In our May 2025 CISO Brief, we saw threat actors sharpening their techniques and targeting healthcare organizations in ways that challenge our traditional security assumptions. We saw new endpoint evasion tactics, a shift in the targets ransomware groups choose, and signs that the ransomware group that targeted DaVita may have struck again, this time at a different healthcare organization.
In this month’s CISO brief, we’ll examine key threat bulletins and the Kettering Health breach, a real-world reminder of why cyber resilience must be central to every healthcare security strategy.
Hackers Bypass Endpoint Defenses to Compromise Environments
Overview:
One of the more concerning developments this month was a rise in endpoint bypass attacks. Fortified’s latest threat bulletin outlines that threat actors are refining their techniques, using “living-off-the-land” tactics — leveraging legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) to move stealthily across environments. These techniques render traditional endpoint defenses less effective, allowing attackers to escalate privileges or exfiltrate data undetected.
Healthcare Impact:
Healthcare is particularly vulnerable to these attacks due to its reliance on layered security strategies that often emphasize endpoint protection platforms (EPPs). Once adversaries are inside, lateral movement becomes much harder to detect, especially across networks that include legacy systems, connected medical devices, and fragmented IT environments.
Recommendations:
- Ensure your Endpoint Detection and Response (EDR) tools are configured to detect behavioral anomalies, not just malware signatures.
- Audit and lock down administrative tool access — tools like PowerShell should have limited use cases and tight controls.
- Continue educating staff on social engineering and phishing, as human error remains a major entry point.
- Require multi-factor authentication (MFA) across all endpoints and remote access points.
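As an added example, not code from Fortified or the bulletin, the following Python script shows what "behavioral, not signature-based" detection of living-off-the-land activity looks like in practice: it triages process-creation records (Sysmon Event ID 1 style fields, an assumption about the log source) for PowerShell and WMI abuse patterns and a remote-execution indicator of lateral movement. The sample events are constructed for this example.

```python
import re
from typing import Dict, List

_PS = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
_SHELL = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.I)
_OFFICE = re.compile(r"\\(winword|excel|outlook|powerpnt)\.exe$", re.I)
_ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
_BYPASS = re.compile(r"-(ep|executionpolicy)\s+bypass|-w(indowstyle)?\s+hidden", re.I)
_REMOTE = re.compile(r"/node:|-ComputerName\s+\S+", re.I)

def _cmd(ev: Dict[str, str]) -> str: return " " + ev.get("CommandLine", "") + " "  # pad so \s anchors match

# Rules key on parent/child relationships and switches (behaviour), not file signatures.
RULES = [
    ("powershell_encoded_command",
     lambda ev: bool(_PS.search(ev["Image"]) and _ENCODED.search(_cmd(ev)))),
    ("powershell_policy_bypass_or_hidden",
     lambda ev: bool(_PS.search(ev["Image"]) and _BYPASS.search(_cmd(ev)))),
    ("wmi_spawned_shell",
     lambda ev: ev.get("ParentImage", "").lower().endswith("wmiprvse.exe")
                and bool(_SHELL.search(ev["Image"]))),
    ("office_spawned_powershell",
     lambda ev: bool(_PS.search(ev["Image"]) and _OFFICE.search(ev.get("ParentImage", "")))),
    ("remote_execution_to_other_host",
     lambda ev: bool(_REMOTE.search(_cmd(ev)))),
]

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match, tagged with the host for SOC routing."""
    return [{"host": ev.get("Computer", "?"), "rule": name, "image": ev["Image"]}
            for ev in events for name, pred in RULES if pred(ev)]

SAMPLE_EVENTS = [  # constructed sample data, not from any real incident
    {"Computer": "HR-WS01", "ParentImage": r"C:\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc RwBlAHQALQBEAGEAdABlAA=="},  # placeholder blob
    {"Computer": "SCHED-SRV02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "IT-ADMIN03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process -ComputerName PACS-SRV01"},
    {"Computer": "IT-ADMIN03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},  # benign baseline, should not fire
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']:12} {f['rule']:36} {f['image']}")
```

The benign fourth event produces no finding, which is the point: the rules fire on how PowerShell and WMI are being used, not on the presence of the tools themselves.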
Questions to Ask Your Team:
- Are we capable of detecting fileless malware and living-off-the-land attacks in real time?
- How are we monitoring for lateral movement across critical systems?
- Are our EDR platforms integrated with our SOC workflows to prioritize real threats?
Hackers Declare Medium is the New Critical
Overview:
Another trend that caught my attention was the strategic pivot by ransomware groups, who are increasingly targeting “medium-priority” systems instead of immediately going after high-value targets. As detailed in Fortified’s May 12, 2025 threat bulletin, attackers are focusing on assets like scheduling software, HR systems, and other business applications that are essential for hospital operations but may not have the same level of cybersecurity hardening as clinical systems.
Healthcare Impact:
In healthcare, we often categorize systems based on risk, and too often, systems supporting non-clinical functions don’t get the same security attention as EHR platforms or PACS. Attackers know this. By targeting these overlooked assets, they can disrupt the entire business operation: no schedules, no payroll, no access to support systems that keep hospitals running smoothly.
Recommendations:
- Reassess your IT asset classifications: what you consider medium-priority might be business-critical.
- Expand disaster recovery and incident response plans to include less obvious but vital systems.
- Tighten network segmentation to prevent attackers from pivoting from administrative systems into clinical environments.
Questions to Ask Your Team:
- When was the last time we reviewed the risk ratings for all our systems?
- Are our business continuity plans robust enough to account for secondary system outages?
- How quickly can we restore “non-critical” systems if targeted by ransomware?
Kettering Health Breach
Overview:
Kettering Health, a large health system based in Ohio, experienced a major cyberattack this month that forced internal health records offline, disabled phones, and disrupted patient care operations for nearly two weeks. While the organization has not confirmed the nature of the attack, reports strongly suggest a ransomware event, potentially linked to the same threat actor responsible for the DaVita breach last month.
During the outage, Kettering had to cancel surgeries, divert ambulances, and manually handle critical operations without access to EHR systems. Dayton Daily News and Chief Healthcare Executive reported that while internal records access was partially restored by early June, work continues on fully restoring systems like patient portals and communication networks.
Healthcare Impact:
This incident is yet another wake-up call for healthcare. The impact at Kettering (i.e., canceled surgeries, diverted ambulances, and disruptions to critical services) shows that cyberattacks are no longer just IT issues; they are patient safety issues. Healthcare providers must recognize that it’s not a matter of if an attack will happen, but when. The stakes are simply too high. To protect our patients, we must double down on the fundamentals: build stronger network defenses, maintain 24/7 monitoring, train staff rigorously, and regularly test incident response plans that ensure the business of saving lives continues even during a crisis.
The takeaway here is the urgency to modernize security defenses, foster a culture of cyber readiness, and treat cybersecurity as a shared responsibility across the healthcare ecosystem. We also must work together: sharing threat intelligence, strengthening partnerships with government agencies, and preparing not just for attacks, but for rapid, coordinated recovery.
Recommendations:
- Strengthen ransomware defenses with advanced network segmentation, isolated and immutable backups, and continuous security monitoring.
- Ensure all business continuity and disaster recovery plans are tested under ransomware and extended outage scenarios.
- Actively participate in healthcare-focused threat intelligence sharing programs like ISACs to improve collective defense.
Questions to Ask Your Team:
- How quickly can we restore critical clinical and communication systems if hit by ransomware?
- Are our backups truly isolated and recoverable without risking reinfection?
- Are we continuously refining our incident response and cyber resilience strategies based on lessons from real-world healthcare breaches?
Looking Ahead
If May showed us anything, it’s that ransomware groups are adapting fast and still view healthcare as prime territory. The playbook is shifting from endpoint bypass tactics to attacks on mid-tier systems. Yet the impact is increasingly personal: patient care is disrupted, operations are thrown into chaos, and trust is on the line.
The Kettering Health breach is not an outlier; it’s a preview of what’s to come. As we look ahead, strengthening defenses isn’t optional; it’s imperative. We must move beyond reactive security to build true resilience: refining incident response, hardening overlooked systems, and closing the visibility gaps that threat actors continue to exploit.