Healthcare has always been prepared for cyber disruptions, but the playing field has changed drastically. Attackers can move faster, acquire capabilities more easily, and exploit numerous entry points into organizations.
The emergence of ransomware-as-a-service has changed the game for cybercriminals. They no longer need to be tech geniuses; they can buy the tools they need and target organizations with minimal effort. While older tactics like phishing and identity theft are still common, the way these methods connect is becoming more sophisticated. Weaponization of zero-day vulnerabilities can occur within hours, while broader vulnerabilities can be exploited in minutes.
In the healthcare sector, teams are struggling to keep up with the constant stream of alerts and incidents. Recent polling from Fortified shows the gap: only 5% of respondents feel very confident in their organization’s ability to recover from a major cyber incident, while 40% acknowledge that their vulnerability management programs are lagging.
Healthcare requires an updated approach to tackle the speed, scale, and complexity of cyber threats.
A Look at What Has Changed
Threats have not changed in one clear direction; they’ve advanced in several ways at once.
AI is changing the timeline. Attackers can identify, test, and adapt faster. That puts more pressure on vulnerability management, detection, and decision-making.
Ransomware-as-a-service is changing who can attack. More actors can launch more capable attacks without having to build every tool themselves.
Identity is becoming a favorite method to get in the “front door”. Attackers do not always need to break in when they can log in, reset credentials, abuse remote access, or use trusted accounts.
Third-party access is changing the perimeter. Vendor connections, business associates, support portals, and cloud platforms are part of the healthcare attack surface.
Legacy systems continue to increase the likelihood of an incident. Healthcare can’t always patch, reboot, or replace systems on demand. That means plans must include segmentation, compensating controls, and accepted-risk decisions.
Why It Matters Now
The next healthcare cyberattack might catch teams off guard with its tactics. When an attack comes to light, organizations will have to make quick and smart decisions about what to isolate first, what to restore, and how to keep leaders and clinicians in the loop.
To stay one step ahead, healthcare leaders should map out escalation paths, identify critical systems, and designate who is authorized to accept risk and make key decisions, so that their teams are empowered to act effectively.
Ultimately, the goal is to create a strategy that enables decisive, efficient responses under pressure.
What Leaders Should Ask
- Does our cyber plan account for AI-driven speed and faster vulnerability weaponization?
- Are we planning for ransomware-as-a-service, or only traditional ransomware?
- Which attack paths worry us most today: identity, remote access, vendors, exposed systems, or phishing?
Threats To Be Aware Of
FortiBleed: Working Credentials Exposed for Fortinet Firewalls
Overview:
FortiBleed involves a validated set of working credentials associated with internet-facing Fortinet FortiGate and SSL-VPN devices. This is not a traditional vulnerability; there is no Common Vulnerabilities and Exposures (CVE) identifier and no patch available. Fortinet’s bulletin recommends that organizations with internet-facing FortiGate or SSL-VPN devices assume they are exposed and immediately rotate administrative and VPN credentials.
Healthcare Impact:
Healthcare organizations depend on edge devices for remote access, vendor support, and network segmentation. If an attacker obtains valid firewall or VPN credentials, they could gain unauthorized access to clinical networks and downstream systems before any malware is detected. Administrative access to FortiGate devices can also enable control over firewall policies and routing into clinical environments.
Recommended Actions:
Immediately rotate all administrative, VPN, service, and emergency (break-glass) credentials. Enforce multi-factor authentication (MFA) for SSL-VPN and administrative access, remove management interfaces from the public internet, and review FortiGate admin and SSL-VPN logs for any unusual activity. Treat this situation as a critical (P1) credential exposure event, rather than a routine password reset.
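The log review step above is the one most teams skip under time pressure. The following Python script is an added example (not Fortified's code and not a Fortinet tool) of the triage a responder could run over exported FortiGate admin and SSL-VPN event logs after a credential exposure. The sample lines are constructed, modelled on FortiGate's key=value event-log layout (type/subtype/action/status/user/srcip/remip); the management network, business hours, failure threshold and account-naming convention are assumptions to adjust for your environment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Field names follow the common FortiOS key=value
# conventions; device name, addresses, users and timestamps are invented.
SAMPLE_LOG = """\
date=2026-05-04 time=02:14:07 devname="fgt-edge-01" type="event" subtype="system" action="login" status="failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 method="https" reason="passwd_invalid"
date=2026-05-04 time=02:14:09 devname="fgt-edge-01" type="event" subtype="system" action="login" status="failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 method="https" reason="passwd_invalid"
date=2026-05-04 time=02:14:12 devname="fgt-edge-01" type="event" subtype="system" action="login" status="success" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 method="https" profile="super_admin"
date=2026-05-04 time=02:20:41 devname="fgt-edge-01" type="event" subtype="system" action="Edit" status="success" user="admin" cfgpath="firewall.policy" cfgobj="42" msg="Edit firewall.policy 42"
date=2026-05-04 time=09:03:15 devname="fgt-edge-01" type="event" subtype="system" action="login" status="success" user="netops" ui="https(10.20.0.15)" srcip=10.20.0.15 method="https" profile="super_admin"
date=2026-05-04 time=03:31:50 devname="fgt-edge-01" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="vendor-svc" group="vendor-remote" remip=203.0.113.77 reason="login successfully"
date=2026-05-04 time=11:05:02 devname="fgt-edge-01" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="j.doe" group="clinical-staff" remip=192.0.2.10 reason="login successfully"
"""

# key=value pairs; values are either "quoted strings" or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumptions: where admin sessions are allowed to originate, when clinical
# business hours are, and how many failures before a success look like guessing.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = (7, 19)
FAIL_THRESHOLD = 2
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn one FortiGate key=value line into a dict with quotes stripped and a parsed timestamp."""
    rec = {}
    for key, value in KV_RE.findall(line):
        rec[key] = value[1:-1] if value.startswith('"') else value
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.fromisoformat(f'{rec["date"]}T{rec["time"]}')
    return rec


def from_mgmt(ip):
    """True if the address is inside an assumed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETWORKS)


def triage(log_text):
    """Return (severity, reason, record) findings, in time order, for admin and SSL-VPN events."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r.get("ts", datetime.min))
    findings = []
    recent_fails = defaultdict(list)   # (user, srcip) -> timestamps of failed logins
    suspicious_admins = set()          # admins whose login already raised a finding

    for rec in records:
        sub, action, status = rec.get("subtype"), rec.get("action"), rec.get("status")
        if sub == "system" and action == "login":
            key = (rec.get("user"), rec.get("srcip"))
            if status == "failed":
                recent_fails[key].append(rec["ts"])
                continue
            # success: count failures inside the window, then reset
            fails = [t for t in recent_fails[key] if rec["ts"] - t <= FAIL_WINDOW]
            recent_fails[key] = []
            if len(fails) >= FAIL_THRESHOLD:
                findings.append(("high", f"{len(fails)} failed logins then success for {key[0]} from {key[1]}", rec))
                suspicious_admins.add(key[0])
            if not from_mgmt(rec.get("srcip", "")):
                findings.append(("high", f"admin login for {key[0]} from non-management address {key[1]}", rec))
                suspicious_admins.add(key[0])
        elif sub == "system" and action in {"Add", "Edit", "Delete"}:
            # a policy or routing change by an account we already distrust
            if rec.get("user") in suspicious_admins:
                findings.append(("critical", f"config change '{rec.get('msg', action)}' by {rec.get('user')} after suspicious login", rec))
        elif sub == "vpn" and action == "tunnel-up":
            user = rec.get("user", "")
            hour = rec["ts"].hour
            off_hours = not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])
            if off_hours and (user.endswith("-svc") or rec.get("group") == "vendor-remote"):
                findings.append(("medium", f"off-hours SSL-VPN login by vendor/service account {user} from {rec.get('remip')}", rec))
    return findings


if __name__ == "__main__":
    for severity, reason, rec in triage(SAMPLE_LOG):
        print(f"[{severity.upper():8}] {rec['ts']:%Y-%m-%d %H:%M:%S} {reason}")
```

On the constructed sample this yields four findings: the failed-then-successful admin login from a non-management address (two findings), the firewall policy edit that follows it, and the off-hours vendor VPN session. Real exports will need the threshold and the network list tuned, and any hit on a config change should be confirmed against the device's configuration revision history before rollback.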
Questions to Ask Your Team:
- Do we know every internet-facing Fortinet asset in our environment?
- Have all administrative and VPN credentials been rotated?
- Are Fortinet VPN and admin logins protected by MFA?
Nightmare Eclipse: Seven Windows Zero-Days
Overview:
Nightmare Eclipse included several public proof-of-concept exploits targeting essential Windows security components, including Microsoft Defender, BitLocker, and Windows kernel drivers. Some of these exploits were confirmed to be used in attacks, while others had publicly available exploit code.
Healthcare Impact:
Windows endpoints are essential to healthcare operations, serving a range of functions, from clinical workstations and shared devices to administrative endpoints and mobile systems. Vulnerabilities that enable SYSTEM-level access, evade Defender security controls, or bypass BitLocker can heighten risks across these endpoints, affecting care delivery, business operations, and privileged access processes.
Recommended Actions:
Apply the June 2026 Patch Tuesday updates immediately. Verify that the Microsoft Defender platform versions are up to date. Audit mobile and portable devices for BitLocker vulnerabilities, and inventory Windows 10 devices that may no longer receive security patches. For any device that cannot be patched, apply application allow-listing as a compensating control and monitor for any additional disclosures.
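To turn the inventory steps above into a repeatable check, the following Python script is an added example (not Fortified's code) that classifies an endpoint inventory export and produces the list of hosts needing compensating controls. The CSV columns and every row are constructed; the Defender platform minimum is a placeholder to be set from Microsoft's current release notes. The Windows 10 / Windows 11 boundary at build 22000 is a known fact about Windows version numbering.

```python
import csv
import io

# Windows 11 builds start at 22000; a lower build on kernel 10.0 is Windows 10.
WIN11_FIRST_BUILD = 22000
# PLACEHOLDER: minimum Defender platform version your baseline requires.
MIN_DEFENDER_PLATFORM = "4.18.26040.0"
PORTABLE = {"laptop", "tablet"}

# Constructed inventory export; columns are assumed, hostnames and versions invented.
SAMPLE_INVENTORY = """\
hostname,os_version,defender_platform,form_factor,bitlocker
ws-er-04,10.0.19045.5011,4.18.26040.0,desktop,on
lt-rounds-12,10.0.22631.3880,4.18.25110.0,laptop,off
ws-lab-02,10.0.19045.4412,4.18.26040.0,desktop,off
tab-icu-07,10.0.22631.3880,4.18.26040.0,tablet,on
ws-imaging-01,10.0.17763.6054,4.18.23050.0,desktop,on
"""


def version_tuple(s):
    """Compare dotted versions numerically, not as strings (4.18.9 < 4.18.10)."""
    return tuple(int(p) for p in s.strip().split("."))


def classify(row):
    """Return the findings for one inventory row."""
    findings = []
    major, minor, build, *_ = version_tuple(row["os_version"])
    if (major, minor) == (10, 0) and build < WIN11_FIRST_BUILD:
        findings.append("windows10-may-be-unpatchable")
    if version_tuple(row["defender_platform"]) < version_tuple(MIN_DEFENDER_PLATFORM):
        findings.append("defender-platform-outdated")
    if row["form_factor"].lower() in PORTABLE and row["bitlocker"].lower() != "on":
        findings.append("portable-without-bitlocker")
    return findings


def triage(inventory_csv):
    """Map hostname -> findings for every host with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = classify(row)
        if findings:
            report[row["hostname"]] = findings
    return report


def allowlist_candidates(report):
    """Hosts that cannot be patched and therefore need application allow-listing."""
    return sorted(h for h, f in report.items() if "windows10-may-be-unpatchable" in f)


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for host, findings in sorted(report.items()):
        print(f"{host:16} {', '.join(findings)}")
    print("allow-listing scope:", ", ".join(allowlist_candidates(report)))
```

Feed it the export from whatever endpoint management platform you use; the point of keeping the checks in `classify` is that each of the three questions below maps to one finding name, so the answer can be reported per host rather than argued from memory.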
Questions to Ask Your Team:
- Are all Windows endpoints patched for the June updates?
- Are Defender platform versions current across the environment?
- Do we know which devices can’t be patched?
Domain Controller Patching Required: Netlogon RCE Under Active Exploitation
Overview:
CVE-2026-41089 is a critical vulnerability in Windows Netlogon that allows for remote code execution and is currently being exploited. An attacker with network access to a domain controller can execute code as the SYSTEM user without needing credentials or any user interaction.
Healthcare Impact:
Domain controllers sit at the center of identity, authentication, and access control. A successful compromise can enable credential harvesting, ransomware deployment, and broader disruption across domain-joined systems.
Recommended Actions:
Apply the May 2026 cumulative update to all domain controllers in a single maintenance window. Restrict inbound Netlogon and RPC traffic to trusted sources, review domain controller access from VPN and remote access infrastructure, and monitor for Netlogon crashes, unusual RPC traffic, new privileged accounts, and unexpected VSS activity.
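The monitoring list above (Netlogon crashes, RPC from untrusted sources, new privileged accounts, unexpected VSS activity) can be expressed as detection rules. The Python script below is an added example (not Fortified's code) that applies those rules to a constructed batch of Windows events and ranks hosts for isolation. The event records are invented and simplified; the event IDs used are the standard Windows ones (7031/7034 service terminated unexpectedly, 5156 Filtering Platform connection permitted, 4720 account created, 4728/4732/4756 member added to a security group, 4688 process creation), and the trusted network and privileged-group list are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed: networks allowed to reach domain controller RPC endpoints.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
GROUP_ADD_IDS = {4728, 4732, 4756}   # member added to global / local / universal security group
SERVICE_CRASH_IDS = {7031, 7034}     # System log: service terminated unexpectedly
NEW_ACCOUNT_WINDOW = timedelta(hours=24)

# Constructed, simplified event records (real exports carry many more fields).
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T01:58:10", "channel": "System", "id": 7034, "host": "dc01", "service": "Netlogon"},
    {"ts": "2026-05-04T01:58:12", "channel": "Security", "id": 5156, "host": "dc01",
     "direction": "inbound", "src": "198.51.100.40", "dst_port": 135},
    {"ts": "2026-05-04T02:03:44", "channel": "Security", "id": 4720, "host": "dc01", "target": "svc-backup2"},
    {"ts": "2026-05-04T02:04:01", "channel": "Security", "id": 4728, "host": "dc01",
     "member": "svc-backup2", "group": "Domain Admins"},
    {"ts": "2026-05-04T02:09:30", "channel": "Security", "id": 4688, "host": "fs01",
     "process": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-05-04T08:15:00", "channel": "Security", "id": 5156, "host": "dc01",
     "direction": "inbound", "src": "10.20.5.8", "dst_port": 135},
    {"ts": "2026-05-04T08:30:00", "channel": "Security", "id": 4732, "host": "ws-er-04",
     "member": "j.doe", "group": "Remote Desktop Users"},
]


def is_rpc_port(port):
    """135 is the RPC endpoint mapper; 49152-65535 is the default dynamic RPC range."""
    return port == 135 or 49152 <= port <= 65535


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)


def triage(events):
    """Return (severity, indicator, event) findings in time order."""
    events = sorted(events, key=lambda e: e["ts"])
    created = {}          # account name -> creation time, from 4720
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        eid = e["id"]
        if e["channel"] == "System" and eid in SERVICE_CRASH_IDS and e.get("service") == "Netlogon":
            findings.append(("critical", "netlogon-crash", e))
        elif eid == 5156 and e.get("direction") == "inbound" and is_rpc_port(e["dst_port"]):
            if not is_trusted(e["src"]):
                findings.append(("high", "rpc-from-untrusted", e))
        elif eid == 4720:
            created[e["target"]] = ts
        elif eid in GROUP_ADD_IDS and e.get("group") in PRIVILEGED_GROUPS:
            born = created.get(e["member"])
            if born is not None and ts - born <= NEW_ACCOUNT_WINDOW:
                findings.append(("critical", "new-privileged-account", e))
            else:
                findings.append(("high", "privileged-group-change", e))
        elif eid == 4688:
            # shadow-copy deletion is the VSS activity most worth an immediate look
            cmd = e.get("cmdline", "").lower()
            if ("vssadmin" in cmd and "delete shadows" in cmd) or ("shadowcopy" in cmd and "delete" in cmd):
                findings.append(("critical", "shadow-copy-deletion", e))
    return findings


def hosts_by_severity(findings):
    """Rank hosts by weighted finding count so responders know what to isolate first."""
    counts = {}
    for sev, _, e in findings:
        counts[e["host"]] = counts.get(e["host"], 0) + (2 if sev == "critical" else 1)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for sev, indicator, e in found:
        print(f"[{sev.upper():8}] {e['ts']} {e['host']:8} {indicator}")
    print("isolation order:", hosts_by_severity(found))
```

The 4720-then-group-add correlation is what separates "new privileged account" from a routine group change: the same 4728 event is critical when the member was created minutes earlier and merely high otherwise. The RPC rule also doubles as a check that the "restrict inbound Netlogon and RPC traffic" step actually took effect, since any permitted 5156 from outside the trusted list means the filtering is not where it should be.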
Questions to Ask Your Team:
- Are all domain controllers patched?
- Are any domain controllers running end-of-life server versions?
- Do we have a tested recovery path if Active Directory becomes unavailable or untrusted?
Peer Pulse: Jason Stewart, Manager, EOD/vCISO, Fortified
Russell: As ransomware-as-a-service keeps lowering the barrier for attackers, what should healthcare leaders assume has changed about their risk?
Jason: Healthcare leaders must recognize that their risks are now broader and more accessible to a wider range of attackers. With technical barriers lowered, attacks once considered sophisticated are now within reach of less-skilled individuals. Risks that were previously moderate have now become critical. The focus should shift from “if” to “when,” emphasizing the importance of resilience, rapid detection, and operational recovery. End-user education, consistent patching, and strong safeguards against social engineering are essential components of a comprehensive security strategy. Ultimately, risk is pervasive, and being prepared means integrating security into both technology and human behavior.
Russell: Where is AI making healthcare security programs most uncomfortable right now?
Jason: The primary concern stems from regulatory uncertainty. The challenge lies in understanding how the use of AI data aligns with HIPAA and HITRUST, which have not yet adapted to AI’s complexities. Leaders are apprehensive about where data is stored, how it is managed, and whether it can be removed from models. Trusting vendors remains a significant concern. While AI-driven phishing attacks are on the rise, the main issue is ensuring that AI adoption complies with strict healthcare regulations.
Russell: When attackers can move faster, automate more, and reuse proven playbooks, what does “ready” mean for a healthcare organization?
Jason: The term “ready” refers to accepting the inevitability of disruptions and preparing to be resilient in the face of them. While it’s impossible to guarantee 100% protection, readiness involves having a comprehensive incident response plan, a solid disaster recovery strategy, and well-drilled teams ready to handle unexpected situations. Staff members should be trained to operate effectively even when systems are down. Additionally, it’s important to align with frameworks such as the NIST Cybersecurity Framework 2.0 and to integrate cybersecurity into your organizational culture. This requires ongoing education, regular drills, and preparation for the worst-case scenarios.
Russell: How should CISOs explain AI-enabled social engineering to executives without turning it into fear or hype?
Jason: CISOs should present cybersecurity as a reality rather than hype. Use analogies like “The Matrix” to illustrate the distinction between the real world and a deceptive AI-driven one. This isn’t about instilling fear; it’s about confronting the facts. Cyberattacks are designed to extort data and money, and their frequency is increasing. Instead of spreading fear, focus on practical safeguards. Security should not be viewed as a barrier; it is essential to both patient safety and organizational strategy. The emphasis should be on adopting best practices to minimize risk and maintain trust.
Russell: What is the biggest mistake leaders make when they treat ransomware as a malware problem instead of an access and operations problem?
Jason: The biggest mistake is treating ransomware solely as a technical issue. Simply adding more technology won’t resolve it. Education is essential because end-users are often the weakest link in the security chain. Leaders who view cybersecurity as just a box to check tend to overlook its importance in strategic decision-making. Just as “meaningful use” once transformed healthcare, neglecting cybersecurity will result in failed projects or security breaches. Security must be integrated from the beginning, especially with AI initiatives. Otherwise, organizations may face regulatory failures or unintended breaches. The healthcare sector needs to prioritize cybersecurity, making it central to all strategic actions.
Closing Perspective
Cybersecurity tools and tactics are always changing, but one thing is clear: the speed of today’s attacks often outpaces current response plans.
Healthcare leaders should stop treating alerts and vulnerabilities as isolated incidents. Instead, they must recognize the factors reshaping the risk landscape, such as advancements in AI, ransomware-as-a-service, remote access, third-party vulnerabilities, and outdated infrastructure.
To tackle these challenges, assess what can be exploited and prepare to make decisions under pressure. This is where leadership can truly make a difference.