The INC ransomware group has built a track record of successful extortion not through technical sophistication but through deliberate sector selection and disciplined execution of well-understood attack techniques. Healthcare sits near the top of its target list precisely because clinical downtime carries consequences that other industries do not face — delayed care, diverted patients, and regulatory exposure that compound the pressure to restore operations quickly.
Why healthcare is structurally attractive to INC
Ransomware operators evaluate targets through an economic lens: how much disruption does an encryption event cause, and how quickly does that disruption translate into payment? Healthcare answers both questions favorably for attackers.
Hospitals and clinics depend on continuous access to scheduling, records, pharmacy, and imaging systems. A multi-day outage is not an inconvenience — it forces patient diversion, manual workarounds, and potential harm to care delivery. That operational dependency shortens the window an organization will tolerate before considering payment, which is exactly the dynamic INC is reported to exploit.
The group also benefits from the sector's uneven technical maturity. Larger health systems have dedicated security teams; independent practices and smaller regional hospitals often do not. INC does not need to find the hardest targets — it finds the ones where basic controls are absent.
What "mastering the basics" means in practice
Dark Reading's analysis describes INC's methods as disciplined rather than novel. The group is reported to rely on:
- Valid credential abuse. Phishing and credential theft give attackers authenticated access that blends with normal traffic and bypasses perimeter controls that watch for malware signatures.
- Living-off-the-land techniques. Using built-in system tools rather than custom malware reduces the chance of detection by endpoint monitoring that focuses on known-bad files.
- Deliberate lateral movement. Rather than encrypting immediately after initial access, INC operators reportedly move through networks to identify backup systems and administrative accounts before detonating the payload — maximizing the scope of disruption.
- Double extortion. Data exfiltration before encryption creates a second lever: even organizations that restore from backups face the threat of patient data publication, which carries its own HIPAA exposure.
None of these techniques are new. Their continued effectiveness reflects a gap between what defenders know they should do and what is actually implemented and maintained.
Where independent practices are most exposed
The INC playbook maps directly onto control gaps that are common in smaller and mid-sized healthcare organizations.
Phishing-resistant authentication — hardware tokens or passkey-based methods — significantly reduces the value of stolen passwords, but adoption in independent practices remains limited. Network segmentation that isolates clinical systems from administrative ones can contain lateral movement, but flat networks are still common. Offline or immutable backups defeat encryption-only attacks; however, backup discipline that includes regular restoration testing is inconsistent across the sector.
The double-extortion dimension deserves specific attention from compliance officers. Exfiltration of protected health information before encryption means a ransomware incident is very likely a reportable breach under HIPAA, regardless of whether the organization pays or restores from backup. Breach notification timelines begin at the point of discovery, not at the point of payment or recovery — a distinction that practices sometimes misunderstand when managing incident response.
What this signals about the next 12 months
INC's reported success demonstrates that the threat environment does not require novel techniques to be effective against healthcare targets. The implication is that investment in foundational controls — credential hygiene, network segmentation, tested backup recovery, and staff phishing awareness — addresses the actual attack surface more directly than chasing emerging threat categories.
The sector's continued attractiveness to ransomware groups also suggests that HHS and OCR scrutiny of security rule compliance at smaller covered entities is unlikely to ease. The updated HIPAA Security Rule, which HHS proposed in late 2024 and finalized in early 2025, added specificity around exactly the controls that INC's methods circumvent: multifactor authentication requirements, network segmentation standards, and backup and recovery documentation. Practices that treat those requirements as a compliance checklist rather than an operational discipline remain exposed to the same economics that INC is exploiting.