Live from HIMSS25: Understanding the Ransomware Attack Chain
The annual HIMSS (Healthcare Information and Management Systems Society) 2025 conference kicked off with pre-conference forums on March 3 in Las Vegas, Nevada. With many forums to choose from, about 400 attendees sat down over coffee and pastries to listen to the cybersecurity forum.
Cybersecurity has been a much-discussed topic, especially considering several major breaches within health systems this past year. Organizations are actively thinking about how to protect themselves from attackers.
In a technical talk entitled "Adversarial Mindset: Breaking the Ransomware Attack Chain," Erik Decker, VP and CISO of Intermountain Health, discussed how these attacks are really occurring. Shawn Anderson, cybersecurity director with Intermountain Health, joined Decker in the discussion.
Decker mentioned that the pathways attackers use to get in are no surprise. These include social engineering, third-party compromises, and system vulnerability compromises. The majority of intrusions happen through logging in with compromised login information. “Vulnerabilities exposed to 10 billion people should be fixed at 72 hours max,” Decker cautioned.
“If you want to cause damage, you need to get to the control systems,” Decker continued. That means Active Directory, which is how attackers get to the privileges. “They're getting to those super user rights, privilege access rights that your IT people have. Then, they log in and grab all the data. Then they push all the malware. That is the playbook every time.”
Anderson reinforced the importance of keeping up with patching and continuing to test the systems.