
Health-ISAC Hacking Healthcare 1-17-2025

This week, Health-ISAC®‘s Hacking Healthcare® examines a new proposal from the UK that may ban healthcare entities from making ransomware payments and require the reporting of ransomware incidents to the government. Join us as we break down what the three proposals are and then analyze what it may mean for the healthcare sector.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).


PDF Version: TLP WHITE Hacking Healthcare 1.17.2025 (PDF, 50.3 kB)


Text Version:

Welcome back to Hacking Healthcare®.

UK Consultation: Government Proposes Potential Ransomware Payment Ban for Critical Infrastructure

On Tuesday, the UK Home Office published an open consultation on “proposals to increase incident reporting and reduce payments to criminals.”[i] Hacking Healthcare has been following these developments and discussed potential proposals back in May of last year[ii], but with the new government now settled in, we are finally seeing concrete steps forward. Let’s examine the new proposals and what they might mean for the healthcare sector.


What is the issue?

Ransomware continues to be a blight on the public and private sectors, with the UK’s National Cyber Security Centre’s (NCSC) Annual Review 2024 stating that “ransomware attacks continue to pose the most immediate and disruptive threat to the UK’s critical national infrastructure.”[iii] The press release for the new proposals specifically calls out the impact of ransomware attacks on a key supplier to London-area hospitals and the National Health Service (NHS). The Consultation Options Assessment for the proposals, which provides additional background material on the consultation and an impact analysis, also identifies that ransomware incidents have continued on an upward trend and cites “polling commissioned by the Home Office showing that nearly three quarters (74%) of the public were concerned about the possibility of ransomware”.[iv]


What are the proposals?

The UK’s Home Office describes these proposals as “world leading” and claims that they are “Aiming to strike at the heart of the cybercriminal business model and protect UK businesses by deterring threats.”[v] The proposals are also described as having been developed with support from various government entities, industry experts, and think tanks. In particular, the press release cites the insights gained from the UK’s involvement with the Counter Ransomware Initiative, which we previously covered last October.[vi]


So what are the proposals?

1. Targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure (CNI)[vii], that are regulated, or that have competent authorities[viii].

2. A new ransomware payment prevention regime to cover all potential ransomware payments from the UK.

3. A ransomware incident reporting regime.

An analysis of these proposals and the impact they may have is included in the Action & Analysis section.


What comes next?

The UK Home Office is requesting that interested parties provide their views on the proposals by 17:00 on 8 April 2025[ix]. The Home Office will review the feedback that has been submitted and provide a response at a later date.


Action & Analysis
**Included with Health-ISAC Membership**


[i] https://www.gov.uk/government/consultations/ransomware-proposals-to-increase-incident-reporting-and-reduce-payments-to-criminals

[ii] https://health-isac.org/health-isac-hacking-healthcare-5-27-2024/

[iii] https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime

[iv] https://assets.publishing.service.gov.uk/media/67865faff029f40e50881768/20250114_-_Consultation_OA_SECMIN_.pdf

[v] https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime

[vi] https://health-isac.org/health-isac-hacking-healthcare-10-9-2024/

[vii] The 13 national infrastructure sectors in the UK include Chemicals, Emergency Services, and Health. Critical national infrastructure is a subset within these: https://www.npsa.gov.uk/critical-national-infrastructure-0

[viii] The term Competent Authority generally refers to an entity with expertise that has been granted authority to regulate or oversee a particular sector or function.

[ix] Time and date are assumed to be local to the UK Home Office.

[x] https://health-isac.org/health-isac-hacking-healthcare-8-11-2023/

[xi] https://health-isac.org/health-isac-hacking-healthcare-4-16-2024/

[xii] https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia

[xiii] https://assets.publishing.service.gov.uk/media/67864097c6428e013188175a/Consultation-Document-Proposals-v2.pdf

[xiv] https://assets.publishing.service.gov.uk/media/67864097c6428e013188175a/Consultation-Document-Proposals-v2.pdf

[xv] https://assets.publishing.service.gov.uk/media/67864097c6428e013188175a/Consultation-Document-Proposals-v2.pdf

[xvi] https://assets.publishing.service.gov.uk/media/67864097c6428e013188175a/Consultation-Document-Proposals-v2.pdf

[xvii] https://assets.publishing.service.gov.uk/media/67864097c6428e013188175a/Consultation-Document-Proposals-v2.pdf
