Summary
Healthcare organizations can protect their patients, assets, and reputations by working with subject matter experts to mitigate potential cybersecurity risks.
Complex attacks using ransomware are among the most problematic cybersecurity concerns for healthcare practices and systems. Malicious software can prevent an affected organization from accessing its data unless monetary payments are made, which can interfere with the delivery of patient treatment.
In addition to immediate patient safety risks, a ransomware attack creates long-term enterprise risks. Patients’ protected health information is attractive to cybercriminals because of its substantial value on the black market, so attackers commonly exfiltrate data before encrypting it and threaten to publish it unless paid (so-called double extortion). A data breach is therefore a typical collateral consequence of a ransomware attack. Healthcare organizations across the country have experienced data breaches, whether through ransomware or through other threats. Following such an incident, a covered entity’s inadvertent violations of federal and state privacy laws may expose it to a multitude of civil, criminal, and administrative consequences. The results can be financially devastating.
Through a combination of advance planning and collaboration with trusted business partners, healthcare organizations can mitigate their cybersecurity risks, including risks amplified by overseas events, third-party vendor relationships, agency oversight, and technological advancements.
Geopolitical Risks
Some cybersecurity attacks are sponsored by foreign governments, and such threats increase in intensity whenever the U.S. engages in overseas conflicts. In spring 2026, pro-Iranian hackers turned their attention to vendors connected to U.S. power, water, and healthcare. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other agencies have repeatedly urged U.S. healthcare entities to strengthen their cybersecurity.
Covered entities cannot predict international events, but they can predict that geopolitical shifts will at times increase their enterprise risks, and they can strengthen their cybersecurity postures accordingly.
Third-Party Risks
Cybercriminals may aggressively strike third-party vendors that support medical and dental practitioners. This threat demands careful deliberation and proactive, preemptive correction of vulnerabilities, because when data breaches begin through a third party, they can take longer to identify, cause more disruption, and cost more to contain than a direct attack.
Regulatory and Compliance Risks
When patient records are compromised in large-scale attacks, federal and state privacy laws create an added risk to clinicians, practices, and systems. Understanding these risks is the first step to mitigating them. They include:
- Complaints from government agencies: Data breaches often lead to complaints initiated by government oversight and licensing agencies, including the HHS Office for Civil Rights (which enforces HIPAA), with possible investigations subsequently resulting in fines, sanctions, and related administrative penalties.
- Damage to reputation: An inadvertent disclosure may also create negative publicity on social media, which may damage the professional reputations of individual or institutional providers and thereby impair the clinicians’ ability to practice and even to earn a living.
- Loss of privileges: Harm to affected clinicians may include limitations to, or a complete loss of, admitting and surgical privileges at a medical facility or possibly exclusion from third-party payer networks, including CMS.
AI Risks—and Rewards
AI adds new weapons to the cybersecurity fight, and some experts argue that it favors defenders. Nevertheless, AI facilitates novel forms of cyberattack. It also expedites or enhances some familiar forms of cyberattack:
- Some cybercriminals (so-called initial access brokers) find an entity’s vulnerabilities, then sell their access to other bad actors, who carry out the actual malicious strike. The time window for handing over these access points has shrunk from hours down to seconds.
- AI is also enabling malicious actors to produce increasingly convincing phishing lures. This matters because a large proportion of serious cyber threats to healthcare begin with an employee being deceived.
Strategies to Mitigate Cybersecurity Risks
Healthcare organizations should work proactively with experts in the relevant domains to recognize and mitigate potential cybersecurity risks. Healthcare professionals can:
Identify risky circumstances: The U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG) recently reported that a “large Southeastern hospital” had conspicuous weaknesses in its cyber defenses. For example, multifactor authentication (MFA) was not enabled on an account management platform, and a mock phishing campaign was able to capture credentials that, without MFA, would have been sufficient on their own to gain access. Cybersecurity experts can help healthcare practices identify open digital doors that will be obvious to cybercriminals and that need to be swiftly closed, often simply by enabling capabilities the organization’s existing software already provides.
Cybersecurity experts can also identify other digital risks that may result in economic damage or otherwise impede the operation of the practice. The goal is to avoid potential negative events, including civil liability, contract violations, and administrative complaints to governmental oversight agencies that can trigger investigations. It also includes avoiding highly detrimental, and often defamatory, social media postings, which can injure the reputation and ongoing financial stability of the practice or institution.
Provide training across the enterprise: A recent survey of cybersecurity professionals identified AI-driven social engineering as one of their top concerns. Appropriately, a senior leader at the American Hospital Association has described “a patient safety-focused culture of cybersecurity” as an organization’s “most important defense.”
Design in-house patient safety precautions: Distributed denial of service (DDoS) attacks can render a hospital’s computer systems, including its EHR, unavailable to legitimate users, presenting a swarm of simultaneous threats to patient safety. For this reason, in addition to developing and periodically auditing internal protocols implemented to help limit ongoing cybersecurity threats, healthcare organizations are urged to design and execute in-house patient safety precautions, such as downtime procedures, in conjunction with onsite risk managers and facility administrators. Defensive measures should be uniformly compatible with applicable community standards to best ensure continuity of care, as well as the delivery of optimum clinical outcomes.
Investigate insurance coverage: Corporate counsel, agents, brokers, and liability carriers can help organizations consider the nature, scope, and amount of business protection that may be advisable. Practitioners can coordinate with these insurance professionals to complete a risk evaluation to include assessments of exposure from numerous sources, such as medical malpractice claims, general premises liability, corporate errors and omissions, workers’ compensation, and cybersecurity. In addition, related coverages are designed to protect against complications that may impair a clinician’s ability to continue practicing medicine or dentistry unimpeded by administrative restrictions or monetary sanctions. Developing a comprehensive risk assessment before a crisis occurs is critical to ensure continuity of professional services and operational integrity in the event of an unforeseen adverse event.
Coordinate with business partners: Healthcare providers, working closely with their insurance carriers, can coordinate with business partners to develop policies and procedures to evaluate and address risks. A proactive analysis can help the organization target its efforts to implement best practices while remaining consistent with prevailing community standards, which will evolve over time. Clinicians and their practice management teams should institute routine periodic audits of office policies to help ensure that practice protocols are being applied uniformly, are being updated at regular intervals to comply with evolving standards, and are properly and timely documented in administrative files. Such documentation allows the facility to prove, with competent and convincing evidence, that due diligence was exercised to protect patients and business associates if a security breach results in civil or administrative proceedings that seek monetary damages or other institutional sanctions. Following such a strategy will decrease the likelihood of the enterprise suffering harm from either existing or yet unknown threats, while improving operational efficiency.
Through vendor agreements and other cooperative arrangements, U.S. healthcare organizations and the businesses that support them are inextricably connected, and this chain is only as strong as its weakest link. Each healthcare system that mounts a vigorous and vigilant cybersecurity defense shields itself, its patients, and the U.S. healthcare system.
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.
J03082 04/26