It will be a surprise to no one that cybersecurity remains a top priority for healthcare IT systems. As the number of data breaches and ransomware attacks continues to skyrocket, everyone is well aware that you need to make sure that your organization has a solid defense system in place. However, talking about needing to be prepared is very different from actually making the call on what security measures you’ll adopt and where to place said measures. To help better inform you on areas to consider when making those decisions, we reached out to our incredible Healthcare IT Today Community to ask — What are the most common cybersecurity threats facing healthcare IT systems, and how can organizations proactively address them? The following are their answers.
Adam Hesse, CEO at Full Spectrum
As more and more medical devices become connected IoT devices, the number of points of potential vulnerability is multiplying and increasingly difficult to control, monitor, and manage. In response to growing cybersecurity risks, the FDA has issued guidance for medical device manufacturers, which has spurred improvements in the security of products. However, effective cybersecurity also requires a balanced approach to device design, addressing both the remote management needs of manufacturers and the operational security requirements of healthcare facilities. Therefore, it is essential for healthcare IT departments to be actively involved in defining product requirements for device manufacturers. This ensures that devices can be properly managed and maintained securely throughout their lifecycle.
Lesley Berkeyheiser, Senior Director of Accreditation Strategy and Development, CCSFP at DirectTrust
Healthcare IT systems face constant threats such as phishing, ransomware, and supply chain vulnerabilities, yet most breaches stem from preventable gaps in basic security practices. Common missteps in our industry include failing to establish a formal role or resource to lead and promote cybersecurity hygiene, lacking understanding or documentation of the data that is created, received, maintained, and transmitted, missing a complete inventory of all hardware, software, media, and other technical equipment, weak controls over access to data, incomplete or absent incident response plans, and an inability to restore data and systems from backup.
To address these issues, organizations should view cybersecurity resilience as a tripod: know your data, know your workforce (anyone under your direct control who handles sensitive information), and know your technology through current inventories monitored in real time. Use practical resources from the U.S. Department of Health and Human Services (HHS) 405(d) Program, HHS Administration for Strategic Preparedness and Response (ASPR), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). Gaining leadership buy-in starts with showing the real-world consequences of inaction. Point to the $9.7M average cost of a healthcare breach, as noted by Charlee Hess of HHS ASPR, and share OCR Corrective Action Plans that outline penalties for failing to assess risk, train staff, and monitor threats.
Kory Daniels, CISO at Trustwave
Many of the cybersecurity threats facing healthcare are the same as those seen across other industries. However, healthcare has unique attributes that create additional challenges on top of enterprise-wide threats such as ransomware, phishing, social engineering, and insider risks. The stakes are far higher: disruptions to healthcare operations and patient care can directly impact human safety, and in the worst cases, result in loss of life. Hospitals and patient care technologies have drastically expanded the attack surface. Criminals are increasingly targeting Internet of Things (IoT) devices and medical technologies that were never originally designed to be network-connected. These devices often lack strong built-in security controls and frequently run on legacy hardware and software, making it extremely difficult for security teams to identify and patch vulnerabilities. To defend against both known and unknown threats, healthcare leadership must set the tone from the top down, fostering a digitally aware and threat-conscious culture.
Extending security behavior and governance across staff and into the supply chain can make a monumental difference for cyber defense and network operations teams. People, process, and technology controls should focus on elevating monitoring, triage, and response maturity, ideally through the implementation of a fusion center. The good news is that regulators are very clear about expectations for patient data privacy and the controls required to maintain HIPAA compliance. The challenge lies in the maturity of data governance programs: ensuring effective data quality hygiene, enforcing policies around where data should reside, and monitoring how it moves internally and externally. Data is the fuel that powers hospital operations and patient experiences, but the growing speed and variety of use cases will continue to strain governance, risk, compliance, and privacy teams as they work to balance policy, technology, and enforcement.
A strong cyber defense program, powered by skilled professionals and purpose-built detection and response technologies, is essential to maintaining public trust in how confidentiality, integrity, and availability are safeguarded. You cannot defend what you cannot see, which is why operational technologies (OT) must increasingly fall under the scope of cyber defenders. Healthcare organizations must also decide how best to scale their programs: fully in-house, outsourced through managed detection and response (MDR) or managed security service providers (MSSPs), or a hybrid model that blends internal talent with top-tier service providers.
Finally, lowering complexity is key. Healthcare organizations often already have crisis management playbooks that security leaders can build upon, aligning with established programs familiar to leadership and business stakeholders. Promoting ‘security branding’ through awareness and education, backed by senior leadership, encourages broad ownership of the security strategy. Because the scope of these programs is so vast, success depends on federating security responsibilities across leadership and embedding a culture of security throughout the organization.
Jason Z. Rose, CEO at Clearsense
Zombie apps are one of the most underestimated threats to healthcare security and privacy. These forgotten legacy systems quietly hold sensitive data in outdated, unmonitored environments, making them prime targets for breaches and ransomware. At the same time, they siphon millions in licensing and maintenance costs that health systems can no longer afford to waste. With more than a trillion dollars in Medicaid and ACA funding cuts creating immense economic headwinds, reducing bloated IT spend has become urgent. Addressing zombie apps isn’t a one-time cleanup; it’s an ongoing discipline that requires a repeatable, assembly-line process and technology that enables active archiving so data remains accessible and secure. By making decommissioning a strategic priority, health systems can strengthen compliance, reduce risk at scale, and redirect resources toward cybersecurity and innovation.
Scott Mattila, Product Strategy, SVP at Health Catalyst
Managing third-party risk remains a significant challenge for both healthcare organizations and the broader security sector. Effectively overseeing and enforcing robust security standards with partners and vendors is complex. Traditional point-in-time assessments implemented by other companies are insufficient for our needs; consistent accountability among vendors and partners is essential. Much like the importance of each contractor in building infrastructure, every stakeholder within the healthcare ecosystem must fulfill their responsibilities to ensure that expectations are being mutually met. Failure to do so renders contractual agreements ineffective.
Asset management is a prevalent issue across the healthcare industry, persisting for more than two decades. Despite technological advancements and AI solutions, many organizations continue to grapple with legacy infrastructures, budget constraints, incomplete understanding of technology stacks, accumulated technical debt, and inherited systems across diverse operational environments. The integration of IoT through medical devices has added further complexity, placing additional strain on already burdened technology teams. Threat and vulnerability management are closely linked, each presenting unique risks and potential impacts to organizations. Addressing these challenges requires careful handling of threat intelligence, particularly for teams managing substantial workloads.
Conflicts arise when IT departments delay patching vulnerabilities due to concerns about disrupting provider operations or claims processing. Security teams face daily pressures and burnout, like those experienced by clinical staff. Resolving these issues is crucial to maintaining organizational efficiency and satisfaction. CISOs and CIOs continue to collaborate in navigating this delicate balance to enhance the overall security posture.
Lance Reid, Founder and CEO at Telcion
Cybersecurity in healthcare is no longer just about meeting compliance requirements. It is about building resilience in the face of increasingly sophisticated threats. One of the most effective ways to strengthen defenses is through penetration testing, often called ethical hacking. Unlike automated vulnerability scans that only flag potential issues, penetration testing simulates real-world attacks to reveal how an adversary could actually exploit a weakness.
In healthcare, these insights are critical because the risks extend beyond data loss to directly impacting patient safety and care delivery. Many of the common problems uncovered during testing (e.g., misconfigured access controls and improperly secured cloud storage) are preventable, yet they remain some of the most frequent entry points for attackers.
Penetration testing provides organizations with actionable intelligence to remediate vulnerabilities before they can be exploited, while also supporting regulatory frameworks like HIPAA and NIST CSF. In an industry where operational continuity is essential, proactive testing is no longer optional. It is a necessary step in building a security posture that can adapt to evolving threats and protect both patients and data.
Brian Liddell, President and CFO at Harmony Healthcare IT
One of the most overlooked cybersecurity threats in healthcare isn’t always the latest breach tactic but the unmanaged sprawl of legacy systems and outdated data sitting outside the security perimeter. Every extra copy of patient data is another door left unlocked. Archiving solves two problems at once. It reduces the attack surface by decommissioning vulnerable systems, and it ensures providers can still access the information they need in a compliant, patient-first way. Done right, archiving isn’t just a defensive move but a strategy for balancing privacy, compliance, and accessibility in a sustainable way.
Rick Focke, Director of Product and Market Development, Johnson Controls Sec at Johnson Controls, Inc.
Integrating health care IT systems with physical access control establishes a critical safeguard against cyber-physical threats that target PHI and hospital data. By ensuring networks and physical IT systems are only accessible to authorized personnel, health care organizations can strengthen their layered defense and significantly reduce the risk of access from intruders or data theft by malicious insiders.
Hospitals are defining granular permission control rules for staff access and visitor verification, combining role-based permissions with real-time monitoring of patient areas. We’re already seeing more alignment between access control data and video feeds to catch anomalies, and this is becoming table stakes for compliance.
We are headed towards a future in which a fully connected security system across physical and digital territories will automatically trigger notifications to security and IT platforms. When the two worlds converge, checks and balances improve, and response times are reduced.
There are so many great insights to consider here! Huge thank you to everyone who took the time out of their day to submit a quote to us! And thank you to all of you for taking the time out of your day to read this article! We could not do this without all of your support.
What do you think are the most common cybersecurity threats facing healthcare IT systems, and how do you think organizations can proactively address them? Let us know over on social media, we’d love to hear from all of you!