The healthcare sector continues to be a prime target for cyber adversaries, with threat actors constantly evolving their tactics to exploit vulnerabilities. Over the past year, CrowdStrike Services responded to a growing number of financially motivated attacks aimed at encrypting data and extorting victims across the healthcare ecosystem. Notably, the tactics and techniques employed by threat actors have been unusually consistent across various healthcare entities, including hospitals, pharmaceutical companies, health insurance firms, and patient clinics.

Organizations in the expanding healthcare ecosystem are under mounting pressure to balance business growth, regulatory compliance, and the need for technology innovation while providing protections in an increasingly hostile threat landscape.

This blog explores CrowdStrike’s frontline observations across multiple incidents, the unique risks facing healthcare organizations, the adversary tradecraft we’ve seen, and practical steps to strengthen cybersecurity readiness.

Unique Threats Facing Healthcare

Ransomware and data extortion remain the most common threat facing the healthcare sector, often forcing hospitals and clinics to delay or divert care. According to investigations by CrowdStrike Counter Adversary Operations and analysis of incident responses by CrowdStrike Services, the big game hunting (BGH) adversaries that most frequently targeted healthcare sector victims were affiliates of MASKED SPIDER (BianLian), ROYAL SPIDER (BlackSuit), TRAVELING SPIDER (INC), BITWISE SPIDER (LockBit BLACK/RED/GREEN), FROZEN SPIDER (Medusa), and VICE SPIDER (Rhysida).[2]

Between November 2023 and November 2024, CrowdStrike observed a 50% increase in access credentials advertised for sale that specifically targeted healthcare entities — a clear indicator of rising demand among cybercriminals.[2]

Mergers and acquisitions (M&A) activities and provider consolidation continue to be a key business driver and cornerstone growth strategy of the healthcare sector. According to Bain & Company, “Participation in the M&A market has long been a strong indicator of success in this industry … larger than any other industry, highlighting the importance of M&A to total share returns in healthcare.”[1]

Despite the emphasis on cybersecurity due diligence, successfully integrating multiple technology environments post-acquisition remains one of the most persistent risk areas. This challenge is a leading contributor to the network intrusions observed by CrowdStrike Services.

In one incident handled by CrowdStrike Services, the adversary gained initial access to the victim environment through a recently acquired entity’s remote access solution. The acquiring entity’s technology team was operationally responsible for 20+ Active Directory (AD) domains, all connected with two-way, transitive trusts so that shared resources could be accessed across multiple acquired business entities. The adversary abused the lapse in enforced controls within the acquired entity’s environment to extract data from the core organization and perform data extortion against the victim organization — threatening the release of damaging information in exchange for a hefty payment.

In parallel, distributed workforces and heavy reliance on remote access tools create a broader attack surface. In hospitals and health systems, operational continuity depends on virtual desktop infrastructure (VDI) and other remote access technologies. Unfortunately, adversaries increasingly exploit identity credentials in these environments.

In another incident CrowdStrike Services responded to, an adversary used valid credentials to log into a healthcare organization’s VDI environment. From this foothold, they performed local credential extraction, conducted reconnaissance and mapped the environment, and exfiltrated sensitive data before deploying ransomware. This “double extortion” tactic disrupted care delivery and pressured the organization to pay the demand to restore operations.

This was further demonstrated in another incident CrowdStrike Services responded to, where the threat actor targeted the healthcare organization’s Microsoft Azure environment. In this case, the threat actor accessed Azure after socially engineering the organization’s help desk into changing the password and multifactor authentication (MFA) phone number of a user in the Billing and Claims department. Once authenticated to Azure, the threat actor navigated to the victim user’s SharePoint and email mailboxes in M365, and accessed and downloaded emails and files containing sensitive protected health information (PHI).

The above example emphasizes the need for strict verification controls in help desk operations, specifically when receiving a request to reset or change MFA information such as phone numbers, tokens, or devices.

While securing sensitive data and maintaining secure operations should always be top of mind for healthcare CISOs, HIPAA rules and regulations must also be continuously in focus as they relate to cybersecurity.

HIPAA Security and Breach Notification Rules

Maintaining HIPAA compliance adds additional pressure on healthcare CISOs and CIOs — especially when faced with today’s complex and fast-moving threats.

Beyond the immediate risks of a breach, healthcare organizations must also comply with HIPAA regulations. HIPAA requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Key requirements include:

  1. Risk Analysis and Management: Conducting a risk analysis to identify potential risks and vulnerabilities to ePHI and implementing appropriate security mitigations
  2. Administrative Safeguards: Policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI
  3. Physical Safeguards: Protecting the physical location of information systems from natural and environmental hazards and intrusion
  4. Technical Safeguards: Technology and related policies and procedures that protect ePHI and control access to it

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to provide notification following a breach of PHI. The key requirements include:

  1. Notification to Individuals: Informing affected individuals of the breach without unreasonable delay and no later than 60 days after discovery
  2. Notification to HHS: Reporting breaches to the U.S. Department of Health and Human Services (HHS)
  3. Notification to the Media: If the breach affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets

How CrowdStrike Can Help

Organizations that adopt a proactive cybersecurity approach through risk assessments, response exercises, exposure management, and more will typically face a lower risk and a lower impact from a breach. CrowdStrike recommends the following steps for healthcare organizations.

In-Depth Cybersecurity Review

CISOs should strive to perform assessments on at least an annual basis. Their review should cover not only traditional endpoints such as laptops and servers but also cloud planes and SaaS applications, and should consider the risks associated with assets beyond the organization’s control.

Organizations should consider implementing individual assessments for each data plane — for example, on-premises, IaaS, and SaaS. These assessments should review all facets of information security, including direct and third-party access and configuration controls, data storage protections, and detection and response technologies.

CrowdStrike Services performs Cybersecurity Maturity Assessments for organizations that, for example, discover a third-party business partner doesn’t use MFA when connecting to their environment. Our Cloud Security Assessments identify issues in the cloud plane such as misconfigurations, overly permissive network groups, and legacy authentication protocols still in use.

Zero Trust Approach

The Zero Trust concept should be implemented wherever possible. Organizations should consider performing an identity-focused assessment to understand what trusts are in place and what their identity risk is. CrowdStrike Services performs Identity Security Assessments to help organizations understand their existing domain configurations, identity hygiene, and the identity attack paths attackers use for privilege escalation and lateral movement.

Enforced vs. In Use

CrowdStrike Services has performed assessments and investigations for organizations in every vertical that have relied on policies and configurations that are in use or available, but not enforced. Our investigations show threat actors have taken advantage of non-enforced configurations and of environment exceptions that circumvent access controls: for example, not blocking weak MFA methods such as SMS, exempting trusted locations from MFA, or never rotating API keys. These policies create indefensible scenarios for all organizations.

Business Continuity Planning

Continuing care and recovering quickly during an incident is top of mind for healthcare CIOs and CISOs. Having a Business Continuity Plan (BCP) isn’t enough — it must be tested for feasibility. In some incident response investigations performed by CrowdStrike Services, healthcare organizations had not tested their BCP operations and were caught “flat-footed” after systems and operations were halted by encryption and their backups were deleted by the threat actor.

Organizations should consider the following questions when building or refining their BCP:

  • How does business resume if a threat actor brings down the entire virtualized environment by encrypting its hypervisors?
  • Which mission-critical systems, applications, and/or devices run on those virtualized servers?
  • Are there immutable or network-segmented backups that require separate MFA to access?
  • How quickly can the organization onboard incident response firms, recovery firms, and external counsel to assist with investigation, containment, and recovery?

Assessments and Testing

If an organization has performed regular assessments, then a tabletop exercise, interactive Live Fire, or Red Team/Blue Team exercise is encouraged. These initiatives allow teams to execute their organization’s response plans and practices, identify and correct gaps in coverage and response, and put the security team and the plan through a thorough stress test.

Incident Response

Having an incident response firm on retainer is the best way to stop the bleeding and start the healing after an incident. CrowdStrike Services has responded to countless organizations in the healthcare industry, ensuring a holistic approach to the investigation, remediation, recovery, and assessment process to maximize operational efficiency and minimize security risks.

In Summary

These recommendations will help minimize the risk and impact of an attack on organizations in the healthcare industry.

1. Bain & Company, Global M&A Report 2025, p. 58: https://www.bain.com/globalassets/noindex/2025/bain_report_global_m_and_a_report_2025.pdf
2. CrowdStrike Counter Adversary Operations 2024 trend data