What is Red Teaming in Healthcare?  

AIM

In healthcare red teaming, ethical hackers (cybersecurity experts hired by the healthcare organization) attempt to infiltrate the organization’s network and discover weaknesses that would result in compromise if not remediated. Red teaming utilizes any and all methods of attack available to threat actors, including social engineering, advanced persistent threats (APTs), phishing, baiting, pretexting, malware, and even physical reconnaissance and compromise.  

Impact

Red teaming and adversary simulation allow highly targeted healthcare providers to run “fire drills” of a real-world attack. Last year, over 700 healthcare security incidents were reported to the US Department

of Health and Human Services Office for Civil Rights (HHS OCR), with roughly 186 million people affected. More regular red teaming in healthcare could bring down these numbers by showing healthcare data security teams where adversaries could successfully strike and warning them with enough time to fix it.

Challenges Specific to Healthcare  

The healthcare industry has always been a hot target for attackers. First, the amount of sensitive health information, also known as protected health information (PHI), stored within healthcare organizations is surpassed only by the amount of personally identifiable information (PII) stored along with it. Attackers targeting healthcare providers have a good chance of stealing both. However, PHI is more valuable on the black market, as the Center for Internet Security (CISA) notes, making it an even more lucrative part of the pie. According to the Infosec Institute, on underground criminal forums, PHI garners the highest price on the black market, above any other data, including credit card data and PII.  

Historical Context:

Before widespread digitization, sensitive healthcare records were difficult to steal. Kept on paper within file cabinets, doing so practically required a physical heist.

Current Reality:

Now, global connectivity, aided by the federal mandate to move towards electronic health records, has made scores of personal healthcare information available online. While this streamlines healthcare processes, provides additional convenience for patients, and even contributes to increased healthcare security, it also raises the possibility of PHI maliciously being accessed from anywhere.

Technology Outpacing Security:

In short, the bleeding edge of technology has melded with the healthcare sector in such a way that cybersecurity find it difficult to stay ahead of emerging issues. Not only are electronic health records at risk; many medical IoT devices become quick (and easy) targets for attackers taking advantage of still nascent (or nonexistent) internal healthcare data security controls. Medical IoT is one of the many areas in which technology has outstripped security, yet again.

Because of the risk of danger to not only patient privacy but human health, regulatory compliance is stringent in healthcare. HIPAA (Health Insurance Portability and Accountability Act) governs the safe usage, transfer, retrieval, and storage of PHI and medical records, and its Security Rule requires providers to secure patient privacy and ePHI (electronic PHI) via appropriate healthcare cybersecurity controls.

Business Case:

As healthcare systems consider the realities of operating on a fast-paced digital level, it is important to note organizations will incur more cost and reputational damage if they wait to invested in healthcare cybersecurity until after suffering a breach.

Cost Comparison:

The cost of the average global data breach clears $4.88 million, and $9.36 million in the US. In comparison, the average piece of enterprise-level security software can cost between a few thousand dollars and upwards of $100K for a one-time purchase. SaaS solutions and outsourced managed security services (MSS) can average several thousand dollars per month but still don’t approach the cost and damage inflicted by a breach.

Top Cyber Threats in Healthcare 

We know threat actors are after sensitive healthcare information, but how are they obtaining it? The HHS OCR reported that hacking and ransomware experienced exponential growth in recent years: 

  • Hacking | 239% increase  (2019-2023) 
  • Ransomware | 278% increase (2019-2023) 

The healthcare industry, like any other, faces a barrage of threats from without and within. Some, like attacks on third parties, reflect trends across sectors but hit healthcare especially hard. Others come with the territory. In recent years, specific threats to cybersecurity in healthcare have come to include:  

Third-party provider attacks

Get ready for another triple-digit figure: the number of individuals affected by cyberattacks on third-party healthcare providers rose to 287% between 2022 and 2023. The attack on Change Healthcare, for example, impacted a partner that provides no less than 100 critical services to the healthcare sector.

Attacks on easily accessible medical devices

Medical devices can be accessed remotely from anywhere if they lack the proper protection. With so many devices per patient bed (the average hospital has 10-15 per bed, so up to 15,000 for a 1,000-bed facility), ensuring all are properly encrypted and secure can be an overwhelming task).

Taking advantage of data accessibility

The need for accessible data puts PHI at risk. Patient data needs to be accessible immediately, remotely, and on multiple devices. While this is optimal for ideal patient care, the necessary ubiquity of digitized patient data undeniably increases the chances of attack.

Outdated technology at many healthcare facilities

Outdated tech like legacy systems or unsupported devices provide easy inroads for threat actors looking to leverage old vulnerabilities and launch widespread attacks. Overhauling (and relearning) all technical systems requires massive budget approvals and dedicated resources of time. In fast-paced environments where life-or-death decisions are made daily, hospitals and healthcare centers can’t afford to grind things to a halt; making progress in updating old systems slow. This makes them susceptible to stale vulnerabilities (63% of which can be found lurking in hospital networks).

There are countless opportunities for cybercriminals to take advantage of any weakness in the healthcare chain. When threat actors steal patient data, they can sell it for hundreds of times the going rate of non-medical information because of the numerous and lucrative things that can be done with it. PHI - like diagnoses, medications, and insurance details - has a longer “shelf life” than things like credit card numbers that can easily be changed or expire. This allows threat actors to exploit it for a longer amount of time. Additionally, PHI can be used to illicitly obtain medication, file fake medical claims, and more. 

Evaluate Your Safeguards for Patient Data

How would your infrastructure hold up against an attacker? Put your defenses to the test with Cobalt Strike.

Request a quote

Healthcare Cyberattack Statistics

How likely is an entity within the healthcare sector to experience a cyberattack? Very likely. A recent study indicated that 92% of all healthcare organizations were the victim of at least one cyberattack in the past year alone (up 4% from last year’s already high 88%). Average price tags of healthcare breaches were also high, averaging $9.77 million per incident for the industry in 2024.   

Individual costs

Individual costs were similarly high. The average healthcare organization suffered anywhere between $10,000 and $25 million in losses from their most expensive breach, with the highest expense stemming from system downtime during the incident. This follows an emerging trend of more sizable data breaches within the sector, such as the attack on Change Healthcare that affected over 100 million individuals. Based on success rates like these, and barring something changing the appeal of sensitive health-related information, it is likely that similar attacks will continue to harass the industry in 2025.

The Path Forward

If future cyberattacks are inevitable for healthcare entities, then the best way to meet them is fully prepared. Building a zero-trust foundation of healthcare information security from the ground-up might be thorough, but unrealistic given time and budget constraints given most healthcare groups. Strategically, organizations can quickly identify the weakest defenses (I.e., the ones that will be most attractive to threat actors) and start there, placing limited resources where they matter most.

The Tools

Offensive security techniques like red teaming and penetration testing can prove especially effective against high-cost, high-probability attacks. Penetration testing goes a step beyond identifying vulnerabilities alone and tells an organization which are the most likely to be compromised. This lets busy healthcare entities know where to focus their efforts. Red teaming pushes preparation even further by staging an all-out attack against an organization’s entire defensive force; technologies, tools, and teams. It not only reveals which healthcare security measures work under pressure, but how effectively your security experts operate when the stakes are high.

Key Terms to Remember

The Internet of Medical Things (IoMT), or medical IoT devices, are valuable targets for attackers. Plagued with at least 162 vulnerabilities, the IoMT consists of connected devices meant to support patient well-being – but can be co-opted to steal sensitive patient data, or worse. Here are some examples:

    • Smart Infusion Pumps | One study reports that 75% of smart infusion pumps (used to deliver exact medicine dosage to patients) have vulnerabilities that make them susceptible to attack.

    • MRI and CT Scanners | MRI and CT scanners are just two connected imaging systems used in healthcare. Research shows that 88% of organizations suffered at least one data breach in the past two years due to a vulnerability in a connected device.

    • Wearable Health Devices | Attackers can easily access and infiltrate unencrypted health information stored on wearable health devices (used to monitor heart rate, insulin levels, blood pressure, and more)

The HITECH Act (Health Information Technology for Economic and Clinical Health Act) aims to strengthen HIPAA’s ability to protect patient data in the digital era and encourages healthcare providers to adopt Electronic Health Records (EHR). The HITECH Act was passed in 2009 as part of the American Recovery and Reinvestment Act

The Personal Health Information Protection Act (PHIPA) is a healthcare information security regulation in Ontario, Canada that requires personal health information to be properly collected, used, and disclosed according to applicable patient privacy rights and standards, and mandates patient consent for the use and access of their medical records. Healthcare organizations operating within Ontario, Canada could be in violation of PHIPA policies if they fail to take the proper steps to secure patient healthcare data.

Personal Identifiable Information Security (PIIS) refers to the policies, regulations, practices, and data security measures in place to secure personal identifiable information. Because healthcare organizations store vast amounts of PII (alone, and associated with PHI), healthcare users are always a target of cybercriminal activities. Investing in a strong PIIS strategy will ensure that members of the healthcare sector stay compliant, protect patient privacy, and avoid costly breaches.

Protected healthcare information (PHI) refers directly to individually identifiable information handled by a covered entity under HIPAA. By law, PHI must be secured when stored, accessed, used, transmitted, or maintained. Because of security drift, what were HIPAA-compliant PHI controls today may lapse tomorrow. For that reason, it is crucial to healthcare cybersecurity to maintain updated healthcare security systems.


Be prepared with Cobalt Strike. 

Red teaming can uniquely prepare healthcare organizations by leveraging all methods of attack available to threat actors; from spear phishing executives to pretexting, BEC scams, phishing campaigns, AI-generated voice calls, hidden ransomware links,  and more. However, healthcare red teaming requires proper tools.  

Fortra’s Cobalt Strike, a sophisticated threat emulation tool, can be utilized by security teams of any maturity level to perform their own red team engagements and adversary simulations. It not only tests internal defenses but informs blue teams of security issues, so they are better prepared.