Microsoft: Navigating the healthcare cyber threat landscape

During SANS CTI Summit Solutions Track 2025, Microsoft’s Director of Threat Intelligence Strategy, Sherrod DeGrippo, discussed the growing ransomware threat and its impact on patient care. These discussions included the increasing sophistication of cyber threats, the rise of ransomware-as-a-service (RaaS), and the financial burden on healthcare institutions.

What was said

According to DeGrippo, the emergence of RaaS has significantly increased the accessibility of sophisticated ransomware tools, allowing cybercriminals to launch attacks with little expertise. Some of the most notable threat actors targeting healthcare include:

• Lace Tempest: Operates using a RaaS model, allowing affiliates to easily deploy ransomware.
• Cadenza Tempest: Originally known for DDoS attacks, now shifting towards healthcare ransomware.
• Vanilla Tempest: Active since July 2022, this group uses INC ransomware procured via RaaS providers to encrypt critical patient data and demand ransom.
• Pro-Russian hacktivist groups: These financially motivated actors employ custom scripts and standard Windows tools to steal credentials, move laterally, and deploy ransomware. Ultimately, these groups overwhelm hospital systems and disrupt critical healthcare operations. 

By the numbers

In 2024 alone, 389 healthcare institutions in the US suffered ransomware attacks, placing the industry among the top 10 most impacted sectors.

The report also indicates that the average cost of downtime due to ransomware is $900K per day, with IBM estimating the total financial impact per ransomware incident to be nearly $11 million.

Furthermore, a 2023 study on ransomware attacks associated with disruptions at adjacent emergency departments in the US found ransomware attacks directly impact patient health and survival rates. More specifically, the study revealed:

• Stroke cases surged by 113.6% following ransomware incidents.
• Cardiac arrest cases increased by 81%, highlighting life-threatening delays caused by system disruptions.
• The rate of survival with favorable neurological outcomes declined from 40% pre-attack to just 4.5% during the attack.
• Ambulance arrivals increased by 35.2%, indicating system-wide strain on emergency services.
• Hospitals experiencing ransomware attacks saw a daily patient census increase of 15.1%, further burdening resources.

How healthcare organizations can improve cyber defenses

Healthcare organizations must develop an enterprise-wide cybersecurity strategy to combat the risk of ransomware attacks and improve their cyber defenses. Some of the actions include:

• Developing a cybersecurity team: Recruiting leadership, IT experts, compliance officers, and external consultants to oversee cybersecurity initiatives.
• Identifying the organization's security landscape: Gaining insight into vulnerabilities, regulatory requirements, and critical healthcare services that need protection.
• Employing data sources for threat intelligence: Using internal reports, patient information protection services, and external intelligence from cybersecurity firms.
• Frequently updating cybersecurity frameworks: Conducting quarterly or half-yearly to include the latest threat information and offer strong protection.

However, if in-house resources are limited, outsourcing cybersecurity expertise may be a viable solution to improve cyber defenses and protect patient lives.

Read also: HIPAA compliance in vulnerable communities

FAQs

What is ransomware?

Ransomware is malicious software that encrypts a victim's data, with attackers demanding payment to restore access or prevent data leaks.

What should I do if my data was exposed during a ransomware attack?

Affected individuals must monitor their financial accounts, change passwords, and use the identity theft protection services offered by the organization.

How can healthcare organizations prevent breaches?

They can adopt measures like multi-factor authentication, regular audits, employee training, and advanced encryption methods to protect patient data.

Learn more: HIPAA Compliant Email: The Definitive Guide