RMM Tools in Healthcare

Balancing Access and Risk: The Growing Cybersecurity Challenge of RMM Tools in Healthcare
Roey Vilnai, VP Data at Cynerio
Apr 23, 2025
Blog

On December 17th 2024, a vulnerability was published for BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). PRA and RS are software solutions designed to enable secure, controlled remote access to critical systems and applications. They belong to a group of applications known as RMM - remote management and monitoring tools.

On December 19th 2024, two days after the initial publication of the vulnerability, known as CVE-2024-12356, it was added to CISA’s Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). According to BeyondTrust, the vulnerability was identified during a forensic investigation into a recent security incident involving unauthorized access to a “limited number” of customers’ Remote Support SaaS instances (https://www.securityweek.com/beyondtrust-patches-critical-vulnerability-discovered-during-security-incident-probe/).

What are RMM tools

Remote management and monitoring (RMM) tools are software platforms used primarily by IT service providers to monitor, manage, and maintain their clients' IT infrastructure remotely. These tools let IT teams reduce costs and give external contractors access to on-premises equipment. This is especially true in the healthcare sector, where having biomedical equipment managed by external providers is a very common practice. RMM tools have become even more popular since the COVID-19 pandemic (https://www.businessresearchinsights.com/market-reports/remote-monitoring-management-rmm-tools-market-109443), as more and more teams transitioned to remote work.

The risks of RMM tools

RMM tools offer many benefits, from easy access to numerous systems remotely, to significant savings in cost and response times. However, as with almost everything in cybersecurity, the benefits come with an inherent risk. 

In every beginner’s class on cybersecurity the term RAT is taught. RAT stands for Remote Access Trojan, and describes malware that an attacker uses to gain administrative access to a remote host. In essence, RATs and RMMs are two sides of the same coin. Both allow an external party access to a remote host, with the former doing it maliciously without the consent of the host’s legitimate owner, and the latter doing it with the owner’s knowledge and consent.

With this analogy in mind, the risk posed by RMM tools is clear. As they become more commonplace, attackers have been leaning more towards using these legitimate tools in illegitimate ways. This technique is known as Living-off-the-Land (LOTL): attackers leverage existing legitimate tools for malicious purposes. Detecting the use of this technique is challenging compared to detecting known malicious tools. While cybersecurity tools are tuned to detect activity by known malicious software, such as AsyncRAT, a commonly used malicious RAT, they usually do not alert on activity by known RMMs, since these are considered legitimate.

In May 2023, CISA (the US Cybersecurity and Infrastructure Security Agency) published an advisory on Chinese threat actors using LOTL techniques to evade detection (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a). In February 2024, it complemented this advisory with an official guide on how to identify and mitigate LOTL techniques (https://www.cisa.gov/sites/default/files/2024-02/Joint-Guidance-Identifying-and-Mitigating-LOTL_V3508c.pdf). In this guide, CISA described three reasons that make this technique effective:

  1. Many organizations lack the tools to identify malicious activity and distinguish it from legitimate activity
  2. This activity lacks conventional indicators of compromise (IOCs)
  3. It lets threat actors avoid investing time in developing custom tools

Threat actors have been observed using this technique in two common ways:

  1. Leveraging existing RMM tools - attackers use tools that are already installed on the host to gain initial access to the network or for lateral movement. This is usually done by exploiting existing vulnerabilities or via compromised credentials.
  2. Installing new RMM tools to be used as backdoors - after gaining access and compromising a host, an RMM tool is installed to enable future access to the host.

In a recent report by Rapid7 (https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/) about the Black Basta ransomware group, it was reported that threat actors managed to trick users into installing RMM tools such as AnyDesk, TeamViewer and ScreenConnect. These tools were then used to install additional malware on the compromised hosts.

Healthcare is a prime target

One of the most prominent ransomware attacks of 2024 was the one that targeted Change Healthcare in February. Attackers moved through the network for 9 days before encrypting files and executing the ransomware attack. Even though Change Healthcare paid a $22 million ransom to prevent the publication of the files, the payment did not secure the stolen data. As of October 2024, it is estimated that over 100 million individuals had their data compromised in the attack. It is estimated that the cost of the attack is $2.87 billion.

Although not officially confirmed, it’s widely assumed that the attack involved exploitation of two vulnerabilities in ConnectWise’s ScreenConnect, a common remote desktop access product. These vulnerabilities, dubbed SlashAndGrab, can give an attacker RCE on a vulnerable host. While ConnectWise stated that Change Healthcare is not a direct customer of theirs, it is believed that the tool was used by a managed service provider (MSP) (https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/).

This attack demonstrated the unique exposure of healthcare providers when defending themselves against cyber attacks. Given that Change Healthcare was not a direct customer, it is highly likely that its IT and security teams were not even aware of ScreenConnect being used within their network, and so did not have adequate controls in place to identify nefarious use of it.

How common are RMM tools in healthcare

Due to the wide variety of devices and systems usually found in healthcare networks, including medical devices, IoT, and OT devices, it is very common to find numerous RMM tools being used in a single network. 

CynerioLive, Cynerio’s cyber research group, investigated the data from our various customers. We found that on average, a single hospital has 8-9 different RMM tools active in its network, installed on 12 different types of devices. These range from information systems, such as a Picture Archiving and Communication System (PACS), to medical devices such as ultrasound systems.

We also found the top 5 most common RMM tools to be LogMeIn, Splashtop, TeamViewer, ConnectWise, and Atera, with ZohoAssist coming in at 6th place.

The most common devices to use RMM tools are radiology devices. These are often managed by remote teams and commonly run a Windows operating system, which makes installing an agent easy. This contrasts with smaller medical devices, such as infusion pumps or patient monitors, which usually run other operating systems. On average, we found that 40% of networked radiology devices, including acquisition devices, workstations, and information systems, are running some sort of RMM software. However, it is important to note that we observed great variability when looking at data across different customers. For hospitals that mostly manage their network in-house, that number can be as low as 5% of devices. In hospitals that heavily rely on managed service providers, this figure can be as high as 60%.

What can you do

Having a clear picture of what tools are used in your environment is the first step in developing an effective defense strategy against illicit use of RMM tools. Having an ongoing monitoring capability on the usage of these tools will allow detection of irregularities, such as a new tool being used on a new host. 

Attackers commonly use evasion techniques to make these tools as invisible as possible from endpoint monitoring tools and logs. This can be done by renaming the executable file used for installation, and even deleting logs to remove traces of the activity. However, network detection tools, such as Cynerio’s NDR-H, are more resilient to these techniques since they rely on identifying the network activity generated by these tools. 
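The baseline-and-anomaly approach described above, as an added example that is not part of the original post or of any Cynerio product: each host is given a set of approved RMM tools, and any (host, tool) pair first seen in network flow records is raised as an alert. The hostnames, flow records, process names and the domain-to-tool map are all constructed for illustration; a real deployment would take the inventory from asset management and the domain list from vendor documentation.

```python
# Added example (not from the post or any Cynerio product): baseline the RMM
# tools each host is approved to use, then alert on any (host, tool) pair first
# seen in network flows. Attribution keys on the destination domain, so a
# renamed agent binary (the process column) does not hide the tool.

# Illustrative domain-suffix -> RMM product map; assumed for this example,
# a real deployment would use vendor-published endpoint lists.
RMM_DOMAINS = {
    "teamviewer.com": "TeamViewer",
    "splashtop.com": "Splashtop",
    "screenconnect.com": "ConnectWise",
    "anydesk.com": "AnyDesk",
}

def classify(domain):
    """Return the RMM tool owning `domain` (matched by suffix), or None."""
    parts = domain.lower().split(".")
    for i in range(len(parts) - 1):
        tool = RMM_DOMAINS.get(".".join(parts[i:]))
        if tool:
            return tool
    return None

def detect_new_rmm(baseline, flows):
    """Return one alert per (host, tool) seen in `flows` but not in `baseline`.
    `baseline` maps host -> set of approved tools; each flow record is a
    constructed line 'timestamp host process dst_domain'. Non-RMM traffic is
    ignored and repeated flows for the same pair produce a single alert."""
    seen, alerts = set(), []
    for line in flows:
        ts, host, process, domain = line.split()
        tool = classify(domain)
        if tool is None or (host, tool) in seen:
            continue
        seen.add((host, tool))
        if tool not in baseline.get(host, set()):
            alerts.append({"host": host, "tool": tool,
                           "process": process, "first_seen": ts})
    return alerts

# Constructed inventory and flow records. ct-workstation-03 runs an AnyDesk
# agent renamed to winupd.exe: process-name detection misses it, the domain does not.
BASELINE = {"pacs-server-01": {"TeamViewer"}, "ct-workstation-03": {"Splashtop"}}
SAMPLE_FLOWS = [
    "2025-04-01T08:00:01 pacs-server-01 teamviewer_agent.exe router1.teamviewer.com",
    "2025-04-01T08:00:05 ct-workstation-03 splashtop_agent.exe relay.splashtop.com",
    "2025-04-01T08:02:10 ct-workstation-03 winupd.exe relay.anydesk.com",
    "2025-04-01T08:03:00 mri-console-02 updater.exe client.screenconnect.com",
    "2025-04-01T08:03:30 pacs-server-01 chrome.exe www.example.com",
    "2025-04-01T08:04:00 ct-workstation-03 winupd.exe relay.anydesk.com",
]
```

Running `detect_new_rmm(BASELINE, SAMPLE_FLOWS)` yields two alerts: the renamed AnyDesk agent on ct-workstation-03 and ConnectWise on mri-console-02, a host with no approved tools at all.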

It is important to remember that RMM tools can be great assets for a hospital, and the risks mentioned do not necessarily outweigh the benefits of these tools. Utilizing security tools that monitor activity by these tools, and can alert on anomalies and on new tools being deployed in the network, can help in reducing the risk. 
