In a hospital or healthcare organization, everything now depends on the information system: patient records, admissions, pharmacy, imaging, payroll, team coordination, and so on.
When ransomware encrypts servers, or a single workstation serves as an attacker's entry point, continuity of care is at stake.
That is why protecting workstations (PCs, clinical workstations, laptops) and the infrastructure behind them (servers, network, storage) has become a strategic issue, not just an IT one.
Why workstations and infrastructure are at the heart of the risk
Most recent attacks on the healthcare sector follow the same pattern:
- a user workstation is compromised (phishing email, malicious website, USB drive);
- the attacker harvests credentials from it, moves laterally, and reaches the directory and the servers;
- they encrypt or exfiltrate data, shut down critical applications, and paralyze the hospital.
In other words:
- the workstation is the entry point,
- the infrastructure is the ultimate target.
Strengthening these two levels significantly reduces the risk of massive disruption.
Best practices for securing workstations
The idea here is to build a simple, consistent, and controllable foundation for workstations.
Consistent and controlled workstations
We define a few workstation profiles (caregiver, administrative, management, etc.) based on common images with the same basic settings.
We take this opportunity to remove unnecessary software that increases the attack surface and complicates management.
The more similar the workstations are, the easier it is to manage, correct, and monitor them.
Limited rights to limit damage
Users remain on standard accounts, without administrative rights on their workstations.
Technical teams use separate admin accounts only when necessary.
This means that if a user account is stolen, the attacker cannot turn it into full control of the workstation in a few clicks: they first have to escalate privileges, which takes time and leaves traces.
Protect and detect on every workstation
Each workstation has centrally managed anti-malware software.
Where possible, a more advanced component (such as EDR/XDR) is added to monitor machine behavior and raise alerts in the event of suspicious activity (massive encryption, unusual execution, etc.).
In practice, this acts as an “alarm system” for each workstation.
Keep workstations up to date
We implement a regular update process for the system and key software:
- rapid testing on a small scale,
- then deployment across the rest of the network.
This is barely visible to users, but it is one of the most effective ways to close holes that attackers already know about.
Protect laptops and data
All laptops should use full-disk encryption, with recovery keys escrowed centrally so that a forgotten password does not turn into data loss.
In the event of loss or theft, this prevents a third party from reading patient data directly off the disk.
Train and coach users
Finally, the technical foundation is not enough without the right human reflexes.
We plan to provide short, job-specific awareness training (for caregivers, secretaries, managers, etc.) and simulated phishing emails to reinforce the right responses: don’t click, alert someone, forward to support.
Together, these measures form a workstation baseline that is both realistic for the field and robust against the most common attacks.
Best practices for securing infrastructure (servers, network, etc.)
On the “machines” side, the objective is twofold: to make compromise more difficult and to limit propagation if something goes wrong.
Controlled directory (Active Directory)
- Separate administration accounts from “everyday” accounts.
- Limit the number of people with very high privileges.
- Monitor sensitive operations (adding to admin groups, changing policies, etc.).
Once the directory is compromised, everything else is within the attacker's reach, so it deserves special attention.
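The third bullet above, monitoring additions to admin groups, is the kind of rule a central log platform (the one described under "Monitoring and response" below) should run continuously. The following is an added example written for this page, not Phishia's tooling or a product feature: it reads Windows security events exported by a log collector, keeps only group-membership additions (event IDs 4728, 4732 and 4756), and raises an alert when the target group is privileged, with the severity depending on who made the change and when. The JSON export format, the group list, the "adm-" naming convention for admin accounts and the 08:00-18:00 UTC change window are assumptions for the example; the sample log lines are constructed.

```python
"""Added example (not Phishia's tooling): flag additions to privileged
directory groups in centrally collected Windows security events.

Assumptions, not from the page: the collector exports one JSON object per
line with the fields below; the privileged-group list, the approved admin
accounts and the weekday 08:00-18:00 UTC change window are local choices."""
import json
from datetime import datetime

# Windows event IDs for "a member was added to a group":
# 4728 security-enabled global, 4732 local, 4756 universal.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators"}

# Assumed naming convention: dedicated admin accounts carry an "adm-" prefix.
APPROVED_ADMINS = {"adm-dupont", "adm-martin"}

# Constructed sample export: one routine change, two suspicious ones,
# one change to a non-privileged group and one unrelated logon event.
SAMPLE_LOG = """
{"time": "2024-03-12T09:14:03Z", "host": "DC01", "event_id": 4728, "subject": "adm-dupont", "member": "svc-backup", "group": "Backup Operators"}
{"time": "2024-03-12T23:41:55Z", "host": "DC01", "event_id": 4728, "subject": "secretary12", "member": "secretary12", "group": "Domain Admins"}
{"time": "2024-03-12T10:02:17Z", "host": "SRV-FILES", "event_id": 4732, "subject": "adm-martin", "member": "imaging-tech", "group": "Remote Desktop Users"}
{"time": "2024-03-13T02:05:40Z", "host": "DC02", "event_id": 4756, "subject": "adm-martin", "member": "tmp-user", "group": "Enterprise Admins"}
{"time": "2024-03-13T08:30:00Z", "host": "WS-042", "event_id": 4624, "subject": "nurse07", "member": "", "group": ""}
"""


def parse_events(text):
    """One dict per non-empty line; lines the collector mangled are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def off_hours(timestamp):
    """True outside the assumed change window (weekdays 08:00-18:00 UTC)."""
    t = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return t.weekday() >= 5 or not 8 <= t.hour < 18


def analyze(text):
    """Return one alert per addition to a privileged group.
    Severity: critical (unapproved actor or self-elevation) > high (approved
    actor, but outside the change window) > medium (routine, still ticketed)."""
    alerts = []
    for ev in parse_events(text):
        if ev.get("event_id") not in GROUP_ADD_EVENTS:
            continue
        if ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        reasons = ["member added to a privileged group"]
        severity = "medium"
        if ev.get("subject") not in APPROVED_ADMINS:
            reasons.append("actor is not an approved admin account")
            severity = "critical"
        elif off_hours(ev["time"]):
            reasons.append("change made outside the change window")
            severity = "high"
        if ev.get("subject") == ev.get("member"):
            reasons.append("actor added itself to the group")
            severity = "critical"
        alerts.append({"severity": severity, "time": ev["time"], "host": ev["host"],
                       "actor": ev["subject"], "member": ev["member"],
                       "group": ev["group"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] {a['time']} {a['host']}: {a['actor']} "
              f"added {a['member']} to {a['group']} ({'; '.join(a['reasons'])})")
```

Run against the constructed sample, the script produces three alerts: a medium one for the daytime change by adm-dupont, a critical one for secretary12 adding herself to Domain Admins, and a high one for adm-martin's change at 02:05. The Remote Desktop Users change and the logon event are ignored. In production the same rule should also fire on event 4720 (account created) followed by a privileged-group addition within minutes, which is a common pattern after a directory compromise.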
Segmented network
- Separate networks: users, servers, biomedical equipment, guests, etc.
- Instead of connecting everything to everything, only allow necessary traffic.
The idea: if one workstation is infected, it should not be able to reach all critical servers in a matter of seconds.
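"Only allow necessary traffic" means a default-deny policy between zones, with each permitted flow written down explicitly. The ruleset below is an added illustration for this page, not a configuration taken from Phishia or from any hospital: it uses nftables on a Linux router between VLANs, and the interface names, subnets, host addresses and port lists are assumed for the example. The weak setting it replaces is a forward chain with policy accept (or a flat network), where an infected workstation can reach every server and every biomedical device immediately.

```nftables
# Added example: default-deny segmentation between hospital zones.
# Interface names, addresses and ports are assumed for illustration.
#
# Weak setting this replaces:
#   chain forward { type filter hook forward priority 0; policy accept; }
# i.e. every zone can talk to every other zone on every port.

table inet hospital_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already allowed below; nothing new starts here.
        ct state established,related accept
        ct state invalid drop

        # Users (vlan10) -> application servers (vlan20): only the EHR web front end
        # and the directory/DNS services a domain-joined workstation genuinely needs.
        iifname "vlan10" oifname "vlan20" ip daddr 10.20.0.10 tcp dport { 443, 8443 } accept
        iifname "vlan10" oifname "vlan20" ip daddr 10.20.0.5 tcp dport { 88, 389, 445, 636 } accept
        iifname "vlan10" oifname "vlan20" ip daddr 10.20.0.5 udp dport { 53, 88, 123 } accept

        # Biomedical equipment (vlan30) -> PACS only, DICOM ports only.
        # Devices never reach user workstations, and nothing reaches them except admin below.
        iifname "vlan30" oifname "vlan20" ip daddr 10.20.0.50 tcp dport { 104, 11112 } accept

        # A single admin jump host (vlan50) is the only source allowed to manage
        # servers and devices; ordinary user workstations cannot open RDP/SSH/WinRM.
        iifname "vlan50" ip saddr 10.50.0.10 oifname { "vlan20", "vlan30" } tcp dport { 22, 3389, 5985 } accept

        # Guests (vlan40): internet only, never an internal zone.
        iifname "vlan40" oifname "wan0" accept

        # Everything else is logged (rate-limited) and then dropped by the chain policy.
        limit rate 10/second log prefix "seg-drop: " counter
    }
}
```

The "seg-drop:" log lines are worth shipping to the central log platform: a workstation in vlan10 suddenly trying SMB (445) to other workstations or RDP to servers is exactly the lateral movement the attack pattern above describes, and the drop rule turns it into an alert rather than a successful hop.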
Hardened and monitored servers
- Apply consistent security settings to all servers (unnecessary services disabled, logs enabled, filtered access).
- Keep systems and technical components up to date.
- Centralize logs to identify abnormal activity.
Reliable and isolated backups
- Regularly tested backups (verify that you can actually restore them).
- Keep some backups isolated from the network (offline or immutable copies) so that ransomware cannot encrypt them too.
- Clear prioritization: which systems to restore first in order to restart clinical activity.
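"Verify that you can actually restore them" is only meaningful if the restore is compared against a known-good reference. The script below is an added example for this page, not Phishia's tooling: it records a SHA-256 manifest when the backup is made, restores the archive into a scratch directory, and reports anything missing or altered. It then checks a deliberately damaged copy to show the test failing as it should. The tar.gz format, the file names and contents are constructed for the example; the point that matters is that the manifest must be kept apart from the archive (ideally with the offline copy), because a manifest encrypted alongside its archive proves nothing.

```python
"""Added example (not Phishia's tooling): prove a backup can actually be
restored by extracting it into a scratch directory and checking every file
against a manifest of SHA-256 hashes taken when the backup was made.

Assumptions, not from the page: backups are tar.gz archives; the manifest
is stored apart from the archive, e.g. with the offline copy."""
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(source_dir, archive_path):
    """Archive source_dir and return the manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, scratch_dir):
    """Restore into scratch_dir and check every manifest entry.
    'ok' is True only when nothing is missing or altered."""
    with tarfile.open(archive_path, "r:gz") as tar:
        # The "data" filter (Python 3.12+, backported to older patch releases)
        # refuses path traversal and device files from a tampered archive.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(scratch_dir, filter="data")
        else:
            tar.extractall(scratch_dir)
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        restored = os.path.join(scratch_dir, rel)
        if not os.path.isfile(restored):
            missing.append(rel)
        elif sha256_of(restored) != expected:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt,
            "checked": len(manifest), "missing": missing, "corrupt": corrupt}


def demo():
    """Constructed data: a tiny 'hospital' tree is backed up and restored
    cleanly, then a damaged copy (one file gone, one overwritten) is checked
    against the original manifest to show the test failing as it should."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "pharmacy"))
        sample = {"patients.db": b"patient records " * 64,
                  "admissions.log": b"2024-03-12 admit bed 14\n" * 8,
                  "pharmacy/stock.csv": b"drug,qty\nparacetamol,120\n"}
        for rel, data in sample.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)

        archive = os.path.join(work, "nightly.tar.gz")
        manifest = build_backup(src, archive)
        good = verify_restore(archive, manifest, os.path.join(work, "restore-good"))

        # Failure mode: the copy we restore from is incomplete and one file was
        # overwritten, which is what a half-finished or ransomware-touched backup looks like.
        os.remove(os.path.join(src, "pharmacy", "stock.csv"))
        with open(os.path.join(src, "patients.db"), "wb") as f:
            f.write(b"\x00" * 32)
        damaged = os.path.join(work, "damaged.tar.gz")
        build_backup(src, damaged)  # its own manifest is ignored; we check against the original
        bad = verify_restore(damaged, manifest, os.path.join(work, "restore-bad"))
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean copy:", good)
    print("damaged copy:", bad)
```

Run on a schedule against the isolated copy, this turns "we have backups" into "we restored 100% of the manifest on this date"; a restore that comes back with anything in missing or corrupt is an incident to open before it is needed for real, and the same run gives the time-to-restore figure that the restoration priority list below depends on.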
Monitoring and response
- Gather logs from workstations, servers, firewalls, etc. in one place.
- Use a monitoring center (internal or external) to analyze alerts.
- Document response procedures: isolate a workstation, cut off a network segment, switch to degraded mode, inform the authorities.
How Phishia provides concrete assistance to hospitals and associations
Phishia acts as a field partner to transform these principles into operational reality:
- Targeted diagnosis: mapping of critical workstations, servers, and data flows, analysis of the most significant weaknesses.
- Definition of a realistic foundation: workstation profiles, adjustment of rights, update policy, simple but effective network segmentation.
- Implementation support: support for internal teams and your service providers to deploy measures without disrupting care.
- Awareness and exercises: email attack simulation campaigns, crisis management exercises, updating the BCP/DRP to incorporate these protections.
The goal is not to sell you yet another layer of technology, but to build consistent and actionable protection with your resources.
How about we talk about your workstations and your infrastructure?
Do you manage a hospital, healthcare group, or association, and feel that your workstations or infrastructure are vulnerable?
Let’s discuss it: in just a few exchanges, we can identify your priorities and build a tailored action plan.