What Healthcare Leaders Need to Know About Cybersecurity in 2026-2027

“Healthcare is a perfect target for cyberattacks. They’ve got life-critical systems, highly-sensitive patient data, and possibly valuable clinical research. And they’re all running on incredibly complex, fragile networks, operating in under-resourced environments.”

Errol Weiss, Chief Security Officer, Health Information Sharing & Analysis Center (Health-ISAC)

Cyberwarfare knows no borders. Hospitals and other healthcare organizations are on the front line. In March 2026, a major cyberattack disabled cellphones and laptops at Stryker, a medical devices company. The perpetrators were Handala, an Iranian-linked group, and the attack was claimed to be a response to American and Israeli bombing campaigns in Iran. Disruptions from the Stryker outage were relatively minor—other attacks have done far worse—but they were a reminder of the healthcare sector’s multivariate vulnerability to cyberthreats.

Healthcare is the top target for ransomware and other cyberattacks. In 2025, there were approximately 460 ransomware attacks and 182 data breaches in the healthcare industry, for a total of 642 cyber events—more than experienced by the financial services industry (AHA 2026). The trend will likely continue. Healthcare organizations are high-value, under-resourced targets, and their cyber defenses lag behind other critical national infrastructure.

In February 2026, the Health Care Cybersecurity and Resiliency Act passed through the Senate Health, Education, and Labor Committee on a 22-to-1 vote. If passed, it would require the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate to improve cybersecurity in the healthcare and public health sectors. Its strong support shows that cybersecurity in healthcare is a national priority. But healthcare leaders at every level need to make it a priority, too.

Meet the Experts

Greg Garcia

Greg Garcia is the executive director for cybersecurity of the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group. He was appointed by President George W. Bush as the nation’s first Assistant Secretary for Cyber Security and Communications at the U.S. Department of Homeland Security from 2006-2009, where he led the National Cyber Security Division, the National Communications System, and the Office of Emergency Communications.

After DHS, Garcia led Bank of America’s external partnership strategy for cybersecurity and identity management, then served as executive director of the Financial Services Sector Coordinating Council (FSSCC). Earlier in his career, he served as professional staff for the U.S. House of Representatives Committee on Science, and as a public policy executive for the Information Technology Association of America, American Electronics Association, and 3Com Corporation.

Errol Weiss

Errol Weiss is the chief security officer (CSO) at the Health Information Sharing & Analysis Center (Health-ISAC). He began his career as a cryptologic engineer at the National Security Agency (NSA), where he conducted vulnerability analyses and penetration tests of classified US government systems.

After NSA, Weiss created and ran Citigroup’s Cyber Intelligence Center and served as a senior vice president executive on Bank of America’s Global Information Security team. He was a key member of the team responsible for creating the world’s first ISAC: the Financial Services ISAC. Weiss joined Health-ISAC in 2019 and created Health-ISAC’s Threat Operations Center, which provides nearly 1,200 health organizations worldwide with actionable threat intelligence.

Cybersecurity is Patient Safety

“Cybersecurity is patient safety, and that is our ground truth,” Garcia says. “We’re seeing cyberattacks and ransomware attacks increasingly disrupt patient care.”

Cyberattacks in healthcare cause all the usual chaos—financial loss, data breaches, service disruption—but under conditions where lives are at stake. A single outage can have enormous ripple effects. In 2021, a ransomware attack on Scripps Health knocked out its EHRs, imaging, and telemedicine systems, forcing clinicians to revert to manual processes. Operational disruptions lingered for a month. And it wasn’t only Scripps that was affected: ED waiting room times increased by a third in surrounding facilities, while admitted patients increased by a fourth. Healthcare leaders need systems, processes, and individuals who are aware of, and prepared for, cyberattacks. 

“The tricky part for healthcare leaders is in balancing the finance, staff, and resources they have available, plus the regulatory pressures they face,” Weiss says. “But the question isn’t, ‘Do I buy the latest MRI machine or the latest cybersecurity product?’ The balance needs to be: ‘How do we secure the systems that patient care depends on?’ When EHRs or lab systems go down, that slows care, and ultimately impacts patient outcomes.”

If a hospital or clinic were stocked with dull scalpels, an administrator would be derelict in their duty if they didn’t replace them. Similarly, if an infection risk were present in a hospital or clinic, neutralizing it would hardly be dismissed due to cost. But while the threat of cyberattack is clear and present, its symptoms may not show until it’s too late: everything works fine until it doesn’t.

“The problem with cyber is that you don’t see it,” Weiss says. “But nobody’s thinking about what could be going on under the hood.”

Once a healthcare facility is under cyberattack, it’s largely too late: care will be disrupted. Prevention is the best medicine. Health-ISAC produces daily reports that look at recent breaches and cyber incidents to analyze how they could be prevented in the future. HSCC publishes extensively on healthcare cybersecurity topics, such as third-party risk from AI. The cyber threat is still clear and present, but awareness has shifted: as ransomware and malware attacks have increased over the last decade, organizations are beginning to justify a bigger cybersecurity budget. 

“In the eight years since I’ve been Executive Director of the Cybersecurity Working Group, the level of awareness has grown exponentially,” Garcia says. “We now have around 500 members in public-private partnership. The awareness is there, and so is the motivation and energy.”

Why Healthcare Organizations Are Vulnerable to Cyberattacks

Healthcare is critical infrastructure, but its cybersecurity budgets lag behind those of other critical infrastructure sectors. When health records began to be digitized in the mid-1990s, healthcare IT budgets focused more on HIPAA compliance and patient privacy than on network cybersecurity. That’s started to change over the last ten years, as attacks have proliferated and awareness has grown. Budgets are moving in the right direction now, with more investment, more technology, and more talent being shifted towards cybersecurity, but the industry is still playing catch-up.

“Healthcare is a perfect target for cyberattacks,” Weiss says. “They’ve got life-critical systems, highly-sensitive patient data, and possibly valuable clinical research. And they’re all running on incredibly complex, fragile networks, operating in under-resourced environments.”

In 2025, Dr. Christian Dameff, Co-Director of the Center for Healthcare Cybersecurity at UC San Diego, testified before the US House Energy & Commerce Committee’s Subcommittee on Oversight & Investigations on cybersecurity vulnerabilities in legacy medical devices. As both a frontline clinician and security researcher, he described how healthcare’s system of aging, unpatchable devices—combined with chronically under-resourced healthcare environments—created patient-safety risk and made quick fixes next to impossible.

“The attack surface is broad,” Garcia says. “A hospital is connected to a medical device manufacturer, an insurance company, a pharmacy benefits manager, and all these IT and communication pathways carrying data and imaging and electronic transactions. Each one of those is a possible attack vector. That creates an ecosystem of distributed vulnerability.” 

But it’s not only about keeping systems up and running and secure. When electronic systems fail during a cyberattack, healthcare facilities still need to function as best they can. That can mean shifting from EHRs to paper and pen, instituting manual workflows, and shifting to backup providers. Those backup plans require development, preparation, testing, and training, but the investment is well worth it when one considers the costs of a cyberattack.

How Healthcare Leaders Can Build Cyber Resilience

The healthcare organizations that do cybersecurity best are generally the larger hospital systems that have mature, centralized, well-funded information security departments that can rival the cyber resilience of the banking and finance sector’s major players. Conversely, smaller hospitals in rural areas will have difficulty recruiting the right talent and amassing the proper resources to adequately protect their networks. But there are still things that can be done.

“The highest-impact, lowest-cost thing you can do is probably hire a managed security service,” Garcia says. “Get someone who does this at scale, and pay for some basic expertise.”

Phishing remains the primary attack vector in healthcare cybersecurity. Instead of exploiting a technical vulnerability, someone unwittingly hands over their keys and gives malicious actors access to critical systems. Lamentable as that is, it’s also one of the easiest things to fix, not unlike how washing one’s hands drastically reduces the rate of infection.

“I encourage everyone in the category of smaller healthcare organizations to focus on solid cybersecurity hygiene and the basics of what they should be doing,” Weiss says. “And if they can do those well, then they can look into getting a virtual or part-time CISO who can come in and provide some strategic direction, ensuring the organization is moving in the right direction.”

In December 2023, the US Department of Health and Human Services (HHS) published its Healthcare Sector Cybersecurity Strategy, which included voluntary cyber performance goals (CPGs) for the healthcare and public health (HPH) sector. Those CPGs aim to help healthcare leaders prioritize their organizations’ implementation of high-impact cybersecurity practices that will improve resilience to the most common attack vectors. The CPGs come in two tiers: essential and enhanced. Essential CPGs are relatively low-cost practices that boost cybersecurity, while enhanced CPGs aim to encourage adoption of more advanced cybersecurity practices.

“The CPGs are a good place to start,” Weiss says. “It’s a comprehensive list, and a really good set of controls to aspire to.”

To narrow it down even further, Weiss identifies a few key areas of specific focus. First is identity and access: ensuring multi-factor authentication (MFA) for all remote access and any internal access to sensitive systems, then regularly auditing adherence. Second is ensuring that all critical systems are backed up, and that those backups and recovery systems are tested regularly before there’s downtime. Third is staying up to date on patches. New vulnerabilities and exploits are coming out quickly, and they’re expected to increase even more rapidly. 

“With the rapid advances we’re seeing with AI, the timeline between when a vulnerability is discovered and the time when the exploits start happening is going to compress,” Weiss says. “We need to be on top of vulnerability management and patching much faster than we’ve ever done in the past.”

The best defense is awareness, and organizations like Health-ISAC and HSCC are built on the power of information sharing. Healthcare leaders can benefit from participating in a trusted community where people collaborate, learn best practices, receive practical guidance, and stay up to date on emerging threats and vulnerabilities. When one hospital is attacked, that information can be quickly shared with the rest of the community to help them protect themselves, turning cyberdefense into a team sport.

The Future of Cybersecurity in Healthcare

“When it comes to cyberattacks on healthcare, it’s a matter of when, not if,” Garcia says. “Forewarned is forearmed. The culture of leadership in cybersecurity gives me a lot of hope and pride, but my optimism is tempered by my fear, and my fear is tempered by my optimism. It’s a game of chess with no checkmate.”

Things might get worse before they get better. Attackers have the initiative, and are growing increasingly sophisticated. This year, Anthropic’s Mythos AI model was deemed too dangerous for wide release due to its ability to find working exploits for serious software vulnerabilities. 

Anthropic pivoted Mythos into a defensive effort—Project Glasswing—that works with security experts to find and patch vulnerabilities in critical software before they’re exploited. But Mythos’s existence presages similar AI models, which could fall into the wrong hands.

“AI is going to move the needle, fast,” Weiss says. “In cybersecurity, we’re using it in so many ways to help us do our jobs better. But on the flip side, the bad guys are using it to create better attacks, develop more innovative scams, and discover new vulnerabilities. It’s going to be hard to keep up, but hopefully we can leverage many of those same AI tools to even out the game.”

Healthcare is critical infrastructure. Its vulnerability to cyberattack can and should unsettle the industry. But if healthcare leaders make cybersecurity a priority—and commit to seeing cybersecurity as patient safety—then they’ll be aligned with a difficult yet righteous mission.

“What makes this job and this environment so exciting and rewarding is that people here believe in the mission,” Weiss says. “Hospital CISOs, medical device manufacturers, health IT organizations, insurance companies—they all believe in protecting the patient and improving people’s lives. It’s such a motivating factor in everything we do, and it’s what gives me hope in this industry.”

Matt Zbrog
Writer

Matt Zbrog is a writer and researcher from Southern California. Since 2018, he’s written extensively about emerging issues in healthcare administration and public health, with a particular focus on progressive policies that empower communities and reduce health disparities. His work centers around detailed interviews with researchers, professors, and practitioners, as well as with subject matter experts from professional associations such as the American Health Care Association / National Center for Assisted Living (AHCA/NCAL) and the American College of Health Care Executives (ACHCA).
