Ransomware’s ability to cause widespread damage in an enterprise environment is a function of two variables: how much of the network the initial compromised account can reach, and how quickly lateral movement can occur before defences detect and contain the intrusion. Identity and access management controls directly govern the first variable — and in many healthcare ransomware incidents, IAM weaknesses are what converts a single compromised RMM credential into an organisation-wide encryption event.
The Gentelman ransomware group’s worm module performs automated lateral movement via SMB share enumeration, spreading to network-connected systems without requiring additional attacker interaction. This module’s effectiveness depends entirely on what the initially compromised identity is authorised to access.
Privileged Access Segmentation
The most consequential IAM control for ransomware resilience is separation of administrative identities from standard user identities.
In many healthcare IT environments, a single account is used for both administrative tasks (managing servers, configuring network devices) and normal operational tasks (accessing email, browsing the web, remote desktop sessions). When that account is compromised — via phishing, credential stuffing, or exploitation of an RMM tool — the attacker inherits full administrative capability.
Privileged Access Management (PAM) separates these roles: standard user accounts are used for normal operations, privileged accounts (which can authenticate to servers and network devices) are used only for specific administrative tasks and are subject to additional controls. The Gentelman worm module spreading via SMB cannot reach servers it is not authorised to access from the compromised account.
Implementation minimum:
- Dedicated privileged accounts for Windows Server administration, domain controller management, and RMM tool access
- Standard user accounts for email, clinical applications, and internet access — these should not have local administrator rights or SMB access to server shares
- Privileged accounts should not receive email or browse the internet
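As an added example (not code from the article or from any vendor mentioned in it), the PowerShell below audits the first two points of that minimum: it lists members of privileged groups that also carry a mailbox or that lack the Protected Users membership privileged accounts should have, and, run on a file server, the share-level grants that give every standard user SMB reach. It assumes the RSAT ActiveDirectory module and the SmbShare module; 'RMM-Admins' is a hypothetical group name standing in for whatever group holds your RMM console administrators.

```powershell
# Added example: privileged-account separation audit (not from the article).
# Assumes RSAT ActiveDirectory and read access to the domain.
# 'RMM-Admins' is a hypothetical group name; replace it with your own.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Server Operators', 'RMM-Admins')

function Get-PrivilegedAccountFindings {
    # Evaluate one AD user object against the separation minimum and emit one
    # finding object per violation. Accepts pipeline input, so it can also be
    # run over exported user objects without a live domain.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [string] $SourceGroup
    )
    process {
        $findings = @()

        # A populated mail attribute means the privileged identity is also a
        # mailbox: a phishing lure can land directly in an administrator's inbox.
        if ($User.mail) { $findings += 'receives email' }

        # Protected Users is one of the "additional controls" a privileged
        # account should carry (no NTLM, no credential caching, short TGT life).
        $inProtectedUsers = @($User.MemberOf) -like 'CN=Protected Users,*'
        if (-not $inProtectedUsers) { $findings += 'not in Protected Users' }

        foreach ($f in $findings) {
            [pscustomobject]@{
                Account   = $User.SamAccountName
                Group     = $SourceGroup
                LastLogon = $User.LastLogonDate
                Finding   = $f
            }
        }
    }
}

function Get-BroadShareGrants {
    # Run on each file server: list share-level Allow entries granted to groups
    # that include every standard user, which is how standard accounts (and
    # service accounts provisioned as plain Domain Users) end up with SMB reach.
    $broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', '*\Domain Users')
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            $entry   = $_
            $isBroad = $broadPrincipals | Where-Object { $entry.AccountName -like $_ }
            if ($isBroad -and $entry.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $entry.AccountName
                    Right     = $entry.AccessRight
                }
            }
        }
    }
}

# Enumerate each privileged group recursively and evaluate every user member.
$report = foreach ($group in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties mail, MemberOf, LastLogonDate |
            Get-PrivilegedAccountFindings -SourceGroup $group
    } catch {
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
    }
}
$report | Sort-Object Account | Format-Table -AutoSize

# On a file server, list the grants that hand SMB access to all standard users.
Get-BroadShareGrants | Format-Table -AutoSize
```

Each row of the first report is an account that needs either a separate standard identity (for the mailbox) or the extra hardening the article describes; each row of the second is a share ACL to replace with an application- or team-specific group before the worm module can use it.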
MFA on All Administrative and RMM Access
The Gentelman initial access vector (ConnectWise ScreenConnect exploitation via CVE-2024-1708) bypasses authentication entirely in unpatched instances. But for RMM tools that are patched, credential theft via phishing or password spray remains an access path.
Multi-factor authentication on all RMM tool access — and all privileged account authentication — significantly raises the cost of credential-based initial access. For healthcare organisations that rely on managed service providers with RMM access, verifying that the MSP enforces MFA on all personnel who access healthcare client environments is a direct control on the supply chain access path.
MFA enforcement checklist for healthcare IAM:
- All RMM tool console access (ConnectWise, TeamViewer, AnyDesk, N-able, Kaseya) requires MFA
- All Windows domain administrative account authentication requires MFA (via Entra ID Conditional Access, or RADIUS MFA for on-premises AD)
- All clinical application administrative access requires MFA
- MSP access to healthcare networks requires MFA — verified contractually and technically
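The second checklist item can be verified rather than assumed. The following is an added example (not the article's code and not from Microsoft) that uses the Microsoft.Graph PowerShell SDK to check whether each chosen Entra ID directory role is covered by an enabled Conditional Access policy that requires MFA for all cloud apps, and creates a report-only policy for any role that is not. It assumes an account permitted to read and write Conditional Access policy; the role names listed are this example's choice, not a statement of which roles your tenant uses.

```powershell
# Added example: Conditional Access MFA coverage check for directory roles.
# Not from the article. Assumes the Microsoft.Graph SDK and suitable permissions.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All'

# Roles this example chooses to cover; extend to match your tenant.
$RoleNames = @('Global Administrator', 'Privileged Role Administrator', 'Security Administrator')

function Get-RoleTemplateIds {
    # Resolve role display names to the template IDs Conditional Access uses.
    param([string[]] $DisplayNames)
    Get-MgDirectoryRoleTemplate |
        Where-Object { $DisplayNames -contains $_.DisplayName } |
        Select-Object Id, DisplayName
}

function Test-RoleMfaCoverage {
    # Report which roles no enabled policy forces MFA for. A policy counts only
    # if it is enabled (report-only does not count), requires the 'mfa' built-in
    # control, applies to all cloud apps, and includes the role (or all users).
    param($Roles, $Policies)
    foreach ($role in $Roles) {
        $covering = $Policies | Where-Object {
            $_.State -eq 'enabled' -and
            $_.GrantControls.BuiltInControls -contains 'mfa' -and
            $_.Conditions.Applications.IncludeApplications -contains 'All' -and
            ($_.Conditions.Users.IncludeRoles -contains $role.Id -or
             $_.Conditions.Users.IncludeUsers -contains 'All')
        }
        [pscustomobject]@{
            Role      = $role.DisplayName
            Covered   = [bool]$covering
            CoveredBy = ($covering.DisplayName -join ', ')
        }
    }
}

function New-RoleMfaPolicy {
    # Create the policy in report-only state; switch it to 'enabled' only after
    # reviewing sign-in logs for the impact on administrators and MSP staff.
    param($Roles)
    $body = @{
        displayName   = 'Require MFA for privileged directory roles'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeRoles = @($Roles.Id) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$roles    = Get-RoleTemplateIds -DisplayNames $RoleNames
$policies = Get-MgIdentityConditionalAccessPolicy -All
$coverage = Test-RoleMfaCoverage -Roles $roles -Policies $policies
$coverage | Format-Table -AutoSize

$uncovered = $coverage | Where-Object { -not $_.Covered }
if ($uncovered) {
    New-RoleMfaPolicy -Roles ($roles | Where-Object { $uncovered.Role -contains $_.DisplayName })
}
```

The coverage test deliberately ignores report-only policies and policies scoped to a subset of apps, because a gap in either is exactly what a password-spray against an RMM console or an admin portal would exploit. The on-premises half of the checklist item (RADIUS MFA for AD) is product-specific and is not covered by this example.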
Service Account Restrictions
The Gentelman worm module spreads via SMB. Service accounts — accounts used by applications and services to authenticate to resources — frequently have SMB access to multiple server shares because they were provisioned with broad access for operational convenience.
A service account used by a scheduling application to write appointment data to a file share should not also have access to the backup repository, the clinical image archive, and the financial system file share. But in many healthcare IT environments, service accounts are provisioned with Domain Users group membership and inherit broad SMB access from permissive default share permissions.
Service account hardening:
- Enumerate all service accounts in Active Directory and map their current resource access (use BloodHound CE or PowerView’s Get-DomainObjectAcl)
- Remove service account permissions from all shares and resources not required by the specific application
- Apply Group Policy restrictions: service accounts should not be permitted to interactively log on, should be restricted to specific source IP addresses where feasible, and should use managed service accounts (gMSA) rather than password-based accounts where supported
- Monitor service account authentication for anomalies: a scheduling application service account authenticating to the HR document share at 3am is a behavioural anomaly worth an alert
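The last point is a detection rule, and the anomaly it describes (a known account touching a share, source, or hour it has never touched before) can be expressed directly. The PowerShell below is an added example, not code from the article: it learns a per-account baseline of shares, source addresses and hours of day from an observation window, then flags later share-access events that fall outside it. The event records are constructed for the example and the account and share names are hypothetical; the helper at the end shows how to build the same records from Security event 5140 on a real file server.

```powershell
# Added example: service-account share-access anomaly detection (not from the article).
# The records below are constructed; account and share names are hypothetical.
$sample = @(
    @('2024-06-03T09:12:00', 'svc_scheduling', '\\*\Appointments', '10.10.5.21'),
    @('2024-06-03T14:40:00', 'svc_scheduling', '\\*\Appointments', '10.10.5.21'),
    @('2024-06-04T08:55:00', 'svc_scheduling', '\\*\Appointments', '10.10.5.21'),
    @('2024-06-05T11:03:00', 'svc_scheduling', '\\*\Appointments', '10.10.5.21'),
    @('2024-06-04T23:30:00', 'svc_backup',     '\\*\Backups',      '10.10.9.4'),
    @('2024-06-05T23:31:00', 'svc_backup',     '\\*\Backups',      '10.10.9.4'),
    # Events after the baseline window:
    @('2024-06-10T09:40:00', 'svc_scheduling', '\\*\Appointments', '10.10.5.21'),  # normal
    @('2024-06-11T03:04:00', 'svc_scheduling', '\\*\HR-Documents', '10.10.5.21'),  # new share, 3am
    @('2024-06-11T03:05:00', 'svc_scheduling', '\\*\Backups',      '10.10.7.88'),  # new share, new source
    @('2024-06-11T23:30:00', 'svc_backup',     '\\*\Backups',      '10.10.9.4')    # normal
) | ForEach-Object {
    [pscustomobject]@{ Time = [datetime]$_[0]; Account = $_[1]; Share = $_[2]; Source = $_[3] }
}

function Get-ServiceAccountAnomalies {
    # Learn, per account, the set of shares, source addresses and hours seen up
    # to $BaselineEnd, then report every later event that breaks any of them.
    param([object[]] $Events, [datetime] $BaselineEnd)

    $baseline = @{}
    foreach ($e in ($Events | Where-Object { $_.Time -le $BaselineEnd })) {
        if (-not $baseline.ContainsKey($e.Account)) {
            $baseline[$e.Account] = @{ Shares = @{}; Sources = @{}; Hours = @{} }
        }
        $baseline[$e.Account].Shares[$e.Share]    = $true
        $baseline[$e.Account].Sources[$e.Source]  = $true
        $baseline[$e.Account].Hours[$e.Time.Hour] = $true
    }

    foreach ($e in ($Events | Where-Object { $_.Time -gt $BaselineEnd })) {
        $known   = $baseline[$e.Account]
        $reasons = @()
        if (-not $known) {
            $reasons += 'account has no baseline'
        } else {
            if (-not $known.Shares.ContainsKey($e.Share))    { $reasons += "share $($e.Share) never used before" }
            if (-not $known.Sources.ContainsKey($e.Source))  { $reasons += "source $($e.Source) never seen before" }
            if (-not $known.Hours.ContainsKey($e.Time.Hour)) { $reasons += "hour $($e.Time.Hour):00 outside baseline" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time = $e.Time; Account = $e.Account; Share = $e.Share
                Source = $e.Source; Reason = ($reasons -join '; ')
            }
        }
    }
}

function Get-ShareAccessEvents {
    # Run on the file server: turn Security event 5140 (network share object
    # accessed) into the same record shape as $sample. Fields are read by name
    # from the event XML so the code does not depend on property ordering.
    param([datetime] $Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $Since } |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $data['SubjectUserName']
                Share   = $data['ShareName']
                Source  = $data['IpAddress']
            }
        }
}

# Baseline on the first week, evaluate the second: the two 3am events are reported,
# the 09:40 Appointments access and the 23:30 backup run are not.
Get-ServiceAccountAnomalies -Events $sample -BaselineEnd '2024-06-09' | Format-Table -AutoSize
```

Against real data, replace `$sample` with `Get-ShareAccessEvents -Since (Get-Date).AddDays(-14)` and feed only service-account records into the function; the baseline window should be long enough to include every scheduled job the account runs, or a legitimate monthly task will surface as a new-hour anomaly. Share-access auditing (event 5140) has to be enabled on the file server for the helper to return anything.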
Just-in-Time Access for Healthcare IT Administration
For healthcare IT environments that have implemented or are implementing PAM platforms (CyberArk, BeyondTrust, Delinea), just-in-time (JIT) privileged access controls are the most effective tool for limiting ransomware blast radius:
- Privileged credentials are checked out per session and expire after a defined period
- No standing privileged access means compromised credentials cannot be used for silent lateral movement — every privileged access event generates an alert
- Session recording provides forensic capability for post-incident investigation
JIT access does not prevent ransomware from initially executing on the compromised workstation. It prevents the escalation from single-workstation compromise to domain-wide encryption event.
The Containment Value of IAM
Healthcare ransomware incidents that are contained to a single system or small number of systems are a different category of event from those that produce organisation-wide encryption. The difference is almost always IAM. A single compromised clinical workstation where the user account has standard user rights, where administrative accounts are separate and protected by MFA, and where service accounts have minimal required access is a contained incident. The same initial compromise in an environment with shared admin accounts, no MFA on RMM tools, and service accounts with Domain Admin rights is a disaster.
IAM investment in healthcare does not prevent the initial compromise. It determines whether the initial compromise becomes the disaster.