    Chris Harrop

    In two of the opening sessions of the Healthcare Cybersecurity Forum on March 3 at the 2025 HIMSS Global Conference in Las Vegas, representatives from a prominent health system and the chief technology officer of a Silicon Valley cloud data security and management firm took turns breaking down the high stakes and high probability of cyberattacks and ransomware – while also pointing to possible remedies when disaster strikes.

    Adopting an adversarial mindset

    Intermountain Health’s Shawn Anderson, director of the system’s Cybersecurity Data, Endpoint, and Application Protection team, and Erik Decker, vice president and chief information security officer (CISO), painted a bleak picture of the new threat environment facing multiple industries, including healthcare.

    Social engineering, third-party compromise and exploitation of system vulnerabilities are the usual paths intruders take to reach the systems that manage an organization’s IT. Whatever the initial foothold, the common next step is “privilege escalation”: starting from local admin rights on a workstation or device, the attacker compromises a server admin, then works up to domain and enterprise admin privileges that put the entire organization at risk.

    The speakers pointed to the recent release of BlackBastaGPT, an AI chatbot for threat intelligence researchers trained on leaked internal chats of the Black Basta ransomware group, as an illustration of how structured and repeatable these intrusion playbooks have become.

    Prompted, the chatbot trained on the group’s own conversations returned a structured plan: escalate privileges on the initial foothold, dump credentials from the compromised host, move laterally across the network authenticating as domain admins until the attacker holds full control of the domain, then deploy ransomware via Cobalt Strike.

    Anderson and Decker cited the ease of this approach for attackers as a key reason to adopt an “adversarial mindset”: understand the attacker’s strategies and tactics, then let them inform the security model. Older, established models such as Bell-LaPadula, which is built around enforcing access control, look in need of an update because they only “control up.” Bell-LaPadula prevents users from reading information classified above their clearance, but it says nothing about integrity: a compromised lower-level asset can still manipulate data, or capture the credentials of an administrator who logs on to it, and so reach the higher levels it is supposed to protect.

    Today, the Intermountain Health team applies the privileged access workstation (PAW) model: administrators work from hardened, isolated workstations, and accounts of one tier never log on to hosts of a lower tier, which blocks the hop from compromised workstation to server admin to domain admin that the chatbot example relied on.
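
    The tiering rule behind the PAW model can be checked against logon telemetry. The following is an added example, not code from Intermountain Health or from the talk; it assumes hypothetical host and account inventories and constructed logon events modeled loosely on Windows event 4624, and flags any credential-exposing logon of a higher-tier account onto a lower-tier host:

```python
"""Flag credential exposure across admin tiers in logon events.

Added example, not Intermountain Health's or Microsoft's code. It applies the
tiering rule from the talk: credentials of an account in one tier must never be
presented to a host in a lower tier (Tier 0 = identity and domain controllers,
Tier 1 = servers, Tier 2 = workstations). Host names, account names and the
events themselves are constructed for the example; the fields loosely mirror
a Windows 4624 logon event.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical inventories: lower number = more privileged tier.
HOST_TIER = {"DC01": 0, "PAW-T0-03": 0, "SQL-EHR01": 1, "WS-REG-114": 2}
ACCOUNT_TIER = {"da-jsmith": 0, "srv-jsmith": 1, "svc-backup": 1, "jsmith": 2}

# Logon types that leave reusable credential material on the target host:
# 2 interactive, 4 batch, 5 service, 10 remote interactive (RDP). A network
# logon (type 3) does not cache the credential on the target and is allowed.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 10}


@dataclass(frozen=True)
class LogonEvent:
    time: str
    account: str
    host: str
    logon_type: int


def tier_violation(ev: LogonEvent, host_tier=HOST_TIER, account_tier=ACCOUNT_TIER) -> Optional[str]:
    """Return a reason if the event breaks the tier rule, else None."""
    if ev.logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
        return None
    if ev.account not in account_tier or ev.host not in host_tier:
        # Unknown assets cannot be proven safe; surface them for triage.
        return f"unclassified account or host: {ev.account}@{ev.host}"
    acct, host = account_tier[ev.account], host_tier[ev.host]
    if acct < host:
        return (f"Tier {acct} account {ev.account} logged on to Tier {host} host "
                f"{ev.host} (logon type {ev.logon_type})")
    return None


def find_violations(events: List[LogonEvent], **kw) -> List[Tuple[LogonEvent, str]]:
    """All events that expose higher-tier credentials to a lower-tier host."""
    out = []
    for ev in events:
        reason = tier_violation(ev, **kw)
        if reason:
            out.append((ev, reason))
    return out


# Constructed sample events.
SAMPLE_EVENTS = [
    LogonEvent("2025-03-03T08:01:12Z", "jsmith", "WS-REG-114", 2),      # user on own workstation: fine
    LogonEvent("2025-03-03T08:15:40Z", "da-jsmith", "PAW-T0-03", 2),    # domain admin on a Tier 0 PAW: fine
    LogonEvent("2025-03-03T08:22:03Z", "da-jsmith", "WS-REG-114", 10),  # domain admin RDPs into a workstation: violation
    LogonEvent("2025-03-03T09:02:55Z", "srv-jsmith", "SQL-EHR01", 3),   # network logon: nothing cached, allowed
    LogonEvent("2025-03-03T09:10:00Z", "svc-backup", "WS-REG-114", 5),  # Tier 1 service account on a Tier 2 host: violation
    LogonEvent("2025-03-03T09:30:00Z", "contractor7", "SQL-EHR01", 2),  # account not in inventory: flagged for triage
]

if __name__ == "__main__":
    for ev, reason in find_violations(SAMPLE_EVENTS):
        print(ev.time, reason)
```

    Run as a script it prints the three findings. In practice the inventories come from the directory (admin group membership, OU placement) and the events from the SIEM, and the same rule should also be enforced preventively with logon-rights policy on each tier rather than only detected afterward.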

    Accelerating recovery with an “assume breach” mindset

    Josh Howell, chief technology officer of Rubrik, followed the Intermountain duo’s warnings with a talk on shifting from a prevention-only mindset to one that assumes an attack will happen and prepares for it.

    As Howell noted, ransomware attacks are no longer the rare “black swan” events they once were; they are regular occurrences with devastating consequences. Particularly concerning are increasingly common attempts to target organizations’ backup data: attackers go after backup systems because encrypting or destroying the copies removes the victim’s alternative to paying the ransom.

    Howell contrasted the 2024 CrowdStrike outage with ransomware attacks for good reason:

    • The CrowdStrike incident was highly disruptive but manageable, as organizations knew exactly what happened, when, and how to fix it.
    • In contrast, ransomware attacks involve uncertainty, making it difficult to know which systems are compromised and when the infection began.

    This uncertainty makes recovery far more challenging and time-consuming, highlighting the importance of detailed forensic analysis and robust recovery planning.

    A major theme of Howell’s talk was the concept of isolated recovery environments (IREs), which differ from traditional disaster recovery (DR) solutions. If an attacker compromises the production environment, the DR systems fall with it whenever the two share credentials or replication copies production data, including encrypted or backdoored files, into DR. An IRE must be completely separate: no shared credentials, no shared certificates, and no automatic replication from production.

    Organizations that fail to establish an IRE risk reinfecting themselves during recovery, making the process even more time-consuming and costly.

    Prioritizing critical applications for recovery

    Many healthcare organizations struggle to identify and prioritize critical applications during a cyberattack. Howell cited a real-world case in which a hospital’s ransomware recovery took four months because it had no clear map of its application dependencies.

    As an application recovery strategy, Howell encouraged organizations to define a core set of critical applications: those needed for patient intake; ordering tests and treatments; processing payroll; and, on the inpatient side, feeding patients.

    Howell acknowledged that interdependencies between applications complicate recovery, but a prioritized list reduces downtime and streamlines decision-making. Rapid recovery was on the minds of several attendees, who face an HHS-proposed HIPAA Security Rule update that would require restoring critical relevant electronic information systems and data within 72 hours of their loss.
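
    One way to turn a prioritized list into an actual restore sequence, as an added example that is not from Howell’s talk or from Rubrik: given the critical applications and a constructed, hypothetical dependency map, compute everything they transitively need, order it so dependencies come back first, group independent restores into parallel waves, and refuse to produce a plan when the dependency map contains a cycle.

```python
"""Order application recovery from a prioritized list and a dependency map.

Added example, not from Howell's talk or from Rubrik. A list of critical
applications plus a map of what each one depends on yields a recovery plan:
everything a critical app needs is pulled in transitively, each dependency is
restored before the apps that rely on it, apps with no remaining dependencies
are grouped into waves that can be restored in parallel, and a dependency
cycle is reported rather than silently producing a bad order. Application
names and dependencies are constructed for the example.
"""
from graphlib import CycleError, TopologicalSorter
from typing import Dict, List, Set

# Hypothetical dependency map: application -> services it cannot run without.
DEPENDENCIES: Dict[str, Set[str]] = {
    "ActiveDirectory": set(),
    "DNS": {"ActiveDirectory"},
    "PKI": {"ActiveDirectory"},
    "EHR-DB": {"ActiveDirectory", "DNS"},
    "EHR": {"EHR-DB", "PKI", "DNS"},
    "LIS": {"EHR-DB", "DNS"},
    "PatientIntake": {"EHR"},
    "LabOrders": {"EHR", "LIS"},
    "Payroll": {"ActiveDirectory", "DNS"},
    "Dietary": {"EHR"},
    "Intranet": {"DNS"},  # not critical: must stay out of the plan
}

# The core set from the talk: intake, orders, payroll, feeding inpatients.
CRITICAL_APPS = ["PatientIntake", "LabOrders", "Payroll", "Dietary"]


def required_closure(critical: List[str], deps: Dict[str, Set[str]]) -> Set[str]:
    """Critical apps plus everything they transitively depend on."""
    needed: Set[str] = set()
    stack = list(critical)
    while stack:
        app = stack.pop()
        if app in needed:
            continue
        needed.add(app)
        stack.extend(deps.get(app, set()))
    return needed


def recovery_waves(critical: List[str], deps: Dict[str, Set[str]]) -> List[List[str]]:
    """Restore waves: every app in wave N depends only on apps in earlier waves.

    Raises ValueError naming the cycle if the dependency map cannot be ordered.
    """
    needed = required_closure(critical, deps)
    # Sorted insertion keeps the output deterministic across runs.
    ts = TopologicalSorter({app: sorted(deps.get(app, set())) for app in sorted(needed)})
    try:
        ts.prepare()
    except CycleError as err:
        cycle = " -> ".join(err.args[1])
        raise ValueError(f"dependency cycle, cannot order recovery: {cycle}") from None
    waves: List[List[str]] = []
    while ts.is_active():
        ready = sorted(ts.get_ready())   # everything whose dependencies are all restored
        waves.append(ready)
        ts.done(*ready)
    return waves


def recovery_order(critical: List[str], deps: Dict[str, Set[str]]) -> List[str]:
    """Flat restore sequence derived from the waves."""
    return [app for wave in recovery_waves(critical, deps) for app in wave]


if __name__ == "__main__":
    for n, wave in enumerate(recovery_waves(CRITICAL_APPS, DEPENDENCIES), start=1):
        print(f"wave {n}: {', '.join(wave)}")
```

    The waves are what a recovery lead actually wants on the wall: identity first, then name resolution and PKI, then the databases and payroll in parallel, then the clinical applications that sit on top of them. Anything not reachable from the critical list (the intranet here) is deliberately left for later.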

    Echoing the Intermountain team’s “adversarial mindset,” Howell highlighted threat hunting as crucial in ransomware recovery because malware often resides in systems long before encryption begins.

    Threat hunting best practices

    • Identify the first appearance of malware before selecting a restore point.
    • Automate scanning of backups against known-bad file hashes and YARA rules (pattern-matching signatures that identify malware by its content).
    • Use forensic tools to analyze how files changed over time and pinpoint a clean recovery point.
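
    The three steps above, as an added example over constructed data rather than Rubrik’s or the speaker’s own tooling: each file in each backup snapshot is hashed and compared against a (constructed) known-bad hash set, checked against content rules (a minimal stand-in for YARA, which a real pipeline would invoke through yara-python), consecutive snapshots are diffed to show what changed, and the restore point chosen is the newest snapshot before malware first appears.

```python
"""Pick a clean restore point by scanning backup snapshots for malware.

Added example, not Rubrik's code. It demonstrates the hunting steps from the
talk over constructed snapshots: hash every file and compare against a
known-bad hash set, apply content rules (a minimal stand-in for YARA, which
would normally be run via the yara-python module), diff consecutive snapshots
to see what changed, and choose the last snapshot taken before the first
appearance of anything malicious. All paths, contents and hashes are constructed.
"""
import hashlib
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, bytes]          # path -> file contents at backup time


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed content rules; each stands in for a YARA rule with 'all of them'.
CONTENT_RULES = {
    "cobaltstrike_beacon_stub": [b"%%IMPORT%%", b"beacon.dll"],
    "ransom_note": [b"YOUR FILES ARE ENCRYPTED"],
}


def match_rules(data: bytes, rules=CONTENT_RULES) -> List[str]:
    """Names of rules whose strings all occur in data."""
    return [name for name, strings in rules.items() if all(s in data for s in strings)]


def scan_snapshot(snap: Snapshot, bad_hashes: Set[str], rules=CONTENT_RULES) -> List[Tuple[str, str]]:
    """(path, reason) for every file flagged by hash or by content rule."""
    hits = []
    for path, data in snap.items():
        digest = sha256(data)
        if digest in bad_hashes:
            hits.append((path, f"known-bad hash {digest[:12]}"))
        for rule in match_rules(data, rules):
            hits.append((path, f"rule {rule}"))
    return hits


def diff_snapshots(old: Snapshot, new: Snapshot) -> Dict[str, List[str]]:
    """Files added, removed or modified between two consecutive snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def first_infected_index(snapshots: List[Tuple[str, Snapshot]], bad_hashes: Set[str]) -> int:
    """Index of the earliest snapshot with a hit, or -1 if every snapshot is clean."""
    for i, (_, snap) in enumerate(snapshots):
        if scan_snapshot(snap, bad_hashes):
            return i
    return -1


def last_clean_restore_point(snapshots: List[Tuple[str, Snapshot]], bad_hashes: Set[str]):
    """Label of the newest snapshot taken before malware first appears.

    Returns None when even the oldest snapshot is infected: there is no safe
    restore point and the environment must be rebuilt rather than restored.
    """
    i = first_infected_index(snapshots, bad_hashes)
    if i == -1:
        return snapshots[-1][0]
    return snapshots[i - 1][0] if i > 0 else None


# Constructed snapshot series: a dropper lands on 03-03, encryption on 03-05.
DROPPER = b"MZ\x90\x00...%%IMPORT%%...beacon.dll..."
CLEAN_APP = {"C:/ehr/app.exe": b"MZ\x90\x00 ehr v4.2", "C:/ehr/config.ini": b"db=SQL-EHR01"}
BAD_HASHES = {sha256(b"MZ\x90\x00 old-tooling.exe")}   # constructed threat-intel entry
SNAPSHOTS = [
    ("2025-03-01", dict(CLEAN_APP)),
    ("2025-03-02", dict(CLEAN_APP)),
    ("2025-03-03", {**CLEAN_APP, "C:/Windows/Temp/svchost.exe": DROPPER}),
    ("2025-03-04", {**CLEAN_APP, "C:/Windows/Temp/svchost.exe": DROPPER,
                    "C:/Windows/Temp/old.exe": b"MZ\x90\x00 old-tooling.exe"}),
    ("2025-03-05", {"C:/ehr/app.exe.locked": b"\x00garbage", "C:/README.txt": b"YOUR FILES ARE ENCRYPTED",
                    "C:/Windows/Temp/svchost.exe": DROPPER}),
]

if __name__ == "__main__":
    idx = first_infected_index(SNAPSHOTS, BAD_HASHES)
    print("first infected snapshot:", SNAPSHOTS[idx][0], scan_snapshot(SNAPSHOTS[idx][1], BAD_HASHES))
    print("changes that introduced it:", diff_snapshots(SNAPSHOTS[idx - 1][1], SNAPSHOTS[idx][1]))
    print("restore from:", last_clean_restore_point(SNAPSHOTS, BAD_HASHES))
```

    The point of scanning the whole series rather than only the newest backup is the first step in the list: the dropper is present two days before any file is encrypted, so restoring from 03-04 would reintroduce the attacker’s foothold even though that snapshot still looks intact.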

    Working with incident response vendors

    Howell stressed the importance of knowing your incident response (IR) vendor before an attack happens. Many organizations know their cyberinsurance policy entitles them to an IR team, but do not know how to reach it, which delays critical decisions when time matters most.

    IR best practices:

    • Predefine vendor contacts and establish communication protocols.
    • Ensure offline access to incident response plans, as organizations often disconnect from the internet during an attack.
    • Work with cyber insurers and IR vendors to develop a clear response playbook.

    Written By

    Chris Harrop

    A veteran journalist, Chris Harrop serves as managing editor of MGMA Connection magazine, MGMA Insights newsletter, MGMA Stat and several other publications across MGMA.