How Human-Operated Ransomware Attacks Are Targeting Healthcare Organizations

Post Summary

What are human-operated ransomware attacks?

These attacks involve human adversaries who infiltrate networks, adapt to vulnerabilities, and spend months stealing credentials, moving laterally, and waiting for the best opportunity to exploit a system.

Why are healthcare organizations targeted by ransomware?

Healthcare organizations are a top target because they store valuable patient data and often have less robust cybersecurity measures compared to other industries like finance.

What is the best defense against ransomware attacks?

The #1 defense is a robust data backup and recovery system, which ensures quick restoration of data and eliminates reliance on ransom payments.

How can healthcare organizations reduce ransomware risks?

Train staff on cybersecurity policies and awareness. Perform initial and ongoing risk assessments for all technologies, especially remote access tools. Keep backup systems up-to-date and test recovery plans regularly.

What are the most vulnerable attack vectors for healthcare organizations?

Vulnerabilities often occur through VPNs and remote access connections, especially when flaws in remote access products are overlooked or unmanaged.

With experience in sysadmin functions, malicious actors are taking advantage of common misconfigurations in network security, probing defenses, and adapting to what is revealed. Lately, human adversaries have been observed spending months stealing and adding credentials and leaving indiscernible footprints that enable lateral movement in compromised networks. These are not hit-and-run operations that break in, encrypt data, and make immediate ransom demands.

Small, everyday detection alerts that seem easy to dismiss may be signs that someone who has already broken into the network is probing it to learn what the threshold for scrutiny is. These long-game invasions aren’t always concerned with stealth. By utilizing built-in local administrator accounts, common account names, or even service accounts of known vendors, these bad actors may be moving around freely without attracting attention.

It may be the devastating ransomware news story that gets attention, but what you’re not hearing is how things got to that point. While exploring network vulnerabilities, these human adversaries may use single machines for other purposes, as recently observed: sending a short burst of spam email or having an internal machine complete a network scan for other vulnerabilities in a matter of seconds. In other words, many of these ransomware attackers are patiently waiting for the best opportunity to exploit a found vulnerability.
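The two machine-level signals described above (a network scan finished in seconds, a short burst of spam) can be surfaced from connection logs with a sliding-window count per source host. The following is an added example, not part of the original article; the log format, thresholds, and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample flow records ("ISO-time src dst dport"), not real traffic.
SAMPLE = (
    # one workstation touching 12 different hosts on port 445 in 12 seconds
    [f"2024-01-10T02:14:{s:02d} 10.0.4.17 10.0.4.{s + 20} 445" for s in range(12)]
    # one workstation opening 8 outbound SMTP connections in 8 seconds
    + [f"2024-01-10T03:00:{s:02d} 10.0.7.30 203.0.113.{s + 1} 25" for s in range(8)]
    # ordinary traffic that should not alert
    + ["2024-01-10T03:05:00 10.0.2.5 10.0.2.9 443",
       "2024-01-10T03:09:00 10.0.2.5 10.0.2.10 443"]
)

def detect(lines, window=10, scan_targets=10, smtp_conns=5, mail_relays=frozenset()):
    """Return {(src, kind): time the threshold was first crossed}.

    Assumes lines are in time order. Thresholds are illustrative and need
    tuning against a baseline of the environment's normal traffic.
    """
    recent = defaultdict(deque)  # src -> (time, dst, dport) seen in the window
    alerts = {}
    for line in lines:
        ts, src, dst, dport = line.split()
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, dst, int(dport)))
        # Drop records older than the window so counts reflect a short burst.
        while (now - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct_targets = {(d, p) for _, d, p in q}
        smtp_count = sum(1 for _, _, p in q if p == 25)
        if len(distinct_targets) >= scan_targets:
            alerts.setdefault((src, "scan"), ts)
        # Known mail relays legitimately open many SMTP connections.
        if smtp_count >= smtp_conns and src not in mail_relays:
            alerts.setdefault((src, "smtp_burst"), ts)
    return alerts

if __name__ == "__main__":
    for (src, kind), first_seen in detect(SAMPLE).items():
        print(f"{first_seen} {src} {kind}")
```

Alerts like these are low severity on their own, which is why they are easy to dismiss; correlating them with logons by built-in administrator or vendor service accounts on the same host gives them context.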

Healthcare organizations (HCOs) are the second most popular target behind financial institutions because of the payoff amounts attackers can get when successful. And HCOs spend far fewer dollars on cybersecurity than the financial sector.

The #1 defense against ransomware is having an excellent data backup and recovery system. The reason ransomware works is that it denies access to or alters essential enterprise or patient data. If you have a copy of that data which is not locked or altered and a procedure to quickly restore it, you have your way out of the data prison. Sure, an adversary could also threaten to release captured data to prove a compromised system, but this is different from a ransomware attack that stops patient care or hospital operations. It doesn’t mean you should not also be taking other steps to reduce data risk, but you can’t get locked out of your house for long if you keep a spare copy of the keys somewhere safe.

The human factor is highly impactful in preventing cybersecurity failures. Kaspersky conducted a survey among healthcare workers and found that 32% had never received cybersecurity training from their workplace. Additionally, 10% of managers weren’t aware of a cybersecurity policy.

Some of the most vulnerable attack vectors right now are through VPN and remote access connections. HCOs have far less experience in managing remote access than other systems. Flaws in the newer crop of remote access products leave even more vulnerabilities and therefore opportunities ripe for exploitation. This is another reason why completing initial risk assessments and conducting re-assessments with product updates is essential. You can’t easily guard against things of which you are not even aware. Even established remote access products like Citrix have been shown to include vulnerabilities.

Our advice for combating ransomware threats starts with robust backup and recovery systems. Train all staff on cybersecurity policies and conduct awareness training to minimize threats even beyond ransomware. And keep risk assessments up-to-date for 100% of technology vendors, especially as those products change. Awareness is essential to know where and when to act. For a deep dive into the strategy of human-operated ransomware attacks, we recommend reading Microsoft’s report on prevention.

Key Points:

What are human-operated ransomware attacks, and how do they work?

  • Human-operated ransomware attacks involve skilled adversaries who infiltrate networks and adapt to discovered vulnerabilities.
  • Attackers often spend months stealing credentials, performing lateral movement, and leaving minimal footprints before exploiting a system.
  • Unlike hit-and-run ransomware attacks, these long-game tactics involve probes and reconnaissance to identify weak points and determine thresholds for detection.

Why are healthcare organizations targeted by ransomware?

  • Healthcare organizations store valuable patient data, which makes them a lucrative target for cybercriminals.
  • The average cost of a healthcare data breach exceeds $7 million, making ransom payments highly profitable for attackers.
  • Compared to industries like finance, healthcare spends significantly less on cybersecurity as a percentage of IT budgets.
  • The reliance on third-party vendors, cloud software, and network-connected devices increases their attack surface.

What are the key vulnerabilities exploited in healthcare ransomware attacks?

  • VPNs and remote access connections are common attack vectors due to misconfigurations and flaws in remote access products.
  • Built-in administrator accounts and common credentials are often used to move laterally within networks.
  • Lack of risk reassessments when products are updated leads to unaddressed vulnerabilities.
  • Insufficient staff training and lack of cybersecurity policies leave employees unaware of potential threats.

What is the best defense against ransomware attacks?

  • A robust data backup and recovery system is the most effective defense, ensuring quick restoration of data without paying a ransom.
  • Backups should be secure, unaltered, and regularly tested to ensure they work when needed.
  • Other defenses include conducting risk assessments, maintaining up-to-date security policies, and ensuring all stakeholders are trained in cybersecurity awareness.

How can healthcare organizations reduce the risk of ransomware attacks?

  • Train employees: Conduct regular cybersecurity training to help staff recognize threat vectors and understand how to respond to potential attacks.
  • Update risk assessments: Perform initial and ongoing risk assessments for all vendors and technologies, especially remote access tools.
  • Automate processes: Use automation to streamline risk management and monitor vulnerabilities in real-time.
  • Improve collaboration: Break down departmental silos to create a unified approach to risk management, involving IT, procurement, and compliance teams.

Why is training healthcare staff on cybersecurity important?

  • A survey by Kaspersky revealed that 32% of healthcare workers have never received cybersecurity training, and 10% of managers are unaware of cybersecurity policies.
  • Training empowers employees to recognize and report suspicious activity, reducing the likelihood of successful attacks.
  • Awareness helps prevent human errors, such as clicking on phishing links or using weak passwords, which are common entry points for attackers.

How does risk assessment help combat ransomware?

  • Risk assessments identify vulnerabilities in technologies, vendors, and processes that attackers could exploit.
  • Regular re-assessments are essential as products and software updates may introduce new risks.
  • Comprehensive assessments ensure healthcare organizations are 100% risk-aware, mitigating the chances of overlooked vulnerabilities.

What are the long-term benefits of improving ransomware defenses?

  • Protects patient data and ensures continuity of care, even during a cyberattack.
  • Builds trust with stakeholders, including clinicians, patients, and the board, by demonstrating a commitment to cybersecurity.
  • Improves efficiency and reduces costs by automating risk management tasks and preventing breaches.
  • Enhances the organization’s overall cybersecurity posture, reducing vulnerabilities and ensuring regulatory compliance.

What is the ultimate goal for healthcare organizations in combatting ransomware?

  • To adopt robust cybersecurity measures that protect data and patient care while enabling the safe adoption of new technologies.
  • Foster a culture of risk awareness across the organization, ensuring all departments collaborate to identify and address potential threats.
  • Implement automation and training to streamline processes, reduce manual tasks, and improve response times to cybersecurity incidents.
