We’re back for another episode of a CISO’s guide to red teaming. Last week, we looked at red teaming in the finance and insurance sector. Today, we’ll look at healthcare and pharmaceuticals.

Healthcare and pharma threat landscape

Organizations in healthcare and pharmaceuticals face a double-edged challenge: they hold extremely sensitive personal data and run life-critical systems, yet often operate with legacy technology and tight resource constraints.

Nation-state actors regularly target pharmaceutical companies and research institutions to steal intellectual property, including vaccine research, drug formulas, and clinical trial data (Chinese APT groups such as APT41 and APT10 have a history of espionage against pharma and biotech firms). Geopolitical competition (as seen during the race for a COVID-19 vaccine) drives such intrusions, as does the strategic value of medical advancements.

In healthcare delivery (hospitals and clinics), the prevalent threat comes from cybercriminal and ransomware gangs. Hospital networks with outdated IT and medical IoT devices have been devastated by ransomware attacks (e.g., the notorious Ryuk or Conti ransomware strains), which encrypted patient records and disrupted services. These attackers know that hospitals, under pressure to keep patients safe, are more likely to pay ransoms quickly. The impact is not just financial but potentially life-threatening, a fact that unfortunately gives criminals leverage.

Personal health information (PHI) is also highly valued on the black market; organized crime rings breach healthcare databases to steal patient records and sell them for identity theft or insurance fraud schemes. Insiders can be a threat too: there have been cases of employees or contractors snooping on high-profile patient records (e.g., celebrities) or tampering with data.

The overarching risk in healthcare is that a cyberattack can literally put lives at risk by impeding patient care, so the availability and integrity of systems are paramount. At the same time, privacy regulations like HIPAA impose heavy penalties for data breaches, adding compliance urgency to security efforts.

Red team objectives in healthcare delivery

Given these stakes, CISOs in healthcare and pharma design red team exercises to stress-test the resilience of critical healthcare operations and data protections. When it comes to healthcare providers, a red team might attempt to access medical devices or interfere with operations.

Medical device and OT exploitation

For instance, testing whether the red team can pivot from the IT network into the operational technology (OT) side (such as an MRI machine network or an IV pump management system) can reveal dangerous flat networks or default credentials in medical devices.

Patient portal and telehealth compromise

Compromising a cloud-based patient portal or IoT health device is another contemporary objective, coinciding with the rise of telehealth and remote monitoring. If a red team can break into a patient portal (perhaps via a web app vulnerability or by subverting authentication flows), it could attempt to view or manipulate patient records, data which, if altered or leaked, carries serious regulatory and safety consequences.

Red team objectives in pharmaceutical R&D

When it comes to a pharmaceutical company, a red team might emulate an APT by trying to exfiltrate drug research data from R&D labs or cloud storage. This tests the controls around sensitive data, including network egress monitoring, data loss prevention (DLP), and whether security teams notice unusually large transfers of data. It also highlights whether sensitive data is properly segmented and encrypted.
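The "does anyone notice unusually large transfers" question above is one a blue team can answer with a simple egress baseline. The script below is an added example written for this post, not code from the original article or from any vendor; it parses a few constructed proxy-style log lines (hypothetical `src=... dst=... bytes_out=...` format, fictitious hostnames), totals outbound bytes per source/destination pair, and flags pairs that exceed either an absolute cap or a multiple of the fleet-wide median. The median baseline is deliberate: one enormous transfer would drag a mean upward and hide itself, while the median stays anchored to normal traffic.

```python
"""Added example: flag unusually large outbound transfers in egress logs.

Log format is hypothetical (constructed for this example):
  <ISO timestamp> src=<host> dst=<domain> bytes_out=<n>
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample log lines (not real data): one lab workstation pushes far
# more data to an external file-sharing host than the rest of the fleet.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z src=lab-ws-01 dst=updates.example.com bytes_out=1200
2024-03-04T09:01:30Z src=lab-ws-02 dst=updates.example.com bytes_out=2048
2024-03-04T09:02:05Z src=lab-ws-03 dst=mail.example.com bytes_out=48000
2024-03-04T09:05:41Z src=lab-ws-07 dst=share.example.net bytes_out=734003200
2024-03-04T09:06:10Z src=lab-ws-07 dst=share.example.net bytes_out=801000000
2024-03-04T09:07:55Z src=lab-ws-04 dst=updates.example.com bytes_out=3100
2024-03-04T09:09:02Z src=lab-ws-05 dst=mail.example.com bytes_out=52000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the constructed format into event dicts; malformed lines are skipped
    rather than crashing the detector (log feeds are rarely clean)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "src": m["src"],
            "dst": m["dst"],
            "bytes": int(m["bytes"]),
        })
    return events


def egress_per_pair(events):
    """Total outbound bytes per (source host, destination) pair."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["src"], e["dst"])] += e["bytes"]
    return dict(totals)


def flag_large_egress(events, absolute_bytes=500_000_000, ratio=20.0):
    """Return (src, dst, total_bytes) tuples, largest first, for pairs whose
    total exceeds an absolute cap or `ratio` times the median pair volume."""
    totals = egress_per_pair(events)
    if not totals:
        return []
    # Median is robust: a single huge transfer cannot raise its own baseline.
    median = statistics.median(totals.values())
    flagged = [
        (src, dst, total)
        for (src, dst), total in totals.items()
        if total >= absolute_bytes or (median > 0 and total >= ratio * median)
    ]
    return sorted(flagged, key=lambda t: -t[2])


if __name__ == "__main__":
    for src, dst, total in flag_large_egress(parse_log(SAMPLE_LOG)):
        print(f"ALERT large egress {src} -> {dst}: {total / 1e6:.1f} MB")
```

In a real deployment the thresholds would be tuned per segment (an R&D file server legitimately moves more data than a nurse's workstation), and the alert would be enriched with DLP context such as whether the destination is a sanctioned storage provider. The point of the exercise is that a red team's bulk exfiltration should trip something like this within the engagement window.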

Closing the legacy-system gap

Ultimately, healthcare-focused red teaming is about ensuring that the myriad legacy systems, third-party tools, and life-critical devices are not providing unguarded pathways for attackers. Many hospitals have not had the luxury of establishing a ground-up security program; thus, a red team’s findings often feed directly into prioritizing fundamental controls (like expanding network segmentation, enforcing MFA on clinical systems, or patching high-severity vulnerabilities in medical software). Perhaps one of the most sobering outcomes a red team can demonstrate to a healthcare board is how quickly an undetected attacker could move from a phishing email to having domain-wide impact that threatens patient care. This is often a catalyst for budget approvals; seeing a timed exercise where, say, within 48 hours, a red team could effectively “ransom” a hospital motivates rapid investment in defenses.

For the final blog in this series, tune in next week for our spotlight on the manufacturing and industrial sectors.