The INC ransomware group has sustained a damaging run against healthcare targets not through technical sophistication but through deliberate sector selection and disciplined execution of well-understood attack techniques. A Dark Reading analysis published June 17 describes a threat actor that has identified healthcare as a high-pressure environment where service disruption translates directly into willingness to pay, then systematically exploited that pressure.

Why healthcare is the preferred target

INC's operators appear to have made a calculated assessment: healthcare organizations cannot absorb extended downtime the way other sectors might. Clinical workflows, patient scheduling, pharmacy dispensing, and billing systems are deeply interdependent, and even partial disruption to one layer creates cascading problems that administrators feel within hours, not days.

That urgency shortens the negotiation window for victims and increases the probability of payment. Ransomware groups have increasingly recognized that targeting sectors with low tolerance for outages — hospitals, specialty clinics, long-term care facilities — improves their return on investment without requiring them to develop novel malware capabilities.

The tactics that make basic work

The group's approach, according to the Dark Reading analysis, centers on techniques that have appeared in threat intelligence reports for years: exploiting public-facing applications, using legitimate remote access tools to move through networks without triggering signature-based detections, and disabling or deleting backup infrastructure before deploying the encryption payload.

Each of those steps is individually well-documented. What INC demonstrates is that consistent, patient execution of a repeatable playbook — against organizations that have not closed foundational gaps — remains highly effective. The implication for independent practices is direct: the threat does not require a zero-day exploit to succeed. It requires finding a network where multi-factor authentication is absent, remote desktop services are exposed, or backup systems are reachable from the same network segment as production data.

Where independent practices are most exposed

Smaller healthcare organizations carry a particular structural risk. They often rely on a single IT generalist or a managed service provider with a broad client base, meaning that monitoring depth and patch cadence may lag behind larger health systems. Remote access proliferated during telehealth expansion and has not always been reviewed or hardened since.

The attack chain INC uses maps closely onto gaps that appear repeatedly in HHS Office for Civil Rights breach disclosures: unpatched external-facing systems, weak or absent access controls on remote management tools, and backup environments that are not isolated from the primary network. None of those gaps require a sophisticated adversary to exploit.

What this signals about the next 12 months

The INC group's continued activity suggests that ransomware operators see no reason to change their approach to healthcare as long as foundational controls remain inconsistently applied across the sector. HHS has signaled through its updated HIPAA Security Rule proposals that it expects covered entities and business associates to treat recognized attack vectors — including unprotected remote access and inadequate backup isolation — as addressable requirements rather than aspirational standards.

Practices that audit remote access configurations, enforce phishing-resistant authentication, and maintain tested offline or immutable backups reduce their exposure to the INC playbook and to the broader class of ransomware actors using the same methods. The techniques are not new; the organizations that close those gaps stop being the easiest targets.