Healthcare cybersecurity expert, True North ITG Co-Founder and CEO Matt Murren unpacks a common security threat his clients face: a ransomware attack via Remote Desktop Protocol. In this post, he shares a real-world example of a ransomware attack through Remote Desktop Protocol and how your organization can prevent a similar attack.

What is a ransomware attack?

The U.S. Cybersecurity and Infrastructure Security Agency describes ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” In an attack, malicious actors will then “demand ransom in exchange for decryption.”

Ransomware attacks can wreak havoc in any organization, but healthcare organizations are particularly vulnerable as they depend on technology and systems to care for human lives.

THE ATTACK: What is an example of a ransomware attack via Remote Desktop Protocol?

Malware and ransomware attacks are not as easy to spot as they once were. Today's attackers are more sophisticated, executing their plans slowly and deliberately. Recently, we handled a client case in which attackers had a foothold on the internal network for nearly five weeks without causing any detectable impact.

The attackers methodically planted their tooling across all seven locations of the affected organization, using the following vectors:

  • Remote Desktop Protocol: accessed with a valid user password that the attackers obtained through email (the initial point of entry)

  • Infected files: sent to internal users to gain access to further parts of the network

  • Network controls: altered to allow traffic to traverse between the organization's networks, so the attackers could move between sites

  • Lack of patching: unpatched vulnerabilities in the Remote Desktop Protocol services were exploited

Once the attackers had thoroughly and strategically set the malware foundation in place, they disabled all systems at once. Server software was compromised, workstations were erroring out, and all sites of care were shut down.

Predictably, a ransom request came through a few hours later demanding $4.2 million in exchange for returning the organization’s functionality.

THE IMPACT: What are the organizational consequences?

In this specific situation, the organization was able to avoid paying the $4.2 million. (Quick note: not paying is nearly always the advisable approach, as paying the original amount often triggers a second ransom demand and/or additional attacks.) Unfortunately, the ransom is not the only harmful aspect of these breaches.

Organizations that experience an attack also suffer from:

  • Lost productivity and revenue during downtime

  • Inability to provide care to patients

  • External brand impact and lost patient loyalty

  • Internal frustration and eroded trust

  • Mitigation costs (in this case, $1 million)

In this specific example, recovering from the attack required locking down the network for hours while thoroughly cleaning servers and deploying 45 staff members working 24/7 to get the workstations back up.

YOUR APPROACH: What precautions can my team put in place to prevent a ransomware attack like this?

As attackers become increasingly sophisticated, healthcare organizations are called to establish equally sophisticated defense mechanisms. Below are key precautions we recommend implementing to prevent a ransomware attack or mitigate its impact:

People and Policy Prevention Tips

Conduct a Regular Risk Analysis/Network Vulnerability Assessment

  • Identify vulnerable points most likely to get hit by attackers and make a plan to mitigate those risks

  • Evaluate and address staff adherence to security procedures

  • Double-check where your data back-ups are saved (Pro tip: keep at least one copy off the main network, offline or otherwise isolated, so that an attacker who encrypts production systems cannot reach it; intact backups remove the main reason to pay a ransom)

Document your Security Incident Response: Roles and Tracking

  • Create an established plan for security breach response

  • Identify who holds specific response roles and what each individual is responsible for handling

  • Investigate, debrief, and learn from any event

  • Practice your security incident response in drills to get visibility into gaps and ensure your team is ready

Create a Risk Mitigation Calendar  

  • Schedule all risk analysis activities to keep up with critical tasks

  • Validate and verify your data backups (including a test restore) on a quarterly or semi-annual basis

  • Assign dates for security incident response drills

Security and Technology Prevention Tips

Detect Early

  • Invest in security information and event management (SIEM) software whose alerts feed your security operations center

  • Set up alerting and monitoring procedures for concerning events
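As an added example (not code from the original post or from True North's own tooling), the following Python script shows the kind of alerting rule the bullets above call for, applied to the entry point used in the attack described earlier. It reads a constructed sample of Windows Security logon events, using the standard event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. an RDP session), and raises an alert for an RDP logon from outside the organization's address space and for a run of failed logons on one account from one source that ends in success. The one-line log format, the internal address ranges and the thresholds are assumptions made for this example; a real SIEM would consume the native event log.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security log values (not page-specific):
#   4624 = successful logon, 4625 = failed logon,
#   LogonType 10 = RemoteInteractive, i.e. an RDP session.
LOGON_SUCCESS, LOGON_FAILURE, RDP_LOGON_TYPE = "4624", "4625", "10"

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample events in a simplified one-line form (not the native
# EVTX/XML layout). Lines 1-4 are a short password-guessing run against one
# account from an Internet address that then succeeds; the rest is normal.
SAMPLE_EVENTS = """\
2023-03-01T02:14:01 EventID=4625 LogonType=10 User=jsmith SrcIP=203.0.113.45
2023-03-01T02:14:03 EventID=4625 LogonType=10 User=jsmith SrcIP=203.0.113.45
2023-03-01T02:14:06 EventID=4625 LogonType=10 User=jsmith SrcIP=203.0.113.45
2023-03-01T02:16:10 EventID=4624 LogonType=10 User=jsmith SrcIP=203.0.113.45
2023-03-01T09:00:00 EventID=4624 LogonType=10 User=itadmin SrcIP=10.20.30.40
2023-03-01T09:05:00 EventID=4624 LogonType=2 User=nurse1 SrcIP=10.20.30.41
2023-03-01T09:07:00 EventID=4625 LogonType=10 User=nurse2 SrcIP=10.20.30.42
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$")


def parse_events(text):
    """Parse the sample format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["ip"] = ipaddress.ip_address(ev["ip"])
        events.append(ev)
    return events


def is_internal(ip):
    """True if the source address falls inside the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def detect_rdp_alerts(text, fail_threshold=3, window=timedelta(minutes=10)):
    """Return alerts for two RDP patterns:
    - a successful RDP logon from outside the internal address space;
    - at least fail_threshold failed logons for one (user, source) pair
      within `window`, followed by a successful logon from the same pair."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        if ev["lt"] != RDP_LOGON_TYPE:
            continue  # only RDP (RemoteInteractive) sessions are of interest here
        key = (ev["user"], str(ev["ip"]))
        if ev["eid"] == LOGON_FAILURE:
            failures[key].append(ev["ts"])
            continue
        if ev["eid"] != LOGON_SUCCESS:
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append({"rule": "rdp_bruteforce_then_success",
                           "user": ev["user"], "src": str(ev["ip"]),
                           "failures": len(recent), "time": ev["ts"].isoformat()})
        if not is_internal(ev["ip"]):
            alerts.append({"rule": "rdp_logon_from_external_ip",
                           "user": ev["user"], "src": str(ev["ip"]),
                           "time": ev["ts"].isoformat()})
        failures[key].clear()  # a success closes the failure window for that pair
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the script raises both alerts for the jsmith session from 203.0.113.45 and nothing for the internal administrator logon or the single failed attempt. In production the first rule is only meaningful if RDP is not supposed to be reachable from the Internet at all; if it is, that exposure is the finding, not the alert.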

Back up Data Regularly and Safely

  • Back up servers and critical data to both offsite and on-premises locations, keep at least one copy isolated from the production network, and test restoring from those backups at least twice a year
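The backup checks called for here and in the risk analysis and risk mitigation calendar sections above all come down to the same question: is the copy we would restore from complete, unmodified and recent? As an added example (not from the original post or True North's own tooling), the Python below records a SHA-256 manifest of a backup set at backup time and later verifies a copy against it, reporting files that are missing, whose contents changed (which is what in-place encryption looks like), that were not in the manifest, and whether the copy is stale. The sample backup set, the tampering and the seven-day freshness policy are constructed for the example.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Assumed policy for this example: a backup copy is "stale" if its newest
# file is older than this many days.
MAX_AGE_DAYS = 7


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each file's path (relative, forward slashes) to its SHA-256.
    Written at backup time and stored with the offline copy."""
    root = Path(backup_dir)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_dir, manifest, now=None, max_age_days=MAX_AGE_DAYS):
    """Compare a backup copy with its manifest. Returns the lists of missing,
    corrupted (hash mismatch) and unexpected files plus a staleness flag;
    'ok' is True only when every check passes."""
    root = Path(backup_dir)
    now = time.time() if now is None else now
    present = build_manifest(root)
    missing = sorted(f for f in manifest if f not in present)
    corrupted = sorted(f for f in manifest if f in present and present[f] != manifest[f])
    unexpected = sorted(f for f in present if f not in manifest)
    newest = max((p.stat().st_mtime for p in root.rglob("*") if p.is_file()), default=0)
    stale = (now - newest) > max_age_days * 86400
    return {"missing": missing, "corrupted": corrupted, "unexpected": unexpected,
            "stale": stale, "ok": not (missing or corrupted or unexpected or stale)}


def demo():
    """Constructed scenario: manifest a small backup set, verify it clean,
    verify it again as if a month had passed, then simulate what ransomware
    does to a reachable copy (encrypt a file, delete one, drop a note)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "emr").mkdir()
        (root / "emr" / "charts.db").write_bytes(b"patient chart data")
        (root / "config.ini").write_text("[db]\nhost=emr-db\n")
        manifest = build_manifest(root)

        clean = verify_backup(root, manifest)
        stale = verify_backup(root, manifest, now=time.time() + 30 * 86400)

        (root / "emr" / "charts.db").write_bytes(b"\x00ENCRYPTED\x00")
        (root / "config.ini").unlink()
        (root / "README_TO_DECRYPT.txt").write_text("pay us")
        tampered = verify_backup(root, manifest)
        return {"clean": clean, "stale": stale, "tampered": tampered}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The manifest must live with the isolated copy, not on the production network, or an attacker who reaches the backups can rewrite both. A hash check proves integrity, not restorability; it complements the periodic test restore rather than replacing it.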

Plan and Practice for an Attack

  • Establish a procedure for severing affected systems from the network so the electronic medical record (EMR) system can be recovered in isolation

  • Save a read-only version of your EMR to help the incident response team access necessary charts and notes, enabling surgeries and appointments (and revenue, too!) to carry on.

Immediate Actions: Dos and Do Nots

If you do encounter a ransomware attack, there are several next steps you must take—and a few missteps you should avoid.

Do:

  • Contact your I.T. security provider or internal security staff

  • Contact your I.T. cyber liability insurance provider

  • Contact the FBI (for cyber liability insurance reasons)

  • Start your business continuity and recovery process with your technical and operational team

  • Document everything

Do not:

  • Chat with the attacker

  • Divulge any information or terms

  • Begin negotiations without the FBI, a security expert, or your insurance team available

  • Start any process without a lead incident manager and thorough documentation

  • Wait to bring in your operational team. Everyone should be involved in addressing the event to see and tackle each level of impact.

Following these dos and do nots will help keep your patients safe, stabilize your response team, and support recovery and reimbursement of the costs incurred during recovery.

One final note: If you do communicate with the attacker, be sure to mention that you have contacted local FBI agents.

Bottom Line:

Ransomware attacks via Remote Desktop Protocol have the potential to devastate the finances and operations of hospitals and health systems – not to mention the lives of patients. Though this threat is not likely to diminish, there are strong tactics available to empower your organization to prevent and combat a potential attack. These include educating your teams to recognize suspicious activity, conducting regular risk assessments and mitigation activities, reviewing and closing security gaps, establishing thorough protocols and alert systems, and consistently practicing your security incident response plan.

Proactive preparation may take time and effort, but it is always better than cleaning up after an avoidable mess.

About True North ITG

True North ITG is a Healthcare I.T. and Cloud Service Provider that helps business stakeholders improve their bottom line. True North’s Consulting, Cloud Hosting, and I.T. solutions help healthcare businesses navigate technology challenges to reach full I.T. maturity and gain a competitive advantage through agile, efficient, cost-effective, and secure technology solutions. Learn more at: https://www.True