Back to Intelligence

How to Defend Against Risks from the Healthcare Cybersecurity Skills Gap

SA
Security Arsenal Team
April 1, 2026
5 min read

The recent collaboration between HIMSS and educators highlights a critical reality in healthcare: the cybersecurity workforce is struggling to keep pace with evolving threats. While the initiative focuses on helping educators stay current with industry trends, defensive security teams must recognize the immediate risk posed by the skills gap. In healthcare, where patient safety and data privacy are paramount, an under-trained workforce acts as a significant vulnerability. Defenders must compensate for this human factor by implementing technical controls that detect the mistakes and exploitation attempts that inevitably occur when staff lack specialized security training.

Executive Takeaways

  • The Human Perimeter: As reported by Healthcare IT News, industry collaboration is vital for workforce development. However, current staff may lack awareness of modern attack vectors, increasing the organization's attack surface.
  • Automation as a Force Multiplier: With a shortage of skilled analysts, security operations must rely on automated detection rules (SIGMA) and orchestration to catch threats that manual analysis might miss.
  • Continuous Verification: Defensive strategies must move beyond annual compliance training to real-time behavioral monitoring and technical enforcement of least privilege.

Technical Analysis: The "Human Vulnerability" Class

While this news item focuses on policy, the underlying technical risk is the "Human Vulnerability." In a healthcare environment, this manifests as susceptibility to social engineering, phishing, and credential harvesting. Attackers target healthcare organizations specifically because they know the workforce is focused on patient care, often bypassing security alerts to maintain operational efficiency.

  • Affected Systems: Electronic Health Records (EHR), email gateways, remote access solutions (VPN/RDP), and endpoint workstations.
  • Threat Class: Initial Access (Social Engineering), Credential Access, and Execution.
  • Severity: High. Human error is the primary entry point for ransomware in healthcare.
  • Remediation Strategy: Technical patching is not applicable; the "fix" is defensive monitoring, robust multi-factor authentication (MFA), and automated enforcement of security policies.

Defensive Monitoring

To protect against the risks associated with an under-trained workforce, security teams should deploy detection rules that identify common exploitation techniques used against untrained users, such as phishing-driven PowerShell execution or credential theft attempts.

SIGMA Rules

YAML
---
title: Potential Phishing Payload Execution via PowerShell
id: 4e8f3a21-1b4c-4f2d-9a1e-3c7f6b5d8a9e
status: experimental
description: Detects execution of PowerShell scripts often used in phishing campaigns, such as those downloading files from the internet or encoding commands to avoid detection.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2024/05/21
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - 'FromBase64String'
      - 'Invoke-Expression'
  filter:
    CommandLine|contains: 'SignedScripts'
condition: selection and not filter
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: Suspicious Multiple Failed Logon Attempts
id: 7a2d8e4f-9c1b-4532-8b7a-1d4e5f6a7b8c
status: experimental
description: Detects multiple failed logon attempts from a single source, which may indicate a brute-force attack or password spraying targeting users with weak password hygiene.
references:
  - https://attack.mitre.org/techniques/T1110/
author: Security Arsenal
date: 2024/05/21
tags:
  - attack.credential_access
  - attack.t1110.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'net use'
      - 'psexec'
      - 'wmic'
      - 'tasklist'
  condition: selection
falsepositives:
  - Administrative troubleshooting
level: medium

KQL (Microsoft Sentinel/Defender)

KQL — Microsoft Sentinel / Defender
// Identify potential credential stuffing or password spraying attempts
SigninLogs
| where ResultType == "50126" // Invalid username or password
| summarize FailedLogons = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 5m)
| where FailedLogons > 5
| project UserPrincipalName, IPAddress, FailedLogons, TimeGenerated
| extend Timestamp = TimeGenerated

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious browser history patterns indicative of phishing sites
-- This helps identify users who may have clicked malicious links
SELECT * FROM foreach(
  row={
    SELECT User, Sid FROM artifact_info()
  },
  query={
    SELECT * FROM foreach(
      row={
        SELECT FullPath FROM glob(globs=urlencoding.expand(path='%%AppData%%/Google/Chrome/User Data/*/History'))
      },
      query={
        SELECT
          url.url AS URL,
          url.title AS Title,
          url.visit_time AS LastVisited,
          url.typed_count AS TypedCount
        FROM sqlite(file=FullPath, query="SELECT url, title, last_visit_time, typed_count FROM urls")
        WHERE URL =~ "(login|signin|account|verify|update|secure)" 
          AND Title =~ "(Microsoft 365|Office 365|Google Workspace|Epic|Cerner)"
          AND URL !~ "(microsoft.com|google.com|epic.com|cerner.com)"
      }
    )
  }
)

Remediation Scripts (PowerShell)

PowerShell
# Audit Local Admin Group Members to detect potential unauthorized privilege escalation
# Often, untrained staff share local admin credentials to bypass application issues.
$computers = Get-Content -Path "C:\temp\server_list.txt"
foreach ($computer in $computers) {
    try {
        $groupMembers = Get-LocalGroupMember -Group "Administrators" -ComputerName $computer -ErrorAction Stop
        Write-Output "Checking $computer"
        foreach ($member in $groupMembers) {
            # Flag accounts that look like standard users, not service accounts
            if ($member.SID.Value -notmatch "^S-1-5-21-.*-500" -and $member.SID.Value -notmatch "^S-1-5-21-.*-512") {
                Write-Warning "Potential unauthorized admin found: $($member.Name) on $computer"
            }
        }
    } catch {
        Write-Error "Failed to connect to $computer"
    }
}

Remediation and Strategic Defense

To mitigate the risks highlighted by the cybersecurity skills gap, healthcare organizations should take the following specific steps:

  1. Implement Technical Phishing Controls: Deploy DMARC, SPF, and DKIM strictly to block email spoofing. Use Safe Links and Safe Attachments in Microsoft 365 to detonate files before they reach untrained users.
  2. Enforce MFA Everywhere: Ensure that phishing-resistant MFA (FIDO2) is enforced for all remote access (VPN/VDI) and critical applications (EHR portals). This compensates for users who might unknowingly reveal passwords.
  3. Application Allowlisting: Transition from antivirus-only endpoints to application allowlisting. This prevents untrained users from executing unauthorized installers or malware payloads, even if they have admin rights locally.
  4. Partner for Managed Detection: As HIMSS suggests, collaboration is key. If building an internal team is difficult due to the talent shortage, partner with an MSSP (like Security Arsenal) to provide 24/7 monitoring and incident response capabilities.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcarehipaaransomwareworkforce-developmentphishingsecurity-trainingcredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action