Security

Why Clinical Care Resilience Is a Top Priority in Healthcare

Whether planned or unexpected, healthcare organizations need to tighten up support for continuous operations when downtime happens.

Mike Grisamore

Mike Grisamore is Senior Vice President of Vertical Markets at CDW.

Clinicians have been trained to handle unexpected medical situations, but what’s become clear in recent years is that entire organizations need to strengthen procedures for when an unexpected IT event happens.

If a critical application, such as an electronic health records system or an enterprise resource planning platform, goes dark, can care teams still operate? And even if clinicians can switch to paper charting, does everyone know where the paper supplies are and how much inventory is available for a three-hour outage? A three-day outage? What about a three-week outage?

This is why clinical care resilience should be a top priority for healthcare organizations. Myriad cyberthreats are the reality in this industry. Today, it’s not a question of if but when

Clinical care resilience requires a team effort that encompasses technical and nontechnical approaches. Yes, it’s helpful to have a fully outfitted security operations center that can monitor emerging threats and vulnerabilities in real time. But it’s also crucial for organizations to be prepared for different scenarios — from systems failure to ransomware attacks — through regular, adaptable training.

EXPLORE: Ensure healthcare business continuity when IT fails.

Experienced Perspectives From Healthcare Organizations

Healthcare organizations can learn a lot from their peers, especially from those who have had to work through the fire of a real-life cyberattack. During the 2026 ViVE conference in Los Angeles in February, healthcare leaders shared their first-hand insights.

Anika Gardenhire, chief digital and information officer at Michigan Medicine, shared her perspective from working for organization that had experienced a ransomware attack in 2023. She said that collaboration across all departments, from IT and general counsel to operations and clinical, helped the organization keep moving despite disrupted services.

Nate Couture, CISO at University of Vermont Health Network, also shared lessons from his organization’s 2020 ransomware attack.

“We did not have to stop care, but we had IT systems offline for four weeks,” Couture said. “We had done a lot of preparation, but that was based on either short-term IT outages or mass casualty events — those were the two flavors of downtime and emergency management planning. Neither of those actually applied to the problem we were having. The one thing that did apply, though, was that we did have the relationships built as part of doing that work, and we leaned into those relationships, and through that, we were able to get through it.”

Click the banner below for a cyber resilience strategy that supports success.

x_security_q325_animated_click_desktop_03

x_security_q325_animated_click_mobile_03

One lesson that Children’s National Hospital Vice President and CISO Nate Lesser has taken from another organization has been to run more training exercises than what most providers typically do. When he learned that Intermountain Health underwent at least 24 security exercises in a year, rather than just one or two major exercises, he changed his approach.

“We still try to do at least one major exercise across a lot of departments and units, but now, we run mini-exercises on a monthly basis, sometimes more frequently with individual units,” Lesser said, adding that his team typically works more with nursing leadership.

All three leaders stressed that an organization’s cyber response plan may need to include nontechnical aspects; for example, how much cash on hand does the provider have access to if payroll is affected? What is the process to move information collected on paper charts into the EHR? What does “back to normal” even look like?

Emerging technologies represent another risk factor that more organizations must account for, especially as artificial intelligence continues to make headways in healthcare, Couture added.

“Every single one of those solutions that you put in that lets you do more with less on a day-to-day basis just made your resilience scenario that much harder. Because, while you can still do things the old way, you’ve now reset your staffing to expect to be able to get a certain amount of throughput,” Couture said. “Now, if that technology goes away, you don't have that staff to do it the old-fashioned way. So, that’s something you have to think about: How are you going to handle that as you’re implementing each one of these new solutions? It's great for what it is today, but also think about what this means for your resilience plan.”

Find the Right Industry Partners to Protect Your Environment

For healthcare organizations to improve their clinical care resilience, they should agree on some basic conditions. First, there should be an understanding about why it’s important and who will own it; fostering a sense of ownership will help crystalize its necessity to the organization. Next, seek advice and partnerships from experienced industry players.

As CDW Healthcare Strategist Eli Tarlow notes, if medical knowledge can be enthusiastically shared, so should information to improve clinical care resilience.

“Eventually, this resiliency approach should become second nature for healthcare organizations,” Tarlow wrote last year. “As an industry, we’re expected to always play catch-up when it comes to technology. Let’s not wait three years to meet a previous standard. Let’s make sure it's part of our governance processes now.”

Find an industry partner who can offer thorough assessments and recommendations, remediation, simulation and real-life scenarios that can test how ready your departments are for an unexpected event.

SDI Productions/Getty Images