Healthcare has become one of the most heavily targeted sectors for cyberattacks, with consequences that reach far beyond lost data or financial penalties. In the past year, 92 percent of U.S. healthcare organizations experienced at least one cyberattack, according to a report from the Ponemon Institute, which supports the responsible use of information and privacy management practices in business and government. Sixty-nine percent of organizations reported that those attacks disrupted patient care. For these facilities, that disruption means delayed test results, canceled procedures or critical systems locked at the very moment they’re needed most.
Despite this situation, many healthcare organizations still operate with a reactive incident response mindset. Cybersecurity plans too often consist of deploying IT teams after a breach, issuing hurried updates and relying on staff to manually improvise until systems are restored. That might contain one incident, but it does little to prepare for the next one, and it certainly does not scale well for the long term.
A different model is necessary: proactive defense. Instead of waiting for disruption, healthcare organizations can adopt proactive defense — embedding resilience into everyday operations through realistic drills, well-defined communication protocols and a culture that anticipates threats before they escalate. The goal is simple but critical: Keep patients safe when crucial IT systems are not available.
Drills and scenario planning
Readiness begins with practice. Many healthcare organizations are expanding tabletop exercises beyond IT to include clinical staff, legal, communications and administration. These cross-department drills reveal weaknesses that no audit or firewall can expose. Yet they remain underused. Among hospitals that have activated their emergency response for a cyber incident, only 57 percent had conducted a full-scale drill or tabletop exercise, according to the report.
The point of these drills is to stretch the system. Whether it is a ransomware attack freezing records, a supply chain collapse cutting off ventilators or an insider altering data, each scenario reveals not only staff readiness but whether leadership strategies and backup systems can withstand the pressure.
For drills to have real impact, they need to become routine. Healthcare organizations should create an after-action report following every drill with mandatory reviews, tracking lessons learned and turning them into updated policies and training.
Every department should be expected to address the gaps uncovered, whether that means clarifying who makes decisions in a crisis, validating backup systems or ensuring staff can fall back on manual processes. When healthcare organizations practice these exercises consistently, the process turns planning into true preparedness.
Communication protocols
Healthcare organizations rely heavily on IT systems. A cyberattack means clinical operations can grind to a halt, appointments back up and lab systems stall. In the worst cases, the attacks compromise emergency care. The consequences are clear in facilities that have been attacked. Fifty-six percent reported poor patient outcomes due to delays, 53 percent saw medical complications, and 28 percent reported increased mortality rates during cyber disruptions.
Communication is often the deciding factor in whether these risks escalate. Clear communication protocols ensure that staff know exactly whom to notify, what information to share and when to escalate decisions. Without that structure, uncertainty eats away at precious minutes.
Making communication part of the cyber playbook requires preparation. Hospitals should designate specific people to serve as communication leads, create response templates for internal staff and external partners and train clinical teams on ways to raise issues quickly when systems fail. These steps give staff the clarity to act without hesitation, keeping care moving even when digital systems are down.
Building a readiness culture
For too long, cybersecurity in healthcare organizations has been defined by quick fixes — patching systems after a breach, restoring access after downtime and hoping disruption will not repeat. But that approach is untenable. At rural hospitals, the average ransomware attack leaves systems offline for nearly 19 days, and clinical, financial and reputational costs linger long after access is restored.
A readiness culture looks very different from the patch-and-recover mindset that dominates healthcare organizations. It starts with visible support from leadership and the board, treating cyber risk as a systemwide responsibility. It extends to frontline staff, who receive training in cybersecurity hygiene and incident response. It builds through repetition, where every drill or real event feeds back into updated playbooks and stronger defenses.
The payoff is practical. Quicker containment reduces losses. Demonstrated preparedness strengthens the confidence of regulators and insurers. Most importantly, patients know their care can continue safely even under attack. Crucially, hospitals must never treat readiness as a finished project. They need to measure, review and reinforce it continuously.
In healthcare cybersecurity, the stakes are patient safety and trust. Every disruption, from delayed lab results to locked medical records, carries the potential to compromise care. The way forward is not one tool or a quick fix but a playbook that hospitals live by — drills that test plans against real scenarios, communication protocols that eliminate confusion and a culture that assumes disruption is always possible.
What sets healthcare organizations apart is the way they act on this playbook. Those that build proactive defense into daily routines and practice the playbook through regular drills will limit the damage of an attack and earn the confidence of regulators, insurers and most importantly, patients. In a sector in which digital disruption is inevitable, the real measure of strength is the ability to deliver safe, reliable care no matter what.
Errol Weiss is chief security officer with the Health Information Sharing and Analysis Center, which provides resources to prevent, detect and respond to cybersecurity and physical security events.