
American College of Health Data Management


Strengthening cybersecurity: 5 critical areas for healthcare leaders

Building a cyber-resilient culture in healthcare organizations involves increased focus on threats, powered by a shift in mindset and exec leadership.



This article is the first in a 3-part series. Stay tuned for more.

A cyber-resilient culture requires more than compliance checklists — it demands a shift in mindset and leadership commitment. 

To build true cyber resilience, healthcare organizations need to embed security into both executive oversight and daily operations. This requires significant investment: many organizations allocate 5 percent to 10 percent of their IT budgets to cybersecurity, and 10 percent is the recommended minimum. Spending aside, the journey begins with a shift in culture.

This article explores five necessary conversations that healthcare organizations must have to strengthen their cybersecurity posture.  

Beyond compliance: A cyber-resilient culture 

Cybersecurity failures don’t just impact IT; they threaten the entire organization. Employees need to understand the consequences of security lapses, whether from phishing attacks or from a lapse in protocols. 

Leaders should encourage open reporting without fear of blame. Organizations with a strong cybersecurity culture are typically HIPAA compliant and adhere to frameworks such as HITRUST and NIST CSF, along with other regulatory standards. These organizations often have dedicated cybersecurity executives, committees and regular behavior training, and cybersecurity is embedded in their procurement and vendor management processes.

It is essential for executive leadership to be engaged, with active security champions advocating for cyber resilience as a key component of business strategy. Cybersecurity training is regular and robust, empowering employees to report incidents. 

Steps to strengthen cybersecurity culture include the following. 

Lead by example. Leaders must demonstrate that cybersecurity is about protecting patient safety, not just fulfilling a compliance requirement. 

Regular training. Continuous education on threat awareness and response is essential.

Recognition for good practices. Acknowledge secure behaviors and outcomes associated with a cybersecurity ambassador program. Ambassadors help increase awareness, foster better communication and provide an immediate response to security incidents. This can create a proactive, security-first mindset across the organization. Recognize their contributions in newsletters, meetings or employee communications to boost morale and highlight the program’s value.

Cyber resilience starts with a culture where security is a shared priority involving all levels of the organization. Typically, a cybersecurity council or similar body helps oversee and guide these efforts. While the current HIPAA regulations do not mandate specific cybersecurity oversight appointments, the proposed changes under review would require organizations to appoint a security officer for program oversight. 

AI: Cybersecurity’s double-edged sword 

Artificial intelligence is both a powerful security tool and a weapon for attackers. To understand the risks and uses of AI in cybersecurity, organizations can refer to the NIST AI Risk Management Framework and resources from CAIS, a nonprofit dedicated to promoting the safe development and deployment of AI.  

Organizations need to learn how to balance the benefits and risks of AI in three areas.

Detection and threats. Use AI to monitor network activity continuously, but also implement systems designed to detect AI-driven threats, such as sophisticated phishing attempts. This helps protect against both attacks and AI misuse.

Prediction and adaptability. AI can predict and identify new threats, but attackers may use AI to adapt their strategies. Regular updates to detection systems and threat intelligence are crucial to stay ahead of risks.

Automation and attack speed. While AI can automate routine security tasks and reduce workload, it also speeds up attack processes. Routinely evaluate system vulnerabilities, conduct penetration testing, and refine security protocols to maintain effectiveness and address any new weaknesses that may arise.

As AI reshapes cybersecurity, healthcare organizations must also consider another growing concern: the security of life-critical medical devices. 

Cyber-physical attacks on medical devices 

As healthcare technology advances, the interconnectedness of medical devices like infusion pumps, pacemakers and ventilators creates new vulnerabilities. These devices, along with the broader smart hospital infrastructure, are increasingly targeted by cybercriminals. 

Attacks on medical devices or hospital networks can disrupt treatment, endanger patients and compromise sensitive data. 

To mitigate these risks, healthcare organizations must: 

• Regularly update device software to patch vulnerabilities. 
• Monitor devices and networks for unusual activity to detect threats early. 
• Implement strong access controls and perform regular security assessments to identify and address vulnerabilities. 
• Ensure cybersecurity is embedded into device design through collaboration with manufacturers. 

Without full network visibility, hospitals remain exposed to cyber threats that could compromise both patient data and medical equipment. 

The unmonitored back door 

Healthcare organizations rely on vendors for cloud storage, billing and medical software. Each vendor connection increases risk, which makes third-party security a critical concern.   

The increasing number of vendors expands the attack surface and introduces more potential vulnerabilities. Many organizations also lack full visibility into how vendors handle sensitive data, which makes security management more difficult. Compliance requirements for vendors pose another challenge, as enforcement remains difficult, and organizations face the risk of non-compliance despite their best efforts. 

To reduce third-party risk, health systems should consider these three best practices.  

Stronger vendor assessments. Organizations must evaluate vendor security protocols such as access controls, data protection and incident response before granting system access. Incident response is especially critical, as highlighted by the recent Change Healthcare breach.

Clear contracts. Vendor agreements should outline data protection, breach response and compliance expectations.

Continuous monitoring. Security checks such as routine vulnerability scans and penetration tests help prevent weak links. While some organizations may rely on basic checks, these are often not enough. A more comprehensive approach, such as using a service for continuous monitoring, offers better protection. The cost is often justified by comparing it with the potential impact of a breach, or by treating it as a service rather than hiring a full-time equivalent.

Cybercriminals look for the easiest entry point. This is too often an unsecured vendor connection, such as valet parking software, vending machines or lighting systems.

Cybersecurity workforce shortages 

The demand for cybersecurity professionals exceeds supply. This leaves healthcare organizations vulnerable. A multi-faceted approach is needed to address this problem. Here are two strategies to close the gap. 

Expand recruitment strategies. Diversify the talent pool and consider non-traditional hiring paths including apprenticeships and partnerships with cybersecurity educational programs to build the workforce. 

Tap managed security service providers. Organizations struggling to hire can outsource security functions to MSSPs, gaining access to specialized expertise and strategic guidance. A virtual Chief Information Security Officer (vCISO), a service often provided by MSSPs, can assess an organization's current security program, align strategy with compliance and business needs, and implement frameworks like NIST CSF 2.0.

A vCISO can also improve cybersecurity posture by developing action plans and roadmaps to strengthen security protocols over time; enhance cybersecurity awareness by monitoring healthcare security trends and alerts from sources like InfraGard, CISA and HHS, keeping leadership informed of evolving threats; and support incident response by guiding organizations through cybersecurity events, helping mitigate risks and accelerate recovery. 

Failure to address workforce shortages leads to more data breaches and legal consequences, with the resulting financial losses outpacing the cost of hiring cybersecurity professionals.

Cybersecurity isn’t just about preventing attacks — it’s about resilience and rapid recovery. When was the last time you tested your response and recovery plan? How do you monitor emerging threats? What investments are you making in resilience? 

Cyber threats in healthcare won’t disappear, but organizations that take cybersecurity seriously can mitigate risks and protect patient safety. Without action, healthcare organizations remain prime targets.

Ryan Finlay, CISSP, FACHDM, is principal chief information security officer at CereCore and leads its cybersecurity advisory practice. He is a Certified Information Systems Security Professional (CISSP) and previously was CISO at Optum Health.
