How precise email analysis reduces healthcare ransomware threats

When health-care organizations face ransomware attacks, patients ultimately pay the price. Data-informed cyber defense strategies can help mitigate those risks.

Ryan Witt is an industries solutions and strategy leader at Proofpoint, specializing in healthcare and cybersecurity. He has over 15 years of experience advising healthcare institutions on the value of robust data protection.

The healthcare industry has come under intensified attacks by malicious actors over the last year amid new opportunities to target institutions during the COVID-19 pandemic.

(Photo: Ryan Witt, Industry Solutions and Strategy Leader, Proofpoint)

Among the various cyberthreats the healthcare industry faces, ransomware poses particular risks to the patients these institutions serve. While the goal of a ransomware attack is to extract a payment, the consequences of holding a health organization’s IT systems hostage put patient safety and critical care at risk.


Earlier this year, for example, one university medical system that offered important oncology services in its region fell victim to a ransomware attack that blocked access to its electronic medical record (EMR) systems. Unable to reliably access patients’ records, the institution was forced to turn away some oncology patients; in other cases it could offer only skeletal services, with staff reduced to recreating patient records on pen and paper.

It took the institution roughly a month to reconstitute its medical records and fully eradicate the ransomware from its systems, at an untold cost in patient safety and lost productivity. This kind of ransomware attack illustrates a large and growing problem occurring throughout the country, where unseen criminals are holding public and private healthcare organizations hostage.

While many organizations have built up an ecosystem of security tools to monitor network activity and firewalls to block malicious traffic, often their greatest security and compliance risk comes from their employees and business associates who inadvertently fall victim to phishing emails or stolen credential dumps.

Cybercriminals have shifted their focus from targeting technical deficiencies to human vulnerabilities: the busy clinician who clicks on an email attachment; the eager patient who fills in credentials to claim a fake offer; an employee who interacts with emails from their suppliers, not realizing it is an imposter account.

Growing threats against the healthcare sector


The Healthcare Information and Management Systems Society (HIMSS) released a 2020 Cybersecurity Survey in which it concluded that 89% of all cyberattacks, including ransomware attacks, start with email. Cybercriminals today are adapting their techniques to strategically target people within the organization, using social engineering techniques designed to trick users into making security mistakes.

Threat actors approach these email-based attacks with the same effort, time and resources they used to put into understanding network vulnerabilities. And there is enough actionable research from Proofpoint to state clearly who is being targeted within the healthcare sector.

For example, if an institution has a clinical research component, it is being attacked to gain access to intellectual property. Employees who deal with the supply chain — those who download invoices, pay invoices or approve quotes — are targeted because they are more prone to click on a malicious link. If the organization deals with controlled substances that have monetizable value on the black market, those employees are at high risk as well.

Proofpoint conservatively analyzes 5 billion-plus emails per day, with a significant portion of those being sent to health institutions. Our data shows that up to 90% of malicious emails sent to healthcare institutions are blocked by email filters. The rest consists of targeted emails that appear to come from a known person or entity. Attackers do their homework, targeting people based on data readily available to them. Caught off guard, an employee may click on something without thinking, leaving the network exposed.

The resulting ransomware attack may not happen immediately after a credential is compromised. Once a cybercriminal gets access to the system, they can take their time gathering information about the organization and navigating their way to a part of the architecture where they can launch their exploits.


Though many security leaders today talk about upcoming security threats, such as medical device vulnerability, the data shows ransomware, phishing and imposter emails still work, and these are low investment and high-return attacks for cybercriminals. Certainly, medical devices have very valid weaknesses, but we do not anticipate a significant shift in how criminals invest in attacks until the email-based attacks become less profitable.

The good news is that healthcare organizations don’t have to wait for tools to be developed to address this problem. Modern security platforms, like Proofpoint’s, give security leaders the insights they need to make strategic investments that protect the organization’s people.

Building a security strategy informed by data

At Proofpoint, we believe that if organizations can see the data behind who is being attacked, they can better anticipate and mitigate the risks on their threat landscape. A people-centric security approach gives institutions the ability to apply risk-based controls based on who is being targeted and why.

We understand the value of protecting people. With Proofpoint’s research, tools, capabilities and technology, we give organizations the means to keep the bare minimum of exploits away from their targets.


If an organization has 50,000 email addresses, for example, and only 10% of those are being significantly targeted, it wouldn’t be appropriate or cost-effective to set up the gold standard of security tools for all 50,000 addresses. Instead of treating everyone the same, the institution can apply adaptive controls to the people who are most at risk.

Our Targeted Attack Protection solution provides visibility into an organization’s “Very Attacked People” (VAPs), which allows the institution to identify which job functions are under attack and why. Once that is known, the organization can decide which adaptive controls should be used to offer enhanced protection, such as fine-tuning its sandboxing so that any emails sent to those individuals are directed into a sandbox for further analysis.

They can also place certain exchanges in an isolated environment, so that the whole email interchange exists within a container and cannot seep onto the enterprise network. Keeping all of that activity in a containerized environment significantly improves the ability to prevent data loss.

Finally, we always recommend that organizations continuously update their security training. Understanding which departments are at greatest risk helps leaders make strategic decisions about who should receive more security awareness training. Ultimately, minimizing risk comes down to making sure that these people are best equipped to recognize what a suspicious email looks like.
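The people-centric workflow sketched above (rank mailboxes by how heavily they are attacked, then reserve sandboxing, isolation and extra training for the most-targeted 10%) can be expressed as a small scoring script. The following is an added illustration, not Proofpoint's code or data model: the gateway log format, the threat weights, the control names and the `hospital.example` mailboxes are all assumptions, and the log lines are constructed for the example.

```python
"""Rank mailboxes by blocked-threat volume and pick adaptive controls.
Added example; log format, weights and control names are assumptions."""
from collections import defaultdict

# Constructed mail-gateway log: one blocked or delivered message per line.
GATEWAY_LOG = """\
2021-06-01T08:02Z rcpt=ap-clerk@hospital.example verdict=blocked threat=credential_phish
2021-06-01T08:05Z rcpt=ap-clerk@hospital.example verdict=blocked threat=malicious_attachment
2021-06-01T08:09Z rcpt=ap-clerk@hospital.example verdict=blocked threat=imposter
2021-06-01T09:15Z rcpt=oncology-research@hospital.example verdict=blocked threat=malicious_attachment
2021-06-01T09:40Z rcpt=oncology-research@hospital.example verdict=blocked threat=credential_phish
2021-06-01T10:01Z rcpt=user03@hospital.example verdict=blocked threat=credential_phish
2021-06-01T10:30Z rcpt=user07@hospital.example verdict=delivered threat=none
"""

# Every mailbox the organisation owns (constructed); most are never targeted.
ALL_MAILBOXES = [f"user{i:02d}@hospital.example" for i in range(18)] + [
    "ap-clerk@hospital.example", "oncology-research@hospital.example"]

# Assumed weights: imposter (supplier-lookalike) mail rated the most dangerous.
THREAT_WEIGHTS = {"credential_phish": 1.0, "malicious_attachment": 2.0, "imposter": 3.0}

def parse_blocked(log_text):
    """Return (recipient, threat) pairs for messages the gateway blocked."""
    events = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("verdict") == "blocked":
            events.append((fields["rcpt"], fields["threat"]))
    return events

def attack_scores(events, mailboxes):
    """Weighted count of blocked threats per mailbox; untargeted boxes score 0."""
    scores = defaultdict(float, {m: 0.0 for m in mailboxes})
    for rcpt, threat in events:
        scores[rcpt] += THREAT_WEIGHTS.get(threat, 1.0)
    return dict(scores)

def very_attacked_people(scores, fraction=0.10):
    """The most-targeted `fraction` of all mailboxes, skipping any never attacked."""
    ranked = sorted((m for m in scores if scores[m] > 0), key=scores.get, reverse=True)
    return ranked[: max(1, round(len(scores) * fraction))]

def assign_controls(scores, vaps):
    """Adaptive controls: sandboxing, isolation and priority training only for VAPs."""
    return {m: (["sandbox_all_content", "isolate_browsing", "priority_training"]
                if m in vaps else ["standard_filtering"]) for m in scores}
```

With the constructed log, the accounts-payable and oncology-research mailboxes are the two VAPs out of twenty, and everyone else stays on standard filtering.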

Learn more about how Proofpoint can help protect your organization, and your people, against malicious attackers.
