When the next healthcare ransomware surge is reported (and it will be reported, because it happens with cyclical regularity), the coverage will include the same elements it always does: the victim names, the ransom amounts, the disruption to patient services, the advice to patch RMM tools and segment networks. Advisories will be published. Security teams will be reminded to update ConnectWise ScreenConnect, or whatever the current favoured initial access vector is. And approximately six months later, the cycle will repeat.
This is not a criticism of the coverage. The diagnosis is correct. The problem is structural, and structures are not fixed by repeating the diagnosis more loudly.
The Economics Are Broken
Healthcare organisations are attractive ransomware targets for the same reason they always have been: the cost-benefit calculation for attackers is exceptionally favourable. Healthcare providers face immediate patient safety and regulatory consequences if clinical systems are unavailable. The pressure to restore access quickly, measured in hours rather than days, is more acute than in almost any other sector. Ransomware operators know this, and they price their demands accordingly.
The counterforce to this, robust security investment that raises the cost of attack to unprofitable levels, requires sustained capital allocation to security infrastructure, patching, and personnel. Healthcare organisations are structurally constrained in making this investment. Margins are thin. Capital expenditure competes with clinical equipment. Information technology is categorised as overhead. Security is a subset of IT.
The economics that make healthcare an attractive target cannot be changed by any individual healthcare organisation acting alone. They can be partially addressed by sector-specific regulatory requirements that mandate minimum security standards, but the regulatory environment for healthcare cybersecurity has been evolving slowly relative to the threat trajectory.
The RMM Problem Is Structural Too
The Gentelman group, like several ransomware operators before it, uses remote monitoring and management tools as its preferred initial access vector. ConnectWise ScreenConnect CVE-2024-1708, a path traversal vulnerability patched in February 2024, is reportedly being exploited in the current campaign, more than two years after the patch was published.
This is not an anomaly. The RMM tool attack surface is structurally difficult for healthcare organisations to manage:
Healthcare IT environments deploy RMM tools across clinical and administrative systems because they need to. Distributed hospital systems, remote clinics, and telehealth infrastructure require remote management. Multiple managed service providers often have RMM access to different segments of the same healthcare network. Each MSP has its own patch management cadence and security posture.
The result is that a healthcare organisation's actual internet attack surface includes not just the RMM tools it directly manages, but every RMM tool deployed by every MSP with access to the environment. A healthcare provider that has updated all its own RMM installations is still exposed if an MSP with access to its systems has not.
Fixing this requires either direct contractual oversight of MSP security posture (which exists in some relationships but not consistently) or regulatory requirements that mandate MSP security standards for healthcare-adjacent managed service providers. Neither is moving at the speed the threat requires.
What Would Actually Help
Sector-wide minimum security requirements for healthcare IT (not suggested frameworks, but mandatory baselines) would raise the floor. HHS guidance and HIPAA Security Rule requirements have produced some baseline standardisation, but the specificity required to address the RMM attack surface, the kernel patch cadence, and the backup isolation requirements that would contain ransomware impact is not present in current regulatory frameworks.
This is not unique to healthcare. Critical infrastructure sectors broadly face the same structural tension between operational requirements, capital constraints, and security investment. Healthcare is simply the most visible example because the consequences of a ransomware outage in a hospital are human safety consequences, not just financial ones.
The Gentelman surge this week is not a new problem. It is the current expression of a problem that has existed for years and that will continue to express itself until the structural conditions change. The immediate response (patch CVE-2024-1708, isolate backups, review RMM exposure) is correct and necessary. It is also insufficient as a long-term answer to a long-term structural problem.