Hospitals and health systems are under unusual strain. Attacks that begin with a single phished account often jump into poorly segmented clinical networks or third‑party services that touch billing, imaging, or patient engagement. The impact is no longer theoretical. It shows up as canceled procedures, delayed results, diversion in emergency departments, and higher insurance scrutiny after every major incident. Security leaders need a short list of steps that reduce risk this quarter, not an endless platform search.
Recent reporting from Netwrix, summarized by Cybersecurity Dive, captures the pattern providers keep seeing: credential abuse and third‑party access are the most common routes in, and recovery costs are rising. The numbers match what clinicians feel on the floor. Once an attacker obtains a privileged token or gets into a vendor account with broad access, the path from email to care‑critical systems is short.
Policy tailwinds are building. A bipartisan Healthcare Cybersecurity Act of 2025 in Congress would expand support for hospitals and public health entities, formalize HHS–CISA coordination, and encourage concrete safeguards such as multifactor authentication and encryption for systems that store or transmit protected health information. Combined with the proposed updates to the HIPAA Security Rule that emphasize asset inventories, contingency planning, and risk analysis, the direction of travel is clear. The sector is moving from broad guidance to specific expectations.
Identity is the fastest lever to pull. Many provider networks still carry long‑lived service accounts and daily‑use admin privileges. The fix is not glamorous, but it works: vault and rotate service credentials, use just‑in‑time elevation with session recording for high‑risk tasks, and enforce phishing‑resistant MFA (FIDO2 or smart‑card, not push or SMS) anywhere a privileged session can start. When standing privilege is gone, a stolen password on its own no longer buys a quiet, persistent foothold: the elevation request the attacker would need is logged, time‑boxed, and bound to a factor that phishing cannot replay.
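The checks above can be scripted against an export of the identity directory. The following is an added example, not code from the article or from any vendor product; the inventory rows, field names and the 90‑day rotation threshold are assumptions. It flags standing admin rights, unvaulted or stale service credentials, and privileged humans who are not on phishing‑resistant MFA, and it computes the "age of privileged access" figure that is useful for reporting.

```python
"""Audit a constructed identity inventory for standing privilege, stale or
unvaulted service credentials and privileged users without phishing-resistant
MFA. Added example; the row schema is an assumption, not a real IdP export."""
from datetime import date

AS_OF = date(2025, 10, 1)            # assumed audit date, fixed so results are reproducible
MAX_SERVICE_CRED_AGE_DAYS = 90       # assumed rotation policy for vaulted service credentials
PHISHING_RESISTANT = {"fido2", "piv", "smartcard"}

# Constructed sample export (not real accounts).
ACCOUNTS = [
    {"name": "svc-hl7-engine", "type": "service", "privileged": True, "standing_admin": True,
     "cred_rotated": "2024-01-15", "vaulted": False, "mfa": "n/a"},
    {"name": "svc-pacs-gw", "type": "service", "privileged": True, "standing_admin": False,
     "cred_rotated": "2025-08-30", "vaulted": True, "mfa": "n/a"},
    {"name": "jdoe-admin", "type": "human", "privileged": True, "standing_admin": True,
     "cred_rotated": "2025-09-01", "vaulted": False, "mfa": "push"},
    {"name": "asmith", "type": "human", "privileged": True, "standing_admin": False,
     "cred_rotated": "2025-09-10", "vaulted": False, "mfa": "fido2"},
    {"name": "nurse01", "type": "human", "privileged": False, "standing_admin": False,
     "cred_rotated": "2025-06-01", "vaulted": False, "mfa": "push"},
]


def credential_age_days(acct, today=AS_OF):
    """Days since the account's credential was last rotated."""
    return (today - date.fromisoformat(acct["cred_rotated"])).days


def audit(accounts, today=AS_OF):
    """Return (account, finding) pairs for every privileged account that
    violates one of the controls the text describes."""
    findings = []
    for a in accounts:
        if not a["privileged"]:
            continue  # non-privileged users are outside this quarter's scope
        if a["standing_admin"]:
            findings.append((a["name"], "standing_admin"))
        if a["type"] == "service":
            if not a["vaulted"]:
                findings.append((a["name"], "unvaulted_service_credential"))
            if credential_age_days(a, today) > MAX_SERVICE_CRED_AGE_DAYS:
                findings.append((a["name"], "stale_service_credential"))
        elif a["mfa"] not in PHISHING_RESISTANT:
            findings.append((a["name"], "weak_mfa"))
    return findings


def privileged_access_age(accounts, today=AS_OF):
    """Reporting metric: age in days of the oldest unrotated privileged credential."""
    ages = [credential_age_days(a, today) for a in accounts if a["privileged"]]
    return max(ages) if ages else 0


if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS):
        print(f"{name:16} {finding}")
    print("oldest privileged credential (days):", privileged_access_age(ACCOUNTS))
```

In a real run the inventory would come from the directory or PAM tool rather than a literal, and the thresholds would come from the written policy; the decision logic stays the same.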
The next pressure point is the equipment and middleware that knit clinical workflows together. Internet‑connected medical devices often run legacy operating systems and cannot be patched on demand. If those devices sit on the same VLANs as user endpoints, a routine workstation compromise can turn into an outage. A better pattern is a clinical enclave. Put the EHR, lab systems, and device gateways behind firm boundaries. Allow only brokered protocols across those boundaries (for example, HL7 feeds through the interface engine and DICOM through the PACS gateway, never direct workstation‑to‑server connections) and force vendors through identity‑aware remote access. It is not microsegmentation in week one; it is creating a choke point that stops opportunistic lateral movement.
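The enclave rule is simple enough to check mechanically against flow records from the boundary firewall or a NetFlow collector. The block below is an added example, not code from the article or from any firewall vendor; the subnets, broker addresses, ports and the flow‑log line format are all assumptions. It treats every flow into the enclave as denied unless the source is a designated broker using the one protocol that broker is allowed to carry, which is exactly the choke‑point policy described above.

```python
"""Check constructed flow records against a clinical-enclave boundary policy.
A flow from outside the enclave to inside is allowed only when the source is
a designated broker using a protocol it is permitted to carry. Added example;
addressing, ports and log format are assumptions, not from the article."""
import ipaddress

# Assumed addressing: EHR, lab systems and device gateways live in ENCLAVE.
ENCLAVE = ipaddress.ip_network("10.50.0.0/16")

# Assumed brokers and the only (port, proto) pairs each may open into the enclave.
BROKERS = {
    ipaddress.ip_address("10.20.0.5"): {(2575, "tcp")},                # interface engine: HL7 over MLLP
    ipaddress.ip_address("10.20.0.6"): {(104, "tcp"), (11112, "tcp")},  # PACS gateway: DICOM
    ipaddress.ip_address("10.20.0.7"): {(22, "tcp"), (443, "tcp"), (3389, "tcp")},  # identity-aware vendor gateway
}

# Constructed flow log: "<timestamp> <src> <dst> <dst_port> <proto>" per line.
FLOWS = """\
2025-10-01T08:00:01Z 10.20.0.5 10.50.2.5 2575 tcp
2025-10-01T08:00:02Z 10.10.4.22 10.50.2.5 445 tcp
2025-10-01T08:00:03Z 10.20.0.6 10.50.3.9 11112 tcp
2025-10-01T08:00:04Z 10.20.0.7 10.50.2.5 3389 tcp
2025-10-01T08:00:05Z 203.0.113.8 10.50.2.5 3389 tcp
2025-10-01T08:00:06Z 10.50.2.5 10.50.3.9 2575 tcp
2025-10-01T08:00:07Z 10.10.4.22 10.10.4.23 445 tcp
2025-10-01T08:00:08Z 10.20.0.5 10.50.2.5 22 tcp
"""


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": int(port), "proto": proto}


def evaluate(flow):
    """Return None when the flow is allowed by the enclave policy, else a reason."""
    if flow["dst"] not in ENCLAVE or flow["src"] in ENCLAVE:
        return None  # does not cross the boundary inbound; not this policy's concern
    permitted = BROKERS.get(flow["src"])
    if permitted is None:
        return "unbrokered source reached the enclave"  # workstation, internet host, etc.
    if (flow["port"], flow["proto"]) not in permitted:
        return "broker used a protocol it is not permitted to carry"
    return None


def check_flows(text):
    """Run the policy over a flow log and return the violating flows."""
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = evaluate(flow)
        if reason is not None:
            violations.append({"ts": flow["ts"], "src": str(flow["src"]), "dst": str(flow["dst"]),
                               "port": flow["port"], "reason": reason})
    return violations


if __name__ == "__main__":
    for v in check_flows(FLOWS):
        print(f"{v['ts']} {v['src']} -> {v['dst']}:{v['port']}  {v['reason']}")
```

Three of the eight constructed flows violate the policy: an SMB connection from a user workstation, a direct RDP attempt from an internet address that bypassed the vendor gateway, and the interface engine opening SSH, which it is not a broker for. The last case is the one a coarse "trust the broker host" rule would miss.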
Preparedness matters as much as prevention. Backups should be both immutable, so that a compromised admin account cannot delete or encrypt them, and demonstrably recoverable. It is worth testing restores of three systems every quarter—EHR, imaging/PACS, and revenue cycle—on non‑production hardware. Measure the time to a clean, verified restore, not just the existence of a backup file. Pair those tests with short “downtime drills” that include nursing leadership and lab directors. Two hours spent walking through manual workflows will expose gaps that a tabletop will miss.
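"Measure the time to cleanly restore" has a concrete meaning: extract the backup onto scratch hardware, verify every restored file against an integrity manifest, and record the elapsed time. The following is an added example, not code from the article or from any backup product; the archive layout (a tar with a sha256sum‑style manifest) and the manifest name are assumptions. It also shows what a tampered or corrupted backup looks like to the same test, which is the failure mode a "does the file exist" check never sees.

```python
"""Time a restore of a constructed backup archive and verify every restored
file against the archive's SHA-256 manifest, so the test measures a clean
restore rather than the existence of a backup file. Added example; the
archive layout and manifest name are assumptions, not from the article."""
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.sha256"  # assumed manifest member, same line format as sha256sum

# Constructed stand-in for a small EHR backup set (not real data).
SAMPLE_FILES = {
    "ehr/db.sql": b"CREATE TABLE patient (id INT);\n" * 200,
    "ehr/config.ini": b"[db]\nhost=ehr-db01\n",
}


def _pack(members):
    """Write {name: bytes} into an in-memory tar and return the archive bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_constructed_backup(files):
    """Pack files plus a sha256sum-style manifest into a tar archive."""
    manifest = "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in files.items()
    ).encode()
    return _pack({**files, MANIFEST: manifest})


def tamper(archive, name, data):
    """Replace one member's content without touching the manifest, simulating
    a corrupted or maliciously altered backup copy."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    members[name] = data
    return _pack(members)


def restore_and_verify(archive, dest):
    """Extract the archive into dest, then check every manifest entry.
    Returns elapsed seconds, the number of files checked and the names that
    are missing or whose hash does not match."""
    start = time.monotonic()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        try:
            tar.extractall(dest, filter="data")  # rejects path traversal, links, devices
        except TypeError:  # Python without the extraction-filter backport
            tar.extractall(dest)
    mismatches = []
    checked = 0
    for line in (dest / MANIFEST).read_text().splitlines():
        expected, name = line.split("  ", 1)
        path = dest / name
        checked += 1
        if not path.is_file() or hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            mismatches.append(name)
    return {"elapsed_s": time.monotonic() - start, "files_checked": checked,
            "mismatches": mismatches, "clean": not mismatches}


def run_restore_test(archive):
    """Restore into a scratch directory, the stand-in for non-production hardware."""
    with tempfile.TemporaryDirectory() as scratch:
        return restore_and_verify(archive, Path(scratch))


if __name__ == "__main__":
    good = run_restore_test(build_constructed_backup(SAMPLE_FILES))
    bad = run_restore_test(tamper(build_constructed_backup(SAMPLE_FILES), "ehr/db.sql", b"garbage"))
    print(f"clean restore: {good['clean']} in {good['elapsed_s']:.3f}s, {good['files_checked']} files")
    print(f"tampered copy: clean={bad['clean']} mismatches={bad['mismatches']}")
```

The number to put in the quarterly report is `elapsed_s` from a run that returned `clean`; a fast restore with mismatches is a failed test. For an EHR or PACS the same shape holds, with the application's own consistency check (database integrity check, study count reconciliation) standing in for the per‑file hash.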
Vendors need sharper obligations. Business associate agreements should require MFA, device posture checks for remote access, evidence sharing within hours of detection, and a named incident‑response contact. For your top suppliers, schedule a joint exercise at least once a year. If a partner cannot commit to basic hygiene or to a restoration service level objective, the risk belongs on the board agenda.
Quarter‑by‑quarter priorities:
- Remove standing privileges, vault service accounts, and move admins to just‑in‑time elevation.
- Build a simple clinical enclave and require identity‑aware vendor access into it.
- Run quarterly restore tests for EHR, imaging, and revenue cycle systems on non‑production gear.
- Update BAAs to include MFA, device posture, breach‑notification SLAs, and IR contacts.
- Conduct a two‑hour clinical “downtime drill” each quarter with nursing and lab leaders.
Reporting improves when it uses clinical and financial language. Track dwell time inside clinical networks, the age of privileged access, restoration time for lab and imaging systems, and vendor patch latency. Tie those metrics to patient diversion minutes, procedure backlogs, and claim delays. The case for investment is strongest when it is expressed in the outcomes clinicians and executives already manage.
The next few quarters will bring more policy activity, pressure from payers, and greater board attention. None of that changes the essentials. Limit standing privilege, enforce MFA where it matters, segment anything that touches care, and prove recovery on the systems that keep the hospital moving. The organizations that do these basics consistently have shorter outages and fewer surprises.
References:
- HIPAA Journal, “Healthcare Cybersecurity Act of 2025” (overview and status): https://www.hipaajournal.com/healthcare-cybersecurity-act-of-2025/
- Cybersecurity Dive, coverage of Netwrix 2025 healthcare findings: https://www.cybersecuritydive.com/news/healthcare-cyberattacks-report-netwrix/760507/
- Forbes, “Healthcare Cybersecurity: The Urgency of Now” (Sept. 23, 2025): https://www.forbes.com/sites/chuckbrooks/2025/09/23/healthcare-cybersecurity-the-urgency-of-now/