Compliance Won’t Save Healthcare: Reducing the Blast Radius Will
The U.S. Department of Health and Human Services (HHS) Notice of Proposed Rulemaking (NPRM) emphasizes that healthcare organizations must move beyond basic HIPAA compliance to achieve true cybersecurity resilience. To combat the rising threat of ransomware, organizations are urged to implement continuous asset monitoring and microsegmentation to contain lateral movement, reduce the blast radius of attacks, and protect electronic protected health information (ePHI).
Source: Akamai
Key Takeaways
- The HHS Notice of Proposed Rulemaking (NPRM) signals a shift in healthcare cybersecurity from static compliance to dynamic resilience.
- Compliance alone is insufficient; healthcare organizations must focus on containing cyberattacks and reducing the blast radius.
- Network segmentation and microsegmentation are critical technical controls to limit lateral movement and protect ePHI.
- Continuous asset inventory visibility, including Internet of Medical Things (IoMT) devices, is required for modern risk management.
- Ransomware impact is determined by containment; limiting the scope of an attack enables faster recovery and protects patient safety.
Affected Systems
- Healthcare Infrastructure
- Electronic Protected Health Information (ePHI) Systems
- Internet of Medical Things (IoMT)
- Hybrid Cloud Environments
Attack Chain
Threat actors target healthcare environments by exploiting trust relationships, network reachability, and vulnerable connected devices to gain initial access. Once inside, they leverage flat network architectures and a lack of microsegmentation to move laterally across systems. This unrestricted lateral movement allows ransomware to deploy widely across electronic information systems, disrupting operations, compromising patient safety, and exfiltrating ePHI.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in this strategic advisory.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR can detect ransomware execution and some lateral movement on supported endpoints, but network-level segmentation gaps and unmanaged IoMT devices require network telemetry to fully monitor.
- Network Visibility: High — Network telemetry is essential for identifying lateral movement, mapping asset communications, and enforcing microsegmentation policies across hybrid healthcare environments.
- Detection Difficulty: Moderate — Identifying anomalous lateral movement in complex, hybrid healthcare environments requires well-tuned baselines, comprehensive asset visibility, and continuous monitoring.
Required Log Sources
- Firewall logs
- Network flow logs
- Asset inventory databases
- Identity and Access Management (IAM) logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected network connections originating from IoMT devices to internal servers storing ePHI, indicating potential lateral movement or compromised devices. | Network flow logs, Firewall logs | Lateral Movement | Medium |
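The hypothesis above as a runnable hunt, added here as an illustration and not part of the advisory or Akamai's material: it joins constructed flow records against a hypothetical asset inventory (an IoMT segment and two ePHI servers) and an allowlist produced by the flow-mapping step, and reports IoMT-to-ePHI connections that the mapping did not sanction.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory and allowlist (example values, not from the advisory).
IOMT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")   # pumps, monitors, imaging modalities
EPHI_SERVERS = {"10.50.1.10": "ehr-db", "10.50.1.20": "pacs-archive"}
# Flows documented as legitimate during flow mapping: (iomt_src, ephi_dst, dport).
ALLOWED_FLOWS = {("10.20.3.15", "10.50.1.20", 104)}   # imaging modality -> PACS (DICOM)

def parse_flow(line):
    """Parse one constructed flow record: ts src dst dport proto bytes."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}

def is_iomt(ip):
    return ipaddress.ip_address(ip) in IOMT_SEGMENT

def hunt_iomt_to_ephi(lines):
    """Return IoMT -> ePHI flows that are not on the allowlist."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if not is_iomt(f["src"]) or f["dst"] not in EPHI_SERVERS:
            continue                      # not an IoMT -> ePHI flow
        if (f["src"], f["dst"], f["dport"]) in ALLOWED_FLOWS:
            continue                      # sanctioned by the flow map
        findings.append({**f, "target": EPHI_SERVERS[f["dst"]]})
    return findings

def devices_by_exposure(findings):
    """Group findings per IoMT device: which ePHI hosts/ports it reached."""
    exposure = defaultdict(set)
    for f in findings:
        exposure[f["src"]].add((f["target"], f["dport"]))
    return dict(exposure)

# Constructed sample: one sanctioned DICOM push, one non-IoMT client, and a
# patient monitor touching the EHR database on SMB and RDP ports.
SAMPLE_FLOWS = """\
2024-01-01T03:00:01Z 10.20.3.15 10.50.1.20 104 tcp 920000
2024-01-01T03:00:07Z 10.20.7.42 10.50.1.10 445 tcp 1300
2024-01-01T03:00:09Z 10.30.1.5 10.50.1.10 1433 tcp 4100
2024-01-01T03:00:12Z 10.20.7.42 10.50.1.10 3389 tcp 800
"""

if __name__ == "__main__":
    hits = hunt_iomt_to_ephi(SAMPLE_FLOWS.splitlines())
    for src, reached in devices_by_exposure(hits).items():
        print(src, "->", sorted(reached))
```

The allowlist is what turns this from a noisy segment-to-segment alert into the Medium-FP hunt the table describes: every legitimate IoMT-to-ePHI path found during flow mapping should be recorded there before the hunt is scheduled.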
Control Gaps
- Lack of microsegmentation
- Flat network architectures
- Incomplete asset inventory (shadow IT and unmanaged IoMT)
Key Behavioral Indicators
- Anomalous lateral traffic between distinct network segments
- Unauthorized access attempts to ePHI databases from non-standard assets
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Conduct a comprehensive asset inventory, including all IoMT devices, cloud services, and hybrid infrastructure components.
- Map existing network communication flows to identify unnecessary trust relationships and exposure pathways.
Infrastructure Hardening
- Implement network segmentation and microsegmentation to isolate ePHI systems and restrict lateral movement.
- Enforce Multi-Factor Authentication (MFA) across all access points and applications.
- Deploy continuous vulnerability scanning and anti-malware protections across all compatible assets.
User Protection
- Restrict access to ePHI based on the principle of least privilege and monitor for anomalous access patterns.
Security Awareness
- Train staff on the updated HIPAA security rule requirements and the importance of incident response plans.
- Conduct tabletop exercises focusing on ransomware containment, blast radius reduction, and recovery timelines.
MITRE ATT&CK Mapping
- T1021 - Remote Services
- T1486 - Data Encrypted for Impact