact, within the timeframes defined in the business continuity plan. The drills should also confirm that the backup console and its credentials are not reachable from the production domain: backups that an attacker could reach with the same stolen credentials have repeatedly been encrypted alongside the systems they were meant to protect.
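The difference between an immutable target and an ordinary backup share is easiest to see when both are subjected to the same drill after a simulated attack. The script below is an added example, not code from the original article or from Acronis or any other vendor named here. Both stores are in-memory stand-ins: WritableShare behaves like a network share the backup job writes to with production credentials, ImmutableStore mimics the object-lock (WORM) semantics of an immutable backup target with a retention period. The file contents are constructed sample data standing in for EHR exports; the retention period and RTO are assumptions.

```python
"""Immutable backup versus a writable share, exercised by a restore drill (added example).

Both stores are in-memory stand-ins; ImmutableStore mimics object-lock (WORM)
semantics, WritableShare mimics a share reachable with production credentials.
"""
import hashlib
import time

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class WritableShare:
    """Plain key/value store: whoever holds the credentials can overwrite or delete."""
    def __init__(self):
        self.objects = {}
    def put(self, key, data):
        self.objects[key] = bytes(data)
    def get(self, key):
        return self.objects[key]
    def delete(self, key):
        del self.objects[key]

class ImmutableStore:
    """Write-once store: a key, once written, cannot be changed or deleted while retained."""
    def __init__(self, retention_seconds: float):
        self.objects = {}          # key -> (data, expires_at)
        self.retention = retention_seconds
    def put(self, key, data):
        if key in self.objects:
            raise PermissionError(f"{key} already exists and is locked")
        self.objects[key] = (bytes(data), time.time() + self.retention)
    def get(self, key):
        return self.objects[key][0]
    def delete(self, key):
        _data, expires_at = self.objects[key]
        if time.time() < expires_at:
            raise PermissionError(f"{key} is under retention lock")
        del self.objects[key]

def backup(store, files: dict) -> dict:
    """Write each file under a versioned key; return the manifest {path: (key, sha256)}."""
    manifest = {}
    for path, data in files.items():
        key = f"{path}@{sha256(data)[:16]}"
        store.put(key, data)
        manifest[path] = (key, sha256(data))
    return manifest

def restore_drill(store, manifest: dict, rto_seconds: float) -> dict:
    """Restore every object, verify it against the manifest hash and time the run.
    The drill passes only if nothing is missing or altered and the restore fits the RTO."""
    start = time.monotonic()
    failures = []
    for path, (key, digest) in manifest.items():
        try:
            data = store.get(key)
        except KeyError:
            failures.append((path, "missing"))
            continue
        if sha256(data) != digest:
            failures.append((path, "hash mismatch"))
    elapsed = time.monotonic() - start
    return {"passed": not failures and elapsed <= rto_seconds,
            "failures": failures, "elapsed_seconds": elapsed}

def simulate_ransomware(store, manifest: dict) -> list:
    """What an attacker holding the backup credentials can do to each stored object."""
    outcomes = []
    for path, (key, _digest) in manifest.items():
        try:
            store.put(key, b"\x00" * 32)          # try to overwrite with garbage
            outcomes.append((path, "overwritten"))
        except PermissionError:
            try:
                store.delete(key)                  # then try to delete it
                outcomes.append((path, "deleted"))
            except PermissionError:
                outcomes.append((path, "protected"))
    return outcomes

# Constructed sample data standing in for EHR exports.
FILES = {
    "ehr/patients.csv": b"id,name,dob\n4471,Jane Doe,1961-04-02\n",
    "ehr/orders.hl7": b"MSH|^~\\&|HIS|HOSP|LAB|HOSP|20240304||ORM^O01|1|P|2.3\n",
}

if __name__ == "__main__":
    for name, store in (("writable share", WritableShare()),
                        ("immutable store", ImmutableStore(retention_seconds=30 * 86400))):
        manifest = backup(store, FILES)
        print(name, "attack:", simulate_ransomware(store, manifest))
        print(name, "drill :", restore_drill(store, manifest, rto_seconds=60.0))
```

The drill passes on both stores before the attack, which is exactly why an untested or un-attacked backup tells you nothing. After the simulated attack the writable share fails on every object with a hash mismatch, while the immutable store refuses both the overwrite and the delete and restores intact. The hash check is the part of a real drill most often skipped: a restore that completes on time but yields altered or empty files is not a recovery.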

Identity and privileged access management

Attacks that come in through compromised credentials are especially dangerous in the healthcare sector because hospital systems tend to have many users with high levels of access: doctors who need to access multiple systems, IT administrators who manage critical infrastructure, and external providers who connect remotely for maintenance.

Enforcing multi-factor authentication on all remote access and critical systems, managing privileged access with a dedicated privileged access management (PAM) tool, and periodically reviewing which users and vendors have access to which systems are basic controls that significantly reduce the risk of compromise through credentials. Vendor remote access deserves particular attention: brokered, time-limited sessions through a jump host are far safer than standing VPN accounts that are rarely reviewed and often shared.

Training of clinical and administrative staff

Healthcare professionals are naturally oriented toward patient care, not cybersecurity. That’s understandable and correct. But it also means that without specific training, they are especially vulnerable to phishing and other social engineering techniques.

Security training for the healthcare sector cannot be the same as for the technology sector. It must be brief, practical, relevant to the clinical context, and repeated frequently. Phishing simulations adapted to the hospital setting, clear protocols on what to do when receiving a suspicious email, and simple reporting channels are more effective than lengthy theoretical training sessions that clinical staff don’t have time to absorb.

The regulatory framework: what the law requires in the region

Information security regulations in the health sector vary significantly between countries, but the regional trend is towards greater stringency.

In Argentina, Law 25.326 on the Protection of Personal Data establishes specific obligations for the handling of sensitive data, a category that includes health data. The enforcement authority, the AAIP, has the power to impose sanctions and has increased its regulatory activity in recent years.

In Colombia, Law 1581 of 2012 and its implementing decrees establish a data protection framework that applies with particular rigor to health data, classified as sensitive data. The Superintendency of Industry and Commerce has sanctioned healthcare organizations for the improper handling of patient data.

In Chile, Law 19.628 on the protection of private life has been replaced by Law 21.719, published in December 2024, which significantly strengthens security requirements and penalties for non-compliance, creates a Personal Data Protection Agency, and treats health data as sensitive data. Its provisions enter into force in December 2026.

In Mexico, NOM-024-SSA3-2012 establishes specific security requirements for health information systems, including protection measures for electronic clinical records.

Failure to comply with these regulations in the context of an attack that exposes patient data can result in significant financial penalties that add to the already high cost of the incident.

Conclusion

The Latin American health sector is at the intersection of two mutually reinforcing trends: accelerated digitization that expands the attack surface and sustained growth of ransomware groups that have identified the sector as one of their most profitable targets.

Protecting oneself in this context is not easy. The operational constraints of the hospital environment are real, budgets are limited, and the complexity of healthcare technology environments is genuinely high. But the alternative—continuing to operate with insufficient levels of protection—has consequences that go far beyond the economic.

Healthcare organizations that are taking cybersecurity seriously aren’t doing so because it’s mandatory or because someone is forcing them to. They’re doing it because they understand that the continuity of their patients’ care depends on their systems functioning, and that today that continuity is more threatened than ever.

Does your healthcare organization want to assess its level of exposure and the most appropriate solutions for its context? At aufieroinformatica.com you can consult with our cybersecurity specialists.
