MedCity Influencers

Stronger Cybersecurity in Healthcare Starts with Smart Policy

Leaders across healthcare, technology, and policy circles agree that cybersecurity isn't just a technical necessity — it's foundational to patient safety

Cybersecurity in healthcare is essential to keeping patients safe. For hospitals, a data breach isn’t a mere inconvenience — it can delay life-saving treatments and disrupt vital care. Addressing these risks requires targeted, supportive legislation that makes cybersecurity the foundation of patient safety, empowering healthcare organizations — regardless of size — to meet essential security standards and keep patients safe.

Cyberattacks have direct and immediate consequences for patients, from diagnosis delays and rerouted ambulances to stalled prescriptions. While large healthcare systems in densely populated areas often have the resources to recover quickly and invest in robust cybersecurity in the first place, smaller providers — particularly in rural or underserved regions — face a more challenging battle. Limited budgets, outdated infrastructure, and constant cyber threats make comprehensive protection a persistent challenge for these facilities.

Leaders across healthcare, technology, and policy circles agree that cybersecurity isn’t just a technical necessity — it’s foundational to patient safety. While robust security is essential, targeted policies at state and federal levels are crucial to help healthcare providers meet these standards — especially for those with limited resources — ensuring that cybersecurity protects all patients. 


Why healthcare is a major target for cyberattacks 

Due to its sprawling, interconnected infrastructure, healthcare is a prime target for cyberattacks. Electronic health records (EHRs), medical imaging tools, billing systems, medical devices, mobile devices, and more contribute to a vast digital landscape that has expanded rapidly in recent years. Unfortunately, the cybersecurity measures to protect this infrastructure have struggled to keep pace with its rapid growth. 

Healthcare data is a goldmine for attackers, as medical records contain highly sensitive protected health information (PHI) that commands a high price on the dark web. Cybercriminals also understand that a hospital’s ability to operate is life-critical, which makes hospitals more likely to pay a ransom.

As cyberattacks grow in sophistication and scale, more healthcare organizations and the communities they serve are being put at risk. The now infamous Change Healthcare breach is a notable example: it illustrated how a single point of failure can ripple across multiple facilities and affect patient care.

A compromised billing, claims, and revenue processing network forced hospitals to rely on paper billing — a risky method that delayed patient care. Several hospitals faced financial crises, unable to process claims for months, with smaller hospitals nearly bankrupt when systems came back online. This highlighted the growing challenge of cyber inequity and its implications on public health.

Healthcare challenges posed by cyber inequity

Large healthcare systems in more densely populated areas often have more resources to fully staff IT teams, implement advanced security software, and adopt recovery plans. But frankly, most healthcare organizations, even the largest ones, are understaffed and lagging behind on the digital transformation curve. Those with the least amount of resources suffer the most. Smaller hospitals operate with tighter budgets, forcing them to choose between cybersecurity and other immediate needs in patient care. 

In a recent roundtable, one rural hospital administrator highlighted the financial strain on rural hospitals, explaining that limited budgets often force these facilities to prioritize investments that support immediate patient care and day-to-day essential operations, like replacing MRI machines or outdated computers. However, this limits the budget and resources the organization can allocate specifically to cybersecurity, creating a gap that introduces risk. For facilities already running many outdated systems and poorly integrated technologies, the inability to invest in cybersecurity compounds existing vulnerabilities.

Staffing IT talent is a significant challenge, too. Many hospitals cannot afford specialized cybersecurity professionals, not to mention the massive workload of help desk tickets, tech updates, and other projects burdening an already overwhelmed IT team. So, when a cyberattack hits a rural hospital, it magnifies the impact; patients may be left with no other options for immediate care if their local hospital is unable to open or function. 

A study in The Journal of the American Medical Association found that a cyberattack on one healthcare facility triggers a domino effect, straining nearby hospitals as they redirect patients and stretch staff resources. An attack can severely impact smaller, resource-strained hospitals, putting patients’ lives on the line as they face delays in critical care. Sometimes, the next closest hospital is over 100 miles away — which, in a medical emergency, can mean the difference between life and death.

In addition, healthcare’s dependence on technical partnerships exposes the sector to a higher volume of third-party attacks, making it especially vulnerable. This risk is heightened by breaches at software vendors, which can severely impact the hospitals that depend on their services, as the Change Healthcare incident exemplified. Despite initiatives like the CISA pledge, which encourages vendors to meet certain standards by 2025, the absence of enforced repercussions leaves a significant gap in addressing cyber inequity and the vulnerabilities associated with third-party attacks in healthcare.

The shortage of cybersecurity resources for rural hospitals is more than just a logistical issue; it’s a matter of equity. Without intervention, the gap between well-resourced and under-resourced healthcare systems will grow, leading to real disparities in patient safety and care quality.

The case for more government support

The healthcare industry cannot manage cybersecurity alone. While it’s clear that minimum cybersecurity standards are needed, unfunded mandates risk overwhelming small providers already stretched thin. A stronger, more equitable healthcare system requires targeted government support to help close these gaps.

The Health Sector Coordinating Council — a cybersecurity working group of more than 450 healthcare organizations working with the US Department of Health and Human Services (HHS) — has crafted a cybersecurity framework tailored to healthcare, including guidelines on incident response and continuity of operations.

Attaching cybersecurity funding to existing government programs in the form of incentives could allow more hospitals to access grants or subsidies for cybersecurity measures. Government support would encourage healthcare facilities to invest in their security infrastructure without taking a significant toll on the organization’s finances.

Expanding access to cybersecurity insurance, particularly for high-risk or vulnerable facilities, would also provide hospitals with a safety net in the event of an attack, which is important to consider in any government mandates or incentives for healthcare cybersecurity.

Smart cyber policy is critical for patient safety

There are many factors impacting healthcare’s ability to invest in cybersecurity, but one of the biggest challenges stems from the lack of strategically designed legislative drivers and defined standards. It’s critical that policies not only include incentives to invest, but are also crafted specifically for the unique security, compliance, and workflow demands of healthcare organizations and clinicians.

For instance, implementing passwordless authentication can significantly reduce the risk of credential theft caused by human or clinician error. This approach not only bolsters security by minimizing phishing risks but also reduces clinician burnout and saves time that can be redirected to patient care. Managing vendor and third-party access securely is also crucial to prevent supply chain attacks and should be a fundamental part of any healthcare cyber policy or regulations. 

Although we hope to see motivating and meaningful legislation on the horizon, in its absence, collaboration is healthcare’s most powerful tool. Healthcare leaders and vendors must collaborate strategically to develop innovative solutions that meet the sector’s specific security, compliance, and efficiency demands.

Photo: anyaberkut, Getty Images


Dr. Sean Kelly is the Chief Medical Officer (CMO) and Sr. VP of Customer Strategy for Healthcare at Imprivata, where he leads the company’s Clinical Workflow team and advises on the clinical practice of healthcare IT security. In addition, Dr. Kelly practices emergency medicine at Beth Israel Lahey Health and is an Assistant Professor of Emergency Medicine, part time, at Harvard Medical School. Trained at Harvard College, University of Massachusetts Medical School, and Vanderbilt University, Dr. Kelly is board certified in Emergency Medicine and is a Fellow in the American College of Emergency Physicians.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.