How to Prevent Ransomware in Healthcare: Best Practices for Hospitals and Clinics

Last Updated:
June 15, 2026

Key Takeaways:

  • Attackers increasingly use AI-driven phishing, RaaS models, and targeted tactics that exploit operational pressure—turning downtime into leverage that can impact patient care.
  • A defense-in-depth strategy—combining security awareness training, phishing-resistant MFA, identity and endpoint monitoring, segmentation, and resilient backups—is essential to stop modern attacks.
  • Legacy systems, IoMT devices, shared workstations, and third-party access expand the attack surface—making segmentation, Zero Trust access, and tested backup recovery critical for resilience.

Top ransomware threats in healthcare

Guarding against catastrophic ransomware attacks starts with understanding how professionalized ransomware groups have evolved from "spray and pray" tactics to sophisticated, targeted campaigns.

AI and phishing

Phishing remains one of the most reliable methods attackers have for getting initial access—this is especially true in a fast-paced hospital environment, where employees are under pressure and distracted.

Generative AI has made social engineering even more effective. Typical giveaways like grammatical errors have largely disappeared, while AI-assisted reconnaissance has enabled hyper-personalized messages by collecting organizational and personal details from social media and other public sources. According to the European Union Agency for Cybersecurity (ENISA), AI-supported phishing accounts for 80% of social engineering activity worldwide.

An emerging threat involves using deepfake technology to clone the voices or even video images of executives to trick employees into making wire transfers, resetting passwords, or granting higher privileges.

Threat-of-life ransomware

In a healthcare context, ransomware isn't merely a data crime; it's increasingly recognized as a threat to life. Today's attackers exploit the reality that downtime in healthcare can directly impact patient care and safety. Operational disruption can delay medical tests and procedures, increase medical errors, and necessitate diverting patients to other hospitals—leading to overcrowding. All of these contribute to increased mortality risk.

This "downtime pressure" is a highly effective leverage point, which attackers often further increase by setting short deadlines that force quick decisions by hospital boards.

911 and emergency service shutdowns

Increasingly, attackers are targeting 911 dispatch networks, especially smaller agencies that may have fewer cybersecurity resources. These attacks threaten to disable computer-aided dispatch (CAD) and radio communications, forcing dispatchers to use paper logs and manual radios, which increases response times when every second counts.


Key strategies for ransomware prevention

The best way to prevent ransomware attacks in hospitals is through "defense in depth." This layered approach ensures that if one control fails, others are in place to stop the attacker.

Security awareness training

Traditional, compliance-focused slideshows do little to reduce phishing susceptibility. Modern managed security awareness training (SAT) uses engaging storytelling and current threat intelligence to provide ongoing, relevant lessons that make a measurable impact. Realistic phishing simulations and just-in-time training ensure that employees connect threats to their day-to-day work, helping to build a first layer of human defense.

Strong identity protections

Across industries, hybrid workforces and cloud workspaces have put identity on the front lines. This is especially true in healthcare, where clinicians routinely access a large number of point-of-care workstations and administrative staff interact with hundreds of patients, insurers, and third-party services.

Enforced multi-factor authentication (MFA) is essential for protecting against credential misuse. Hospitals should go a step further with phishing-resistant MFA. These methods include passkeys, hardware keys (FIDO2 keys), or badge taps, which help ensure that even if an attacker steals a doctor's password, they are unable to take over the account.

Identity security posture management (ISPM) continuously monitors identities for risks like dormant accounts, excessive privileges, and misconfigurations so they can be addressed before attackers find them.

Identity threat detection and response (ITDR) provides detection and response for accounts, credentials, and directory systems. ITDR monitors for signs of identity misuse, including impossible travel, privilege escalation, and suspicious token usage. It can then issue automatic step-up security challenges or isolate the account.
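The impossible-travel signal mentioned above can be sketched as follows. This is an added example, not Huntress code: the event fields, the 900 km/h speed ceiling, the 100 km noise floor, and the sample sign-ins are all assumptions constructed for illustration.

```python
"""Impossible-travel check over sign-in events (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    city: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=100.0):
    """Return (previous, current, implied_kmh) for consecutive sign-ins by the
    same user that would require travelling faster than max_kmh."""
    findings = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = ev
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if km < min_km:  # same metro area or geo-IP jitter: ignore
            continue
        hours = (ev.when - prev.when).total_seconds() / 3600
        kmh = float("inf") if hours == 0 else km / hours
        if kmh > max_kmh:
            findings.append((prev, ev, kmh))
    return findings


# Constructed sample sign-ins (not real telemetry).
SAMPLE = [
    SignIn("dr.lee", datetime(2026, 3, 2, 8, 0), 41.88, -87.63, "Chicago"),
    SignIn("dr.lee", datetime(2026, 3, 2, 8, 40), 44.43, 26.10, "Bucharest"),
    SignIn("rn.cho", datetime(2026, 3, 2, 7, 0), 41.88, -87.63, "Chicago"),
    SignIn("rn.cho", datetime(2026, 3, 2, 19, 0), 40.71, -74.01, "New York"),
    SignIn("rn.cho", datetime(2026, 3, 2, 19, 5), 40.73, -73.99, "New York"),
]

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE):
        print(f"{cur.user}: {prev.city} -> {cur.city} implies {kmh:,.0f} km/h")
```

A finding like this would feed the step-up challenge or account isolation described above; VPN egress points and geo-IP errors are the usual sources of false positives to tune for.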

Continuous endpoint hardening & monitoring

Modern cybersecurity is complex enough without inviting attackers in. It's easy for misconfigurations, unpatched software, unauthorized applications, and other vulnerabilities to creep in across an organization's ever-increasing number of endpoints. Just as ISPM hardens identities, endpoint security posture management (ESPM) proactively seeks out security gaps so teams can close them before adversaries exploit them.

With today's sophisticated threats, modern defense can't stop at prevention. Attackers increasingly use stealth techniques like polymorphic or fileless malware and living off the land (LotL) to evade detection. Traditional antivirus (AV) is a valuable first layer of protection, but it mostly focuses on looking for known malware signatures and will often miss customized malware. AV must be layered with a tool that monitors behaviors, such as endpoint detection and response (EDR).

EDR monitors workstations, laptops, servers, and other devices for unusual behaviors, such as a PDF reader spawning PowerShell or rapid file encryption. EDR can automatically kill the process and isolate the device to prevent the attack from spreading.
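The two behaviors named above, a PDF reader spawning PowerShell and rapid file rewriting, can be expressed as simple rules over endpoint events. This is an added example, not Huntress code: the event schema, process lists, thresholds, and sample events are assumptions constructed for illustration, and write volume is used here as a stand-in for encryption activity.

```python
"""Two behavioural rules over constructed endpoint events (not real telemetry)."""
from collections import defaultdict, deque

# Illustrative lists; a production rule set would be broader.
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def reader_spawned_shell(ev):
    """True when a document reader is the parent of a script host."""
    return (ev["type"] == "process_start"
            and basename(ev["parent"]) in DOCUMENT_READERS
            and basename(ev["image"]) in SCRIPT_HOSTS)


def mass_rewrite_pids(events, threshold=20, window_s=10.0):
    """PIDs that wrote at least `threshold` distinct files within window_s seconds."""
    recent = defaultdict(deque)  # pid -> deque of (timestamp, path)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "file_write":
            continue
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window_s:
            q.popleft()  # drop writes that fell out of the sliding window
        if len({path for _, path in q}) >= threshold:
            flagged.add(ev["pid"])
    return flagged


def detect(events):
    """Return (rule_name, pid) alerts; a real EDR would then kill or isolate."""
    alerts = [("reader_spawned_shell", ev["pid"]) for ev in events
              if reader_spawned_shell(ev)]
    alerts += [("mass_file_rewrite", pid) for pid in sorted(mass_rewrite_pids(events))]
    return alerts


# Constructed events: one suspicious chain (pid 4120) and two benign processes.
SAMPLE = (
    [{"type": "process_start", "ts": 99.0, "pid": 4120,
      "parent": r"C:\Program Files\Adobe\AcroRd32.exe",
      "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
     {"type": "process_start", "ts": 50.0, "pid": 2200,
      "parent": r"C:\Windows\explorer.exe",
      "image": r"C:\Program Files\Office\WINWORD.EXE"}]
    + [{"type": "file_write", "ts": 100 + i * 0.2, "pid": 4120,
        "path": rf"D:\scans\study_{i}.dcm"} for i in range(25)]
    + [{"type": "file_write", "ts": 100 + i * 10.5, "pid": 3300,
        "path": rf"E:\backup\chunk_{i}.bak"} for i in range(25)]
)

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE):
        print(f"ALERT {rule} pid={pid}")
```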

Segmentation of critical systems

Network segmentation is a crucial strategy for containing the possible blast radius of an attack. It operates like the separate watertight compartments of a ship's hull, which can be sealed off to prevent the ship from sinking in the event of a breach.

This is especially critical to reduce ransomware risk in healthcare settings, where many internet of medical things (IoMT) devices, like infusion pumps, are difficult to patch. Medical equipment should be contained to its own virtual local area network (VLAN), as should administrative (billing portals), clinical (EHR servers), and public environments.

Backup testing

In ransomware attacks, backups are the ultimate insurance policy—which is why attackers increasingly target them. Defenders counter this by following the "3-2-1-1-0 rule."

  • 3 total copies of data
  • 2 different media types
  • 1 offsite copy
  • 1 offline (air-gapped/immutable) copy
  • 0 errors during automated backup testing

The keys to this strategy are the immutable copy—meaning it can't be changed or deleted until a set period has passed—and periodically testing backups to ensure recovery.


Operational challenges

Hospitals face a unique challenge in balancing patient care with security. When security adds too much friction, staff will find workarounds, like taping passwords to monitors or leaving sessions logged in after they walk away. "Tap-and-go" proximity badges can help with this, but come with their own challenges (see below). Security plans must also include "break-glass" procedures that allow immediate access for emergencies. These should trigger a high-priority alert and automatic audit to ensure proper usage.

Legacy systems and medical devices also introduce numerous potential vulnerabilities. Expensive MRI and CT scanners often run on outdated operating systems that can't be patched or run EDR. These have to be secured through measures like segmentation and strict firewalls.

In the wake of a breach, HIPAA compliance failures may add steep fines on top of expensive remediation, notification costs, and reputational damage. A "Tier 4" violation (willful neglect not corrected) can carry an annual penalty cap of over $2 million per violation category. Additionally, proposed updates to the HIPAA Security Rule aim to strengthen many requirements.

However, if an organization can prove it implemented "recognized security practices"—such as the HHS's Health Industry Cybersecurity Practices (HICP)—for at least 12 months before a breach, the Office for Civil Rights (OCR) may reduce fines and shorten investigations.


Where risk increases

Hospitals face additional cybersecurity challenges from the volume of physical and digital traffic they deal with.

Doctors, nurses, and administrative staff often use shared computers and tap-and-go badges to log in quickly. If a badge is left in a lab coat or on a counter, a bad actor can pick it up and access sensitive data. Proximity badges can balance speed and security with an "MFA-lite" approach (e.g., requiring a PIN every four to eight hours). Systems should also be configured to automatically lock the screen when the badge's signal is no longer detected.

A hospital's security is only as strong as its weakest vendor. Because third parties like billing companies and transcription services have remote access to hospital networks, attackers could potentially piggyback on the vendor's legitimate access. Hospitals can guard against this by adopting a Zero Trust model, using controls such as least privilege, identity-based access, or just-in-time access.


How Huntress supports hospital ransomware protection

The Huntress Agentic Security Platform empowers healthcare organizations to educate teams, harden identities and endpoints, and detect and respond to threats quickly—containing ransomware attacks before they get off the ground. Plus, it's all backed by a 24/7, expert-led security operations center (SOC).
