With nation-states leveraging a “whole of society” approach to target American critical infrastructure, the defense of our homeland now requires an equally unified response. Healthcare, a sector where disruptions carry life-or-death consequences, sits directly in the crosshairs of these sophisticated adversaries. To shed light on the evolving threat landscape and the practical steps organizations can take, we are speaking with a leading expert in cybersecurity and threat intelligence. Our conversation will explore the FBI’s latest defensive campaigns, the surprisingly simple tactics used by powerful state-sponsored actors, the hidden dangers within our technology supply chains, and the vital importance of building a resilient partnership between the private sector and government agencies to protect patient safety and national security.
You’ve emphasized that Operation Winter Shield requires a “whole of society” approach to national defense. Beyond basic compliance, how can a hospital’s leadership actively partner in this effort? Could you share a step-by-step example of how to implement a key control, like maintaining offline, immutable backups?
The “whole of society” concept is a fundamental shift from the old “whole of government” model. It recognizes that the front lines of our national defense run directly through the private sector, and hospitals are on that front line. Active partnership means leadership must champion security not as an IT cost center, but as a core component of patient safety and national security. For a critical control like backups, it’s not just about having them; it’s about making them resilient. First, you must physically or logically segregate your backups from the primary network. This is the “offline” part—an air gap is ideal. Second, you implement immutability, meaning the backup data cannot be altered or deleted for a set period. This can be achieved through technologies like Write-Once-Read-Many (WORM) storage. The final, and most crucial, step is to regularly test your restoration process. An untested backup is just a prayer, and in a ransomware crisis, you need a proven capability to get critical systems back online and ensure continuity of care.
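The three steps above (segregate the backups, make them write-once for a retention period, and prove you can restore) can be exercised end to end in code. The block below is an added example, not anything from the interview or from the FBI, and it models the write-once retention lock in Python only so the semantics are visible; in production that guarantee has to come from the storage layer (WORM media, object lock in compliance mode) so a compromised backup host cannot bypass it. The store layout, key names and sample files are constructed for the example.

```python
"""Model of the three-step backup control: (1) backups live in a store separate
from the production tree, (2) the store is write-once with a retention lock,
(3) a restore drill rebuilds the data elsewhere and checks every hash.
The retention lock is enforced here in software purely for illustration;
the real control must live in the storage layer. All sample data is constructed."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


class ImmutableStore:
    """Write-once objects with a per-object retention deadline (assumed design)."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self._locked_until = {}          # key -> unix time the object stays locked

    def put(self, key, data: bytes, retain_seconds):
        path = self.root / key
        if path.exists():                # never overwrite: that is the WORM property
            raise PermissionError(f"{key} already exists; overwrite refused")
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        self._locked_until[key] = time.time() + retain_seconds

    def delete(self, key):
        if time.time() < self._locked_until.get(key, 0):
            raise PermissionError(f"{key} is under retention; delete refused")
        (self.root / key).unlink()
        self._locked_until.pop(key, None)

    def get(self, key) -> bytes:
        return (self.root / key).read_bytes()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_backup(src, store, retain_seconds=30 * 24 * 3600):
    """Copy every file under src into the store and record a hash manifest
    next to it, so a later restore can prove the data is intact."""
    manifest = {}
    for f in sorted(Path(src).rglob("*")):
        if f.is_file():
            rel = f.relative_to(src).as_posix()
            data = f.read_bytes()
            store.put(f"data/{rel}", data, retain_seconds)
            manifest[rel] = sha256(data)
    store.put("manifest.json", json.dumps(manifest, sort_keys=True).encode(), retain_seconds)
    return manifest


def restore_and_verify(store, dest):
    """Restore drill: rebuild dest from the store and compare each restored
    file's hash with the manifest. Returns a list of problems; empty is success."""
    manifest = json.loads(store.get("manifest.json"))
    problems = []
    for rel, digest in manifest.items():
        out = Path(dest) / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_bytes(store.get(f"data/{rel}"))
        if sha256(out.read_bytes()) != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    return problems


def drill():
    """End-to-end run on constructed data: back up, simulate a ransomware
    attempt against the backups themselves, then restore and verify."""
    work = Path(tempfile.mkdtemp())
    src = work / "ehr"
    (src / "config").mkdir(parents=True)
    (src / "patients.db").write_bytes(b"constructed sample records\n" * 200)
    (src / "config" / "app.ini").write_text("[db]\nhost = ehr-db\n")
    store = ImmutableStore(work / "vault")      # separate tree stands in for the air gap
    take_backup(src, store)
    try:                                        # the encryptor tries to overwrite a backup
        store.put("data/patients.db", b"ENCRYPTED", 0)
        overwrite_refused = False
    except PermissionError:
        overwrite_refused = True
    try:                                        # then tries to delete the manifest
        store.delete("manifest.json")
        delete_refused = False
    except PermissionError:
        delete_refused = True
    problems = restore_and_verify(store, work / "restore-drill")
    shutil.rmtree(work)
    return overwrite_refused, delete_refused, problems


if __name__ == "__main__":
    print(drill())   # (True, True, []) when both tamper attempts are refused and the restore verifies
```

The point of `drill()` is the last call: a backup job that reports success is not evidence of anything until a restore into a scratch location reproduces every hash in the manifest, and that check belongs on a schedule, not in the middle of an incident.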
Sophisticated nation-state actors often target simple vulnerabilities rather than deploying complex tools. Why is this “path of least resistance” so effective against critical infrastructure, and what specific tactics should security teams be looking for from groups associated with China or Russia?
It’s a matter of efficiency and operational security for the adversary. Why burn a sophisticated, expensive zero-day exploit when an unpatched, end-of-life device on the network edge offers an open door? This “path of least resistance” is devastatingly effective because it exploits the basics that are so often overlooked under financial and operational pressure. Chinese state-sponsored campaigns like Volt Typhoon are a perfect example; they specifically target these forgotten edge devices—routers, firewalls—to create a stealthy botnet on trusted U.S. IP space. From there, they can pivot to sensitive targets like hospitals. Security teams need to be hunting for actors leveraging stolen credentials against remote access points that lack multi-factor authentication. Whether it’s an actor from China, Russia, or Iran, they will almost always try this first because it’s simple, effective, and allows them to blend in with legitimate network traffic.
The average cost of a healthcare data breach is over $7 million, and actor dwell time can exceed 270 days. Given these metrics, how can organizations improve early detection of an intruder? Can you describe the initial indicators of a compromise from a group like Scattered Spider?
Those numbers are staggering, and they underscore a critical gap: we focus so much on prevention that we neglect detection. We cannot stop 100% of intrusions, so reducing that 270-day dwell time is paramount to minimizing the blast radius of an attack. Improving early detection requires a shift in mindset. You have to assume a breach is possible and actively hunt for adversaries in your network. For a group like Scattered Spider, the initial indicators are often subtle and exploit the human element. They are masters of social engineering. An alert security team should be looking for unusual help desk activity, like a sudden influx of calls for password resets for high-privilege accounts, followed by successful logins from atypical locations or at odd hours. They might gain access using legitimate credentials, so you can’t just look for malware; you have to look for anomalous, authenticated behavior that deviates from a user’s normal baseline.
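The indicators in the two answers above (stolen credentials used against remote access without MFA, a flood of help-desk password resets on privileged accounts, and a reset followed by a successful login from an atypical location or hour) are concrete enough to turn into detection logic. The block below is an added example, not code from the interview or any FBI or vendor tooling; the record layouts are an assumed schema, the privileged-account and remote-access lists are assumed, and every ticket and login event is constructed sample data.

```python
"""Detection logic for the indicators discussed above: a burst of help-desk
password resets on privileged accounts, a privileged reset followed by a
successful login outside the user's baseline (location or hour), and a
successful remote-access login without MFA. All records are constructed
sample data; the field layout is an assumed schema, not any product's."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"da-admin", "sql-svc", "backup-admin"}     # assumed high-privilege accounts
REMOTE_ACCESS = {"vpn", "citrix", "rdp-gateway"}          # assumed remote-access services

# Constructed known-good login history used to build each user's baseline: (user, country, hour)
HISTORY = [
    ("da-admin", "US", 9), ("da-admin", "US", 10), ("da-admin", "US", 14),
    ("sql-svc", "US", 2), ("sql-svc", "US", 3),
    ("nurse1", "US", 8), ("nurse1", "US", 9),
]
# Constructed help-desk tickets: (timestamp, account, ticket type)
TICKETS = [
    ("2024-03-04T13:02", "da-admin", "password_reset"),
    ("2024-03-04T13:15", "backup-admin", "password_reset"),
    ("2024-03-04T13:40", "sql-svc", "password_reset"),
    ("2024-03-04T16:00", "nurse1", "password_reset"),
]
# Constructed authentication events: (timestamp, user, country, service, mfa, success)
AUTH = [
    ("2024-03-04T03:30", "sql-svc", "US", "vpn", True, True),     # before its reset: normal
    ("2024-03-04T14:05", "da-admin", "NG", "vpn", False, True),   # after reset, new country, no MFA
    ("2024-03-04T14:06", "nurse1", "US", "vpn", True, True),      # not privileged, in baseline
    ("2024-03-04T14:20", "da-admin", "NG", "vpn", False, False),  # failed attempt: ignored here
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def build_baseline(history):
    """Per-user set of countries and hours seen in known-good logins."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, country, hour in history:
        base[user]["countries"].add(country)
        base[user]["hours"].add(hour)
    return base


def privileged_resets(tickets):
    return {acct: ts(t) for t, acct, kind in tickets
            if kind == "password_reset" and acct in PRIVILEGED}


def reset_burst(tickets, window=timedelta(hours=1), threshold=3):
    """Alert when >= threshold privileged password resets land inside one window,
    the help-desk flood that Scattered Spider-style social engineering produces.
    Returns (window start, count) or None."""
    times = sorted(privileged_resets(tickets).values())
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window)
        if count >= threshold:
            return (start, count)
    return None


def post_reset_anomalies(tickets, auth, baseline, lookahead=timedelta(hours=6)):
    """Privileged reset followed within `lookahead` by a successful login that
    deviates from the user's baseline. A user with no history is treated as
    entirely anomalous, which is the safe default for a rarely used admin account."""
    resets = privileged_resets(tickets)
    findings = []
    for t, user, country, service, mfa, ok in auth:
        if not ok or user not in resets:
            continue
        delta = ts(t) - resets[user]
        if not (timedelta(0) <= delta <= lookahead):   # only logins after the reset count
            continue
        reasons = []
        if country not in baseline[user]["countries"]:
            reasons.append("atypical location")
        if ts(t).hour not in baseline[user]["hours"]:
            reasons.append("odd hour")
        if reasons:
            findings.append((user, t, reasons))
    return findings


def no_mfa_remote_access(auth):
    """Successful logins to a remote-access point without MFA: a stolen
    password needs nothing more than this to walk in."""
    return [(user, t, service) for t, user, country, service, mfa, ok in auth
            if ok and service in REMOTE_ACCESS and not mfa]


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print("reset burst:", reset_burst(TICKETS))
    print("post-reset anomalies:", post_reset_anomalies(TICKETS, AUTH, base))
    print("remote access without MFA:", no_mfa_remote_access(AUTH))
```

None of these rules looks for malware; each one keys on authenticated activity that is individually legitimate and only suspicious in sequence or against the user's own history, which is why the baseline has to be built from the identity and help-desk logs the hospital already has.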
Supply chain attacks have a cascading impact on the healthcare ecosystem. How should a hospital CISO analyze and mitigate risks from third-party vendors? Please walk us through a few practical steps for vetting a new technology provider to ensure their security posture aligns with your own.
Supply chain risk is one of the most significant threats we face, as we saw with the Change Healthcare incident. An attacker who compromises one vendor can gain access to hundreds of hospitals. A CISO must treat third-party risk with the same rigor as their own internal security. The first step in vetting a new provider is conducting deep due diligence. Don’t just accept their marketing materials; demand to see their security audits, certifications, and penetration test results. Second, clearly define and contractually obligate the vendor to meet your security standards, including incident notification timelines. Third, you must continuously monitor the relationship. This involves analyzing the third party’s web access to your data and systems—understand precisely what they can see and do. Ask them how they’re implementing the same critical controls you are, like vulnerability management and multi-factor authentication, because their weakness can very quickly become your crisis.
The FBI’s Office of Private Sector serves as a critical bridge. If a hospital suspects a cyber incident, what is the best way to engage their local FBI field office? Could you detail what information is most valuable to share initially and explain how that intelligence helps prevent future victims?
The absolute best way to engage is to simply pick up the phone and call your local FBI field office. Every one of the 56 field offices has a dedicated Private Sector Coordinator whose job is to be that bridge. You don’t need a prior relationship. When you call, the most valuable initial information you can share includes any indicators of compromise you’ve identified—malicious IP addresses, suspicious domains, malware hashes—and a summary of the observed activity on your network. Sharing this information immediately is crucial. It allows the FBI’s cyber division to connect the dots across multiple investigations, identify a broader campaign, and rapidly disseminate that intelligence to warn other potential victims. Your hospital’s data point might be the missing piece of the puzzle that allows the FBI to disrupt the adversary’s infrastructure and prevent the next hospital from getting hit. It’s a two-way partnership; your information helps protect the entire healthcare sector.
What is your forecast for the evolution of cyberthreats targeting the U.S. healthcare sector over the next 18 months?
Over the next 18 months, I foresee an intensification of the threats we’re already seeing, driven by geopolitical tensions. We will see more pre-positioning by nation-states like China and Russia within critical infrastructure, not necessarily for immediate disruption, but to have the capability in place should conflict escalate. Ransomware groups will become even more focused on the supply chain, targeting third-party service providers to maximize their impact and pressure multiple victims with a single breach. We’ll also see a rise in attacks that blend sophisticated social engineering, like what we see from Scattered Spider, with commodity tactics like exploiting unpatched systems. The financial pressure on hospitals isn’t going away, which means adversaries will continue to find success with these “path of least resistance” methods. The defense will hinge on mastering the basics, fostering deep public-private partnerships, and building a culture where cybersecurity is seen as inseparable from patient care.
