Threat groups and nation-state actors attacking healthcare organizations continue to target the same pressure points: cloud access, exposed infrastructure, remote access, vulnerable perimeter systems, and trusted identities.
That pattern matters. It tells healthcare cybersecurity teams where to focus their defenses, and gaining a deeper understanding of the tactics threat groups use can help mitigate the impact of an attack.
The names of the attack groups will change, the ransomware brands will shift, and the exploit chains will evolve. The common thread is that attackers continue to move toward systems, accounts, and access paths that are visible, trusted, subject to delayed remediation, or weakly governed.
A Look at Medusa
Medusa has become one of the ransomware threats healthcare leaders should be watching closely. Unlike a single closed threat group, Medusa operates as a Ransomware-as-a-Service (RaaS) model, allowing affiliates and other actors to leverage the ransomware as part of broader intrusion and extortion activity.
In many cases, threat actors do not need to start from scratch. They can purchase access to compromised devices and accounts from Initial Access Brokers (IABs). Once inside, Medusa-linked activity has been associated with exploitation of vulnerable web-facing systems, remote access tools, file transfer platforms, and enterprise management systems.
This matters because the initial access path is often not exotic. It is often something familiar: exposed remote access, weak identity controls, unpatched perimeter systems, legacy infrastructure, or trusted tools that are insufficiently governed.
Why It Matters Now
With over 300 victims already, Medusa ransomware appears to be expanding, and the broader ransomware ecosystem is becoming more fluid. Cybercriminal infrastructure is increasingly being used by actors with different motivations, including financially motivated affiliates and state-aligned groups. That convergence creates a more complex operating environment for healthcare organizations because the same ransomware platform can be used for financial extortion, disruption, intelligence collection, or geopolitical pressure.
This convergence of cybercriminal infrastructure and state-sponsored threat actors often leads to more sophisticated and more frequent attacks, motivated by both financial and geopolitical interests.
Microsoft has reported that Storm-1175, a financially motivated actor, has used the Medusa ransomware in high-tempo operations to rapidly exploit newly disclosed vulnerabilities. In some cases, the time between public disclosure and observed exploitation has been measured in days, and sometimes in hours.
That is the real lesson for healthcare leaders. The window between disclosure, exposure, exploitation, and impact is shrinking. Traditional patch cycles, slow escalation paths, and unclear ownership models are no longer sufficient for internet-facing and high-risk systems.
What Leaders Should Ask
- How quickly can we identify and respond to newly disclosed vulnerabilities in our perimeter systems?
- Which system would take the longest to patch, isolate, or place behind stronger controls?
- Where is MFA still not mandatory, weakly enforced, or being bypassed?
- Do we have exposed remote access, file transfers, or administrative platforms that should be restricted, isolated, or protected?
- Do we understand which vulnerabilities are known to be exploited by Medusa’s RaaS or active ransomware campaigns?
Threats To Be Aware Of
Critical Zero-Interaction Outlook/Word RCE
Overview:
Microsoft patched CVE-2026-40361, a high-severity code-execution vulnerability in Microsoft Office / Word. The vulnerability reinforces the continued risk of productivity platforms being used as an initial access path, especially when paired with email delivery, malicious documents, or user interaction scenarios.
Healthcare Impact:
Healthcare organizations remain especially exposed to email-borne threats because Outlook and Office documents remain core to communication with referrals, payers, vendors, partners, and other external entities. A single malicious document or crafted email could give an attacker an initial foothold inside hospital systems.
Recommended Actions:
Treat high-severity Microsoft Office and Outlook-related vulnerabilities as priority patching events, especially across clinical workstations, shared devices, administrative endpoints, and systems used by users with elevated access. Validate that Microsoft 365 Apps and supported Office versions are up to date, and confirm whether any unsupported or unmanaged Office installations remain in the environment.
Apply the May 2026 Patch Tuesday updates across affected Microsoft 365 Apps and Office 2024/2021/2019/2016 systems immediately. Treat this as a P1 patching priority, not a routine update cycle.
Questions to Ask Your Team:
- If a malicious email or document reached a clinical or administrative workstation today, how quickly could we detect and contain abnormal Outlook, Word, PowerShell, or credential access activity?
- Are any Office or Outlook endpoints still unpatched, and when will remediation be completed?
- Do we have visibility into unmanaged, shared, or legacy endpoints running Office applications?
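One concrete way to work on the first question above, as an added example that is not code from the article or from Fortified: a hunt over process-creation telemetry for Office applications spawning shells or script hosts, which is the process tree a malicious document opened on a clinical workstation tends to produce. It assumes Sysmon-style process-creation events flattened to one JSON object per line with the fields ParentImage, Image, CommandLine, User and Computer; the hostnames, users, paths and command lines in the sample are constructed.

```python
import json
import ntpath
import re

# Parent processes that should not normally launch shells or script hosts.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Children commonly abused for living-off-the-land execution after a document opens.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits that raise a finding from medium to high severity.
RISK_MARKERS = [
    (re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"), "encoded command"),
    (re.compile(r"(?i)downloadstring|invoke-webrequest|\biwr\b|https?://"), "download cradle"),
]

def score_event(event):
    """Return a finding dict for an Office-to-script-host spawn, else None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    reasons = [f"{parent} spawned {child}"]
    reasons += [label for rx, label in RISK_MARKERS if rx.search(cmd)]
    return {"host": event.get("Computer"), "user": event.get("User"),
            "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons}

def hunt(lines):
    """Score each JSON log line; malformed or truncated lines are skipped, not fatal."""
    findings = []
    for line in lines:
        try:
            finding = score_event(json.loads(line))
        except json.JSONDecodeError:
            continue
        if finding:
            findings.append(finding)
    return findings

# Constructed sample events (not real telemetry), plus one cut-off line at the end.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"Computer": "WS-CLINIC-07", "User": "HOSP\\nurse1", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"Computer": "WS-CLINIC-07", "User": "HOSP\\nurse1", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "WS-ADMIN-02", "User": "HOSP\\billing3", "ParentImage": OFFICE + r"\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ['{"Computer": "WS-']
```

Running hunt(SAMPLE_LOG) ignores the benign Word print helper and the truncated line, and returns one medium finding (Word spawning cmd.exe) and one high finding (Outlook spawning encoded PowerShell); in a real deployment, feed the same function the exported events from the EDR or SIEM and route high findings to the on-call analyst.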
Peer Pulse: T.J. Ramsey, Senior Director, Threat Operations, Fortified
Russell: When you look at current threat groups, what exploit patterns matter most for healthcare organizations?
T.J.: Geopolitical instability and U.S. holiday windows are two of the most reliable predictors of heightened threat activity, and neither shows up in a threat group profile. That’s the pattern worth watching.
Tracking individual groups matters less than people think; threat actors operate opportunistically almost as much as they operate strategically, and while some groups favor healthcare, all of them can target healthcare. The more useful lens is the macro one: when the world is tense, or defenders are distracted, activity increases. That consistency cuts across all groups, motives, and geographies.
Russell: Where are threat actors still finding the easiest path into healthcare organizations?
T.J.: Social engineering and credential attacks still reign supreme, not because organizations aren’t trying, but because the attack surface is people, and people are hard to patch. Vulnerability exploitation does occur, but user access and the configuration of their access remain the preferred initial access vector. It’s a simpler, lower-cost path for the attacker, and healthcare’s broad user base and federated access environments make it reliably exploitable.
Russell: How should leaders decide which vulnerabilities matter most?
T.J.: First, we need to clarify that ‘vulnerability’ isn’t limited to scanner output; a user with a weak password qualifies as vulnerable. Start with visibility: what you can see and what you can’t see that a threat actor needs to be successful.
Ask yourself and your team questions like:
- Does nursing staff really need remote email and Citrix access?
- Is RDP open to users by default?
- Is there anything internet-facing that could sit behind an MFA-protected VPN?
Each of those is an exposure that predates any CVE and rarely shows up in a scan report. Layer known exploited vulnerabilities on top of that foundation, and you have a prioritization model that reflects your true risk surface.
Remember, threat actors can’t break into a system or network they can’t see or interact with.
Russell: What separates active threat hunting from routine monitoring or alert review?
T.J.: The difference is being told about a crime in progress versus looking for the suspect before anything happens. Monitoring waits for someone to call out, ‘This is a robbery.’ Hunting means profiling a person wearing heavy winter clothes in June and proactively questioning them before they may do something nefarious.
In practice, that means looking for anomalous process execution, staged tooling, or living-off-the-land techniques before any alert triggers. You might not always find the bad actor, but you might find the tools they stashed to get past security, and that’s often more valuable.
Russell: How do threat hunting and vulnerability management work best together?
T.J.: They look for different things, and that’s exactly why they complement each other. A threat hunt might uncover a malicious process; vulnerability data tells the hunter how many paths the threat actor may have accessed.
Under optimal conditions, during a threat hunt, any system that reveals suspicious activity should be patched for known vulnerabilities, not just cleared of the suspicious evidence. That fixed system also serves as proof of concept for broader deployment for cyber teams. If it remains stable post-patch, you’ve validated the approach before pushing it enterprise-wide. The hunt informs and the patch closes the door the hunt finds open.
Russell: How should organizations balance vulnerability management across traditional IT, clinical, and harder-to-patch environments?
T.J.: Healthcare will always have systems that can’t be patched on the same cadence as traditional IT; clinical uptime requirements and vendor constraints are real. Tackle what you can, when you can. But the more important question is: even if you could patch everything, are your processes and people aligned to execute as quickly as your SLAs or the situation requires? Prioritization, intelligence, and execution discipline matter more than patch coverage alone. A program that patches 60% of critical findings on time is more mature than one that patches 90% of findings three months later.
Closing Perspective
The threat groups and attack names will keep changing, but their pressure points will not. Healthcare leaders should focus less on memorizing every actor’s name and more on understanding the patterns those actors repeatedly exploit: trusted identities, exposed systems, remote access, delayed remediation, and unclear ownership.
Start with what is trusted, what is exposed, and what remains unaddressed. That is where risk becomes real. It is also where leadership can make the greatest impact.