Mar 26 2026
Security

Healthcare Cyber Resilience: A Comprehensive Security and Recovery Guide

Cyber resilience in healthcare is evolving beyond uptime, focusing on ensuring clinicians can safely deliver care even when critical systems fail.

Health systems face the growing risk of IT outages caused by ransomware and other cyber-attacks, forcing healthcare leaders to rethink how care continues after critical systems go offline.

For CISOs, IT directors and clinical operations leaders, the priority must be ensuring clinicians can safely treat patients without access to electronic health records, diagnostic systems and other core platforms.

This is driving organizations to adopt cyber resilience strategies combining prevention, rapid recovery, business continuity planning and automation to maintain clinical operations during downtime.

Why Healthcare Is the Top Ransomware Target, and What’s at Stake for Patient Safety

Ryan Witt, vice president of industry solutions at Proofpoint, explains that healthcare is a prime ransomware target because it holds high-value data and cannot tolerate downtime.

“Attackers know hospitals face intense pressure to restore systems quickly when patient care is disrupted,” he says.

When critical systems such as EHRs or imaging go offline, the impact is immediate, increasing the risk of care delays, medical errors and patient safety incidents.

Cindi Carter, global CISO at Check Point, notes that hospitals cannot simply pause operations while systems are restored. When ransomware disrupts clinical environments, it impacts lab turnaround times, imaging access, medication verification, surgical scheduling, patient throughput and safety.

“Cognitive load increases as clinicians shift to manual processes, and that increases risk,” she says.

From her perspective, ransomware in a hospital is not an IT event — it is a patient safety event.

“Cyber resilience in healthcare must be measured not just in uptime percentages but also in sustained safe care delivery,” Carter says.

Layered Defense: Building a Prevention-First Security Posture for Healthcare IT

Witt says a prevention-first strategy in healthcare begins with protecting the human layer: the clinicians, staff and now AI-assisted workflows that attackers target most frequently.

“That means securing email and collaboration channels, strengthening identity protections and continuously monitoring for credential misuse and impersonation across cloud platforms,” he says.

It also requires visibility into how sensitive data is accessed and shared, both intentionally and accidentally.

By focusing on identity, behavior and data protection together, healthcare security providers can strengthen their organization’s defense posture and stop threats before they disrupt clinical operations.

Carter recommends a zero-trust architecture across clinical, administrative and third-party access, along with segmentation between EHR platforms, imaging systems, Internet of Medical Things devices and corporate networks.

Other measures include advanced threat prevention across email, endpoint, network and cloud layers, as well as AI-driven detection and automated containment capabilities.

Clinical Continuity Planning: Keeping Care Workflows Running Without EHR Access

Carter explains that clinical continuity planning must be treated with the same rigor as emergency preparedness planning.

Organizations should maintain clearly defined and regularly updated downtime procedures; practiced paper documentation workflows; redundant communication pathways; defined escalation protocols between IT, clinical leadership and executive teams; and pharmacy, lab and imaging fallback processes.

“A downtime binder that has never been drilled is not a resilience strategy,” Carter cautions.

Healthcare leaders should conduct realistic downtime simulations in which clinicians operate without EHR access for several hours.

These exercises reveal workflow friction, documentation gaps and communication breakdowns before a real incident occurs.

“Clinical resilience is choreography under pressure,” Carter says. “Manual workflows should be rehearsed so patients remain safe even when digital systems are unavailable.”

Rapid Recovery Frameworks: Immutable Backups and RTO vs. RPO Benchmarks for Hospitals

Rapid recovery frameworks that incorporate immutable backups, recovery time objectives (RTOs) and recovery point objectives (RPOs) are essential to ensuring healthcare organizations can restore clinical systems quickly and avoid prolonged care disruptions. RTOs and RPOs measure different aspects of business continuity. According to SentinelOne, your RTO is the maximum time your systems can be down before reaching an unacceptable level of business impact, while your RPO is the amount of tolerable data loss, measured from your organization’s last viable backup to the point of system disruption.

Cristian Rodriguez, Americas field CTO at CrowdStrike, says these frameworks must be embedded into business continuity planning, particularly for hospitals managing their own infrastructure or relying on complex hybrid environments.

“If you haven’t done a full business continuity exercise, you’re setting yourself up for failure if you don’t know how long it’s going to take you to get back up online,” he says.

Healthcare organizations must regularly test recovery procedures and validate their ability to restore systems during simulated outages, Rodriguez notes, adding that “practice is an absolute must.”

He also stresses the importance of auditing third-party providers to ensure they can meet recovery and availability commitments, including clear service-level agreements that define how data is protected and how quickly systems can be restored following a disruption.

Testing Your Plan: Tabletop Exercises and Downtime Drills for Clinical Teams

Witt says tabletop exercises that are structured and mirror real clinical pressure can effectively expose gaps in decision-making, communication and clinical coordination before a real attack occurs.

He recommends that organizations run scenario-based sessions that simulate a ransomware attack — from initial detection through EHR outage and recovery — requiring leaders to make real-time decisions about patient triage, diversion, communications and regulatory response.

Downtime drills should then operationalize those decisions by having front-line staff practice manual documentation, medication reconciliation and critical-result reporting under realistic time constraints. 

“The most resilient healthcare organizations treat these exercises as governance reviews,” he adds. “They identify gaps in human decision-making, communication flow and access control, concluding with the assignment of clear accountability for remediation.”

Hiraman/Getty Images