Use Case

Healthcare — Multi-Site Medical Network

Regional Diagnostic and Primary Care Network — Mixed Clinical and Administrative Environment

The Environment

A privately operated network of primary care clinics and diagnostic imaging centres serves a large regional population across several community locations. Each site runs a combination of clinical workstations accessing a shared electronic health records (EHR) platform, diagnostic imaging equipment (MRI, CT, ultrasound units) connected to a PACS server over the internal network, and standard administrative endpoints for billing, scheduling, and correspondence. Clinical staff have no security awareness training and cannot tolerate interruption to patient-facing systems during operating hours. The organization’s IT function is outsourced to a small managed services partner. There is no internal security capability.

Patient data is among the most valuable and most regulated data in existence. A breach triggers mandatory notification obligations, potential regulatory sanction, and irreversible reputational damage in a sector where patient trust is foundational.

Frostbow Deployment

Frostbow was deployed in the Complete Security Platform configuration across all clinic and imaging sites, with the EHR platform and PACS server treated as priority monitoring surfaces. Diagnostic imaging equipment was monitored passively via network tap — agent installation on clinical devices was ruled out due to medical device certification constraints and vendor requirements. Administrative and clinical workstations received lightweight collector agents. All autonomous response actions were calibrated to isolate threats at the network layer rather than terminating processes on endpoints where clinical software might be affected. Full deployment across all sites was completed in three weeks.

The Scenario: Ransomware Pre-Positioning via Phishing

A billing administrator received a phishing email disguised as a message from the organization’s health records software vendor, prompting a credential update through a convincing spoofed portal. The administrator’s credentials were harvested and used within hours to authenticate to the EHR platform from an external IP. The attacker spent the following 72 hours moving quietly through the environment — enumerating network shares, identifying backup server locations, and staging a ransomware payload on three administrative workstations — all during business hours, deliberately mimicking legitimate administrative activity.

How Frostbow Responded

The initial credential harvest was not visible to Frostbow — it occurred on an external spoofed site. The first signal came when the administrator’s account authenticated to the EHR platform from an IP the account had never previously used. Frostbow scored this as medium-confidence and continued observing.

Over the following 72 hours, Frostbow tracked a slow accumulation of anomalous signals: network share enumeration outside the account’s normal access patterns, a single authenticated query to the backup server (an asset the billing function had no legitimate reason to access), and — on the third day — an executable write to a temporary directory on one of the flagged workstations. No single event was conclusive. Together, they formed a pattern Frostbow recognized as MultiStagePrePositioning — built from the observable signature of ransomware actors in their dwell period.

On detecting the executable write, Frostbow elevated the incident to high-severity: it isolated the three flagged workstations at the network layer, revoked the compromised account’s EHR access, and blocked lateral communication between the administrative network segment and the clinical segment housing the PACS server. The EHR platform and all imaging systems remained fully operational — clinical appointments continued without interruption. The ransomware payload, staged but never executed, was quarantined on all three workstations.
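
The cumulative scoring described above, as a constructed illustration (not Frostbow's own code or scoring): events for one account are classified into the four stages the case study names, each stage is counted once, the score crosses a high-severity threshold only when the executable write lands, and containment stays at the network layer. Stage weights, the threshold, host names and IPs are all assumed sample values.

```python
# Constructed sample events for one account: (day, account, host, event_type, detail).
SAMPLE_EVENTS = [
    (0, "billing.admin", "ehr-app01", "ehr_login", {"src_ip": "203.0.113.45", "known_ip": False}),
    (0, "billing.admin", "ehr-app01", "ehr_login", {"src_ip": "10.1.4.22", "known_ip": True}),
    (1, "billing.admin", "admin-ws07", "share_enum", {"shares": 37, "baseline_max": 4}),
    (2, "billing.admin", "backup01", "server_query", {"role_allowed": False}),
    (3, "billing.admin", "admin-ws07", "file_write", {"path": "C:\\Windows\\Temp\\upd.exe", "executable": True}),
]

# Assumed weights: no single stage reaches HIGH on its own; together they do.
STAGE_WEIGHTS = {"new_ip_login": 40, "share_enum_anomaly": 20, "backup_access": 25, "exe_temp_write": 30}
MEDIUM_SEVERITY, HIGH_SEVERITY = 40, 90

def classify(host, event_type, detail):
    """Map a raw event to one of the dwell-period stages, or None if it looks benign."""
    if event_type == "ehr_login" and not detail["known_ip"]:
        return "new_ip_login"
    if event_type == "share_enum" and detail["shares"] > detail["baseline_max"]:
        return "share_enum_anomaly"
    if event_type == "server_query" and host.startswith("backup") and not detail["role_allowed"]:
        return "backup_access"
    if event_type == "file_write" and detail["executable"] and "\\temp\\" in detail["path"].lower():
        return "exe_temp_write"
    return None

def correlate(events):
    """Accumulate stage scores per account; record the day the HIGH threshold is crossed."""
    state = {}
    for day, account, host, etype, detail in events:
        stage = classify(host, etype, detail)
        if stage is None:
            continue
        acct = state.setdefault(account, {"account": account, "stages": [], "hosts": set(),
                                          "score": 0, "severity": "low", "escalated_day": None})
        if stage in acct["stages"]:
            continue  # each stage counts once, so repeated noise cannot inflate the score
        acct["stages"].append(stage)
        acct["score"] += STAGE_WEIGHTS[stage]
        if stage == "exe_temp_write":
            acct["hosts"].add(host)  # staging hosts are the isolation targets
        if acct["score"] >= HIGH_SEVERITY and acct["escalated_day"] is None:
            acct["severity"], acct["escalated_day"] = "high", day
        elif acct["severity"] == "low" and acct["score"] >= MEDIUM_SEVERITY:
            acct["severity"] = "medium"
    return state

def response_actions(acct):
    """Network-layer containment only: nothing here terminates processes on an endpoint."""
    if acct["severity"] != "high":
        return ["continue observing"]
    actions = [f"isolate host {h} at network layer" for h in sorted(acct["hosts"])]
    actions += [f"revoke EHR access for {acct['account']}", "block admin->clinical segment lateral traffic"]
    return actions
```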

Key Deployment Characteristics

  • Passive monitoring of diagnostic imaging equipment via network tap — no agent on certified medical devices
  • Autonomous response calibrated to network-layer isolation, preserving clinical software continuity
  • Multi-day dwell period detected through cumulative behavioral pattern recognition
  • EHR and PACS server designated as priority monitoring surfaces
  • Full forensic timeline generated across 72-hour attack window
  • Zero clinical disruption throughout detection, response, and containment