How to Build Resilience in Healthcare Cybersecurity
Post Summary
In an era where healthcare has become one of the most critical components of modern society, the mounting cybersecurity threat it faces cannot be overstated. The video discussion between Matthew Rosenquist, an industry cybersecurity strategist, and Jason Elron, CISO of Multicare Health System, illuminates the nuanced challenges and forward-thinking strategies for bolstering cybersecurity in healthcare. These insights are crucial for decision-makers and professionals seeking to secure their organizations in an ever-evolving threat landscape.
The Urgent Case for Cyber Resilience in Healthcare
The healthcare industry is uniquely positioned as a high-priority target for cybercriminals. Hospitals, clinics, and other healthcare delivery organizations (HDOs) house sensitive patient data, depend on uninterrupted services for life-critical functions, and are increasingly integrated with vulnerable supply chain systems. As Elron aptly points out, "Cyber incidents in healthcare aren’t abstract - they are life-impacting." Downtime or compromised systems can result in delayed care, patient harm, and, in some cases, fatalities.
Adding to the complexity is the role of adversarial nation-states and cybercriminals. From large-scale ransomware attacks to disruptions in hospital workflows, the consequences of inadequate cybersecurity measures are severe and far-reaching.
The Current State of Healthcare Cybersecurity
Challenges with Prioritization
Elron emphasizes that awareness of cybersecurity risks has improved significantly over the past decade. Most HDO leadership now understands that cybersecurity events are directly tied to patient safety. However, the challenge today lies in prioritization. Healthcare leaders must make difficult trade-offs: choosing between cybersecurity investments and other critical needs, such as expanding medical services or opening clinics.
The Cost of "Invisible Success"
Cybersecurity often operates under "invisible success metrics", where effective defenses go unnoticed until they fail. This lack of visibility can make securing organizational buy-in a challenge. To address this, Elron advocates for a shift from traditional "return on investment" (ROI) metrics to a new concept that reuses the acronym: risk reduction on investment (ROI). Framing cybersecurity investments as both reducing risks and ensuring continuity of care helps leaders appreciate their value.
The Rising Threat of AI
Artificial intelligence is now embedded in healthcare workflows, from diagnostics and imaging to scheduling and clinical decision-making. This integration brings undeniable benefits but also opens new avenues for exploitation. As Elron warns, "AI disruption is clinical disruption. An AI outage will soon be the new equivalent of EHR downtime." Attackers are already probing AI models, APIs, and data pipelines, leading to an entirely new category of cyber threats.
Strategies for Building Cyber Resilience
1. Focus on Resilience Over Perfection
Elron argues that healthcare organizations must accept that being entirely invulnerable to cyber threats is unrealistic. Instead, the focus should shift toward resilience - detecting, responding to, and recovering from incidents quickly and efficiently. The goal is to minimize the impact of inevitable attacks while maintaining continuity of care.
2. Tackle Legacy Systems and IoT Vulnerabilities
Many healthcare facilities operate with a mix of outdated and modern technologies. Legacy operational technology (OT) and medical IoT (MIoT) devices remain significant vulnerabilities as they were not designed to withstand modern threat profiles. Addressing these weaknesses requires innovative solutions, such as micro-segmentation and zero trust architectures, to secure these critical but aging systems.
3. Prepare for AI-Driven Threats
The rise of AI has introduced both opportunities and challenges. Threat actors increasingly use AI to automate and scale attacks, such as creating highly convincing phishing emails or tampering with AI-powered clinical systems. To counter this, organizations must adopt advanced monitoring and threat detection tools capable of operating at the speed and sophistication of AI-based attacks.
4. Strengthen Third-Party Risk Management
Healthcare has evolved into a complex ecosystem of interconnected vendors, suppliers, and service providers. Weaknesses in any part of this ecosystem can compromise the entire network. Comprehensive third-party risk management programs are essential to safeguard these extended partnerships.
5. Shift the Organizational Culture
One of the most critical steps in improving cybersecurity in healthcare is fostering a culture where security is viewed as a shared responsibility. As Elron states, "Doing modern healthcare means doing modern IT, and doing modern IT requires modern security." Leadership must emphasize that every employee, from clinicians to executives, plays a role in protecting the organization.
The Role of Metrics and Communication in Driving Change
Elron stresses the importance of using meaningful metrics to communicate cybersecurity priorities to executives and boards. Metrics such as mean time to respond (MTTR) and risk reduction on investment can help frame discussions in terms of organizational impact rather than technical jargon.
Effective communication also requires transparency and intellectual humility. Cybersecurity professionals should acknowledge their expertise while also recognizing areas where collaboration with others (e.g., clinicians, administrators, or external experts) is necessary.
The Future Threat Landscape
Looking ahead, the healthcare industry must brace for a rapidly evolving threat landscape characterized by:
- AI-Driven Attacks: Automated spear-phishing, AI model corruption, and other advanced tactics will challenge traditional defenses.
- Care Disruption: Ransomware attacks will increasingly target clinical operations rather than just data, disrupting care delivery.
- Nation-State Attacks: These could aim to undermine societal trust by tampering with patient records, disrupting national healthcare systems, or manipulating supply chains.
Healthcare organizations must adopt a proactive approach, assuming that breaches will occur and focusing on minimizing their impact.
Key Takeaways
- Patient Safety is Cybersecurity: Cyber incidents in healthcare are life-impacting. Downtime and disruptions are patient safety events, not mere technical issues.
- Resilience is the New ROI: Shift from a focus on preventing all incidents to ensuring quick detection, response, and recovery when incidents occur.
- Address Legacy Vulnerabilities: Legacy OT and IoT devices are a significant attack surface and require immediate attention.
- Prepare for AI Risks: AI is integral to healthcare workflows, but its vulnerabilities must be secured as attackers increasingly exploit these systems.
- Strengthen Third-Party Risk Management: The interconnectedness of healthcare providers and vendors necessitates robust oversight of third-party risks.
- Embed Security into Culture: Security is not just the CISO’s job; everyone in the organization must understand and embrace their role in protecting patient care.
- Use Metrics to Drive Conversations: Communicate in terms of organizational impact (e.g., risk reduction) to secure buy-in from leadership.
- Anticipate Future Threats: Organizations must prepare for emerging risks, from AI-driven attacks to supply chain disruptions.
Conclusion
The healthcare sector stands at a critical juncture. As cyber threats grow more sophisticated and interconnected, the need for holistic, resilient cybersecurity strategies has never been greater. Professionals in both healthcare and cybersecurity must work collaboratively to protect patients, ensure continuity of care, and safeguard the trust that underpins the industry. By focusing on resilience, embracing innovative solutions, and fostering a culture of shared responsibility, the healthcare industry can rise to meet these challenges and build a safer, more secure future.
Source: "Challenges for Healthcare Cybersecurity" - Cybersecurity Insights, YouTube, Dec 2, 2025 - https://www.youtube.com/watch?v=oL5YwFOaO0A
