Tom Bunger, Fronz Batot, Cary Brown
I was talking recently with the CISO of a large health system and I asked him: “What keeps you up at night?” His answer surprised me, not because it was shocking, but because it was refreshingly honest. It wasn’t the sophisticated AI-powered threats or zero-day exploits that haunted his 3 a.m. thoughts. It was the basics.
“It’s that system we knew was vulnerable and needed patching, but didn’t patch it and now it’s been compromised,” he explained. “It’s that laptop that was supposed to be encrypted but wasn’t, and now it’s lost with patient records on it. It’s the weak passwords on medical devices that we identified months ago but never fixed.”
These aren’t hypothetical scenarios. They’re the reality behind many of healthcare’s most devastating breaches.
The numbers paint a stark picture of what happens when we lose sight of fundamentals. Through September 2025, healthcare organizations reported approximately 508 large breaches affecting over 35 million records. While this is a decrease from 2024’s record-breaking 725 breaches affecting 275 million records, the average cost per breach was $7.4 million (the 2024 totals were inflated by the Change Healthcare breach alone, which affected 190 million records). Even more concerning, 70% of healthcare data breaches involved internal actors, a significantly higher share than in other sectors, and many of these resulted from non-malicious human error.
According to the 2025 Proofpoint/Ponemon Healthcare Cybersecurity Report, 96% of healthcare organizations experienced at least two incidents of data loss or exfiltration involving sensitive healthcare data over the past two years, with an average of 18 such incidents per organization. Most were caused by internal actors: employees not following policies (35%), privileged access abuse (25%), and emailing protected health information to unintended recipients (25%). Perhaps most alarming, 72% of organizations that experienced cyberattacks suffered disruption to patient care, directly impacting the clinical mission.
The Change Healthcare ransomware attack (one of the most catastrophic breaches in recent years) exposed the danger of overlooking fundamentals. In the 2024 attack, compromised credentials were used to access a Citrix portal that wasn’t protected by multifactor authentication. That single missing control resulted in 190 million patient records compromised and months of disruption across the entire U.S. healthcare system.
According to the 2025 Verizon Data Breach Investigations Report, phishing accounted for 16% of breaches, while compromised credentials were involved in 22% of all data breaches. Vulnerability exploitation increased by 34% year-over-year to 20% of all breaches, overtaking credential-based attacks as a top technical root cause in healthcare for the first time in three years.
In January 2025, Frederick Health Medical Group experienced a ransomware attack that affected 934,000 patients and forced the healthcare system to divert ambulances to other facilities. The attack disrupted patient care through delays to services, highlighting how basic security failures create real-world consequences for patient safety. In another 2025 incident, SimonMed Imaging disclosed that over 1.27 million patient records were compromised when attackers gained access through a third-party vendor. The breach, attributed to the Medusa ransomware group, began on January 21 and went undetected for a week. In response, SimonMed immediately began resetting passwords, implementing endpoint detection and response monitoring, removing third-party vendor direct access to systems, and improving multifactor authentication—all controls that should have been in place beforehand.
Addressing the Basics: Five Essential Controls
Addressing the basics is critical. Focusing on these five areas will help your organization protect against some of the most exploited weaknesses.
- Patch Management
Establish a documented patch management program that includes discovery, prioritization, testing, deployment, and verification. Aim to remediate critical vulnerabilities within days, not weeks. Create a complete inventory of all systems, applications, and medical devices. You can’t patch what you don’t know exists.
Making it operational: Assign clear ownership for each system. Automate wherever possible. Track the percentage of systems patched within SLA by severity level, and conduct quarterly audits through vulnerability scanning.
- Multi-Factor Authentication
MFA should be required everywhere, with no exceptions. This includes all remote access, privileged accounts, email, VPN, and cloud applications. The Change Healthcare breach proves the catastrophic cost of even one missing control. Consider implementing phishing-resistant MFA methods such as FIDO2 or hardware tokens, as traditional MFA can be bypassed through prompt bombing attacks.
Making it operational: Start with critical systems and expand systematically. Use push notifications or biometrics where possible. Automate user lifecycle management so access is adjusted when roles change. Document every exception and require executive approval. Many exceptions disappear under scrutiny.
- Encryption
Full disk encryption should be mandatory on all devices that could leave the facility: laptops, tablets, smartphones, portable hard drives, USB drives, and small-form-factor workstations. Lost or stolen devices with unencrypted patient data remain a leading cause of reportable breaches.
Making it operational: Use device management tools to enforce encryption automatically. Conduct quarterly spot checks across departments. Make findings visible to department leaders and hold them accountable. Build encryption status into your asset inventory with verification dates.
- Security Awareness Training
Research from UC San Diego Health found that traditional long-form annual training showed minimal benefit in preventing phishing attacks. Training should be ongoing. Short, frequent touchpoints (10-15 minutes monthly) work better than longer annual sessions.
Making it operational: Make content healthcare-specific and scenario-based. Supplement online training with department-specific in-person sessions. Conduct role-based phishing campaigns to train specific user groups (e.g., senior executives, privileged users) against attacks that target them specifically (e.g., whaling, spear-phishing). Create simple mechanisms for employees to report suspicious emails with immediate feedback.
- Medical Device Security
Medical devices often can’t be patched immediately, run outdated operating systems, and may have weak credentials. Yet they’re connected to networks that process patient data. With 89% of healthcare organizations operating medical IoT devices that carry known exploited vulnerabilities currently used in ransomware campaigns, this is a critical exposure.
Making it operational: Maintain a complete inventory integrated with vulnerability management. Implement network segmentation to isolate medical devices. Establish a medical device security committee including biomedical engineering, IT security, and clinical leadership. Build security requirements into procurement processes and create documented procedures for when devices reach end-of-support.
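The patch, encryption, and device sections above all come down to the same operational loop: keep an inventory with a named owner per asset, and measure it against a written standard (patch SLA by severity, quarterly encryption verification). The following is an added example, not code from the article or its authors, showing how those two metrics can be computed over an inventory. The asset rows, owners, dates and SLA windows are all constructed for illustration; the SLA values in particular are assumptions to be replaced with your own policy.

```python
"""
Added example (not from the original article): compute the patch-SLA and
encryption-verification metrics the "Making it operational" guidance calls
for, over a constructed asset inventory. Every row, owner, date and SLA
window below is made up for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLAs in days by severity ("days, not weeks" for
# critical findings). Replace with the windows in your own policy.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Encryption status on portable devices is re-verified at least quarterly.
ENCRYPTION_VERIFY_DAYS = 90


@dataclass
class Asset:
    name: str
    owner: str                    # named owner accountable for the asset
    portable: bool                # could leave the facility (laptop, USB, ...)
    severity: Optional[str]       # highest open vulnerability severity, None if clean
    found: Optional[date]         # when that vulnerability was discovered
    patched: Optional[date]       # when it was remediated, None if still open
    encrypted: Optional[bool]     # full-disk encryption confirmed? None = never checked
    enc_verified: Optional[date]  # last date the encryption status was verified


def patch_sla_compliance(assets, today):
    """Percent of findings, per severity, remediated inside the SLA window.

    An open finding past its deadline counts as a miss, so unpatched systems
    drag the number down instead of being silently ignored. Open findings
    still inside their window are not counted yet.
    """
    counts = {sev: [0, 0] for sev in PATCH_SLA_DAYS}  # sev -> [hits, total]
    for a in assets:
        if a.severity is None or a.found is None:
            continue
        deadline = a.found + timedelta(days=PATCH_SLA_DAYS[a.severity])
        if a.patched is None and today <= deadline:
            continue  # open, but the SLA clock has not run out
        counts[a.severity][1] += 1
        if a.patched is not None and a.patched <= deadline:
            counts[a.severity][0] += 1
    return {sev: (round(100.0 * hit / total, 1) if total else None)
            for sev, (hit, total) in counts.items()}


def overdue_patches(assets, today):
    """Open findings past their deadline, with owner, most overdue first."""
    out = []
    for a in assets:
        if a.severity is None or a.found is None or a.patched is not None:
            continue
        deadline = a.found + timedelta(days=PATCH_SLA_DAYS[a.severity])
        if today > deadline:
            out.append((a.name, a.owner, a.severity, (today - deadline).days))
    return sorted(out, key=lambda row: -row[3])


def encryption_exceptions(assets, today):
    """Portable devices that are unencrypted, never checked, or stale."""
    out = []
    for a in assets:
        if not a.portable:
            continue
        if a.encrypted is not True:
            out.append((a.name, a.owner, "unencrypted or unverified"))
        elif a.enc_verified is None or \
                (today - a.enc_verified).days > ENCRYPTION_VERIFY_DAYS:
            out.append((a.name, a.owner, "verification stale"))
    return out


# Constructed sample inventory and reporting date.
TODAY = date(2025, 10, 1)
INVENTORY = [
    Asset("ehr-app-01", "Clinical Apps", False, "critical", date(2025, 9, 1), date(2025, 9, 5), None, None),
    Asset("remote-gw-02", "Infrastructure", False, "critical", date(2025, 8, 1), None, None, None),
    Asset("rad-ws-07", "Radiology", False, "high", date(2025, 8, 10), date(2025, 9, 20), None, None),
    Asset("infusion-pump-33", "Biomed", False, "high", date(2025, 9, 20), None, None, None),
    Asset("lt-nurse-114", "Nursing", True, None, None, None, True, date(2025, 8, 15)),
    Asset("lt-exec-003", "Executive Office", True, "medium", date(2025, 5, 1), date(2025, 7, 1), True, date(2025, 5, 2)),
    Asset("usb-lab-21", "Laboratory", True, None, None, None, None, None),
]


def quarterly_report(assets=INVENTORY, today=TODAY):
    """The three numbers a leadership dashboard would carry each quarter."""
    return {
        "patch_sla_pct": patch_sla_compliance(assets, today),
        "overdue": overdue_patches(assets, today),
        "encryption_exceptions": encryption_exceptions(assets, today),
    }


if __name__ == "__main__":
    for key, value in quarterly_report().items():
        print(key, value)
```

Two design points worth noting: an open finding only counts against the metric once its window has elapsed, so the percentage reflects missed deadlines rather than work still in progress, and every exception is reported with its owner, which is what makes the "named owner" rule in the next section enforceable.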
Making it Stick
Operational discipline is what ensures the basics get done even when things get busy, and that requires clear ownership and accountability. Every system, device, and process should have a named owner accountable for maintaining its security standards. Shared responsibility leads to no responsibility.
Create a culture where basics matter. Leadership must visibly prioritize foundational security. When executives demonstrate they care about patch status, MFA compliance, and encryption verification, the rest of the organization follows. Establish key metrics and report them regularly to leadership. Periodic audits (both manual verification and automated scans) will help identify gaps.
The Path Forward
Yes, emerging threats like AI-powered attacks and sophisticated ransomware groups deserve attention. But don’t let those headline-grabbing risks distract you from the unglamorous work of executing consistently on basic security controls.
At 3 a.m., when the CISO can’t sleep, it’s not because they are worried about which sophisticated threat actor might target the organization. It’s because they know that somewhere in the environment there’s probably a system that should have been patched, a device that should have been encrypted, or a credential that should have been strengthened, and they are wondering if today will be the day an attacker finds it.
The basics aren’t exciting. They don’t make headlines or win industry awards. But they prevent the vast majority of breaches that actually occur. A rigorous focus on executing fundamentals consistently, measured through metrics and validated through audits, will do more to protect your organization than any cutting-edge security tool.
The basics still matter. They always have.
References
2025 Healthcare Data Breach Statistics:
- HIPAA Journal: Healthcare Data Breach Statistics – https://www.hipaajournal.com/healthcare-data-breach-statistics/
- Secureframe: What 2025 Healthcare Data Breaches Reveal – https://secureframe.com/blog/healthcare-data-breaches
2025 Proofpoint/Ponemon Healthcare Cybersecurity Report:
- Proofpoint: Fourth Annual Ponemon Institute Report – https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report
2025 Verizon Data Breach Investigations Report:
- Verizon DBIR 2025 – https://www.verizon.com/business/resources/reports/dbir/
Change Healthcare Breach:
- TechCrunch: Change Healthcare Hackers Broke In Using Stolen Credentials – https://techcrunch.com/2024/04/30/uhg-change-healthcare-ransomware-compromised-credentials-mfa/
Frederick Health Breach (2025):
- HIPAA Journal: Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients – https://www.hipaajournal.com/frederick-health-medical-group-ransomware-attack/
- BleepingComputer: Frederick Health Data Breach Impacts Nearly 1 Million Patients – https://www.bleepingcomputer.com/news/security/frederick-health-data-breach-impacts-nearly-1-million-patients/
SimonMed Imaging Breach (2025):
- HIPAA Journal: SimonMed Imaging Confirms January 2025 Cyberattack – https://www.hipaajournal.com/simonmed-imaging-confirms-january-2025-cyberattack/
- SecurityWeek: SimonMed Imaging Data Breach Impacts 1.2 Million – https://www.securityweek.com/simonmed-imaging-data-breach-impacts-1-2-million/
UC San Diego Health Security Awareness Training Study:
- UC San Diego: Cybersecurity Training Programs Don’t Prevent Employees from Falling for Phishing Scams – https://today.ucsd.edu/story/cybersecurity-training-programs-dont-prevent-employees-from-falling-for-phishing-scams
Healthcare Medical Device Vulnerability Data:
- Help Net Security: Healthcare Devices Vulnerabilities – https://www.helpnetsecurity.com/2025/03/28/healthcare-devices-vulnerabilities