What Your Chief Information Security Officer Wants You to Know: Healthcare Needs Cyber Backup

Key Takeaways:

  • Cyber threats against healthcare providers are becoming more sophisticated, with attackers increasingly targeting supply chain partners to maximize the impact of breaches.
  • Implementing strong cybersecurity frameworks and layered defenses can significantly enhance resilience against evolving threats.
  • Government support, public-private collaboration and shared accountability are essential to combat cyberattacks and ensure that healthcare providers have the tools to protect patients and critical infrastructure.

Healthcare cybersecurity threats are escalating at an alarming rate, putting patient safety, sensitive data and critical systems at risk. To support informed policymaking, healthcare cybersecurity experts convened on Capitol Hill to highlight industry efforts, regulatory challenges and opportunities for collaboration. The discussion reinforced the shared responsibility between Congress, the Administration and the private sector to strengthen system resilience and protect patients.

In partnership with Premier’s advocacy office in Washington, DC, I recently joined cybersecurity leaders from Baxter, Mount Sinai Health System, Blue Cross Blue Shield Association and Johnson & Johnson at a Capitol Hill briefing hosted by the Healthcare Leadership Council. We told lawmakers something you already know: healthcare needs new partnerships to keep our systems secure from evolving cyber threats.

Healthcare Providers and Cyberattacks: “Outmatched and Outgunned”

Hospitals and healthcare providers face increasingly complex threats from nation-states and international criminal organizations. But attackers are no longer targeting healthcare systems one by one – they are launching strategic assaults on business associates and software vendors to maximize impact.

Cybersecurity is a pressing threat to hospital operations, health data – and most importantly – patient lives. In the past year, 92 percent of healthcare organizations experienced at least one cyberattack. Downtime from ransomware attacks has cost healthcare organizations an average of $1.9 million per day, and healthcare has the highest average cost of a data breach of any sector, coming in at $9.77 million.

The reality is that healthcare providers are outmatched and outgunned. Cyber attackers are highly motivated and very well-funded, often through nation-states, whether overtly or not. This mismatch of resources has fueled a dramatic escalation in the sophistication and scale of cyberattacks. Rather than targeting individual hospitals one by one, today’s attackers exploit vulnerabilities in third-party vendors or widely used healthcare software platforms. With a single breach, they can infiltrate dozens, hundreds or even thousands of healthcare organizations simultaneously – turning a once-linear threat into a devastatingly asymmetrical one.

Supply chain vulnerabilities have also become a critical concern. Recent attacks have exposed weaknesses in file transfer services, consulting firms and other business process operations – demonstrating the far-reaching consequences of a single security breach to the healthcare supply chain.

Cybersecurity Standards: The Foundation of Resilience

Healthcare providers must take a proactive approach to cybersecurity by adopting robust defense frameworks and best practices. In the U.S., the National Institute of Standards and Technology (NIST) framework is widely used, including at Premier. Another valuable resource is the Health Industry Cybersecurity Practices (HICP) guide, developed by HHS and the Health Sector Coordinating Council Cybersecurity Working Group. Unlike the lengthy technical regulations of NIST, HICP offers a more practical, step-by-step approach, helping healthcare organizations strengthen their security posture effectively.

These standards work in concert with each other, providing healthcare organizations with cybersecurity defense in depth. If a single security measure fails due to a zero-day vulnerability, compensating protections such as firewalls, multi-factor authentication and strong identity access controls can prevent attackers from gaining deeper access.

However, these investments take resources – and not all hospitals have the capital to immediately invest in a complete cybersecurity refresh. A 2025 report found that over 62 percent of rural hospitals faced challenges implementing basic email security, multifactor authentication and network segmentation, and only 43 percent had a timely patching process. Even cyber-mature hospitals aren’t always able to defend against nation-state attacks.

By focusing on foundational cybersecurity practices, such as vulnerability management, timely patching and privileged access management, healthcare organizations can build resilience against emerging threats. The federal government can help strengthen the sector by fostering two-way intelligence sharing, ensuring that cybersecurity regulations are aligned with industry standards, and by providing the support necessary to stand up to sophisticated bad actors.

Combating Cyber Criminals: The Need for Shared Accountability and Public-Private Partnerships

Current regulations leave hospitals open to potential litigation if they share critical, real-time threat intelligence, which amounts to forcing healthcare to fight threats with both hands tied behind our backs. Some reporting requirements even pull incident response teams away from managing a crisis to check burdensome regulatory boxes.

Premier supports a risk-focused approach to cybersecurity, with streamlined reporting requirements to ensure cyber professionals can focus on mitigating attacks rather than navigating excessive bureaucracy during critical recovery periods.

Additionally, collaboration between government and the private sector is essential to protecting healthcare systems and patients.

Premier advocates for a shared accountability model between healthcare providers and their business partners. Too often, hospitals bear the disproportionate burden of cyber incidents, even when breaches originate from third-party vendors. A shared accountability model would align incentives and get everyone in healthcare working together against threat actors instead of litigating liability against each other.

Expecting providers to dictate tougher security terms to billion-dollar technology firms isn’t realistic. Small and medium-sized regional hospitals just don’t have the necessary leverage when negotiating with massive technology players. Government assistance is needed to balance the scales and ensure fair accountability – the government cannot expect private contracts to fairly adjudicate cyber risk and responsibility.

By fostering information-sharing, reducing litigation risks, and encouraging cross-sector collaboration, policymakers can help healthcare providers strengthen their cybersecurity defenses and mitigate future attacks.

Strengthening Healthcare Cybersecurity Through Collective Action

Cyber threats in healthcare continue to evolve, but with strategic action, collaboration and proactive security measures and solutions, the industry can stay ahead of adversaries.

To help safeguard our members against cybersecurity threats, the Premier group purchasing organization (GPO) portfolio includes contracts for cybersecurity services, and we provide robust cybersecurity alerts, news and resources within our Disaster Preparedness community (available to Premier GPO members with login).

Strengthening cybersecurity frameworks, adopting a risk-based approach and fostering shared accountability between healthcare providers, business partners and the federal government will be essential to defending healthcare providers and protecting patient data.

Premier remains committed to working alongside policymakers, industry leaders and other cybersecurity experts to fortify healthcare’s digital ecosystem. Through continued advocacy and innovation, we can enhance resilience, protect critical infrastructure and ensure the safety of patients nationwide.

Article Information

Date Published: 6/16/25
Ben Schwering
Chief Information Security Officer, Premier Inc.

Ben has accountability for security strategy, engineering and operations. He has more than 15 years' experience in various IT disciplines including security, data analytics and infrastructure across the financial services, insurance, and healthcare industries.