Cybersecurity is patient safety: Security best practices for healthcare
Data breaches and supply chain attacks are just some of the security challenges healthcare organizations face. Reduce risk with these best practices.
Oct 1, 2025 • 5 Minute Read

Electronic health records and increased use of the Internet of Medical Things (IoMT) streamlines patient care, accessibility, and recordkeeping. But it also comes with greater cybersecurity risk.
Nine in 10 healthcare organizations experienced a cyber attack last year, with those attacks disrupting patient care at seven out of 10 organizations.
To keep your patients safe, you have to keep your organization safe, too. Let’s break down some of the biggest security challenges facing healthcare organizations and how to implement cybersecurity best practices.
Security threats in healthcare organizations
Healthcare organizations make a compelling target for bad actors thanks to the vast amount of personally identifiable information (PII), medical records, and credit card numbers they hold. Here are some of the biggest threats to the healthcare industry.
Data breaches
In 2024 alone, 275 million healthcare records were breached. And in 2025, the average cost of a data breach is $4.44 million. Bad actors hacking into your systems, insider threats, or honest mistakes can cause data breaches.
To prevent these costly attacks, implement robust access control and the principle of least privilege. Employees should only be able to access data relevant to their role. This way, even if a bad actor gains access to an employee's account, they won’t be able to access every piece of information in your organization.
Human error and social engineering tactics like phishing also contribute to data breaches. Educating employees to spot these attacks is critical to preventing bad actors from gaining a foothold in your organization.
Supply chain attacks
Even if your healthcare organization’s security is strong, your vendors’ might not be. Supply chain attacks target organizations through third-party vendors.
When the healthcare industry is as interconnected as it is, supply chain attacks pose a real risk, especially when bad actors bring ransomware into the equation.
To reduce the risk of a supply chain attack hitting your organization, make a list of all of the vendors in your supply chain. Assess their security posture, note vulnerabilities, and then implement real-time event monitoring to protect against new risks.
Legacy systems and new technology
According to one survey, 73% of healthcare organizations still use legacy systems. And because these systems no longer receive maintenance and support, organizations struggle to secure and integrate them with newer technologies.
At the same time, some healthcare organizations adopt new technologies without considering the security measures they need to protect them. And if they focus too much on adopting new technologies instead of maintaining their existing systems, that can also create new security risks.
Modernizing legacy healthcare systems is a process, not a one-and-done project. To get started, conduct a risk assessment to understand potential vulnerabilities. Adopt new technologies strategically and make sure team members have the skills to secure them.
The same is true for maintaining outdated systems—securing these solutions may require niche skill sets.
Cybersecurity best practices for healthcare
While we don’t see data breaches, supply chain attacks, or issues with legacy systems diminishing anytime soon, the most pressing threats may change over time.
Cybersecurity best practices will help you defend your healthcare organization even when the threat landscape changes.
Prioritize security risks
You can’t secure everything—and you shouldn’t try to. There are some threats that aren’t worth your limited resources.
A risk analysis will help you identify the most important threats to guard against. Consider:
- Probability: How likely is it for an attack to happen?
- Impact: If the risk happens, how severe will it be? How much will it cost your organization?
In most cases, you’ll want to prioritize risks that have a high probability of happening and would severely impact your organization.
Keep an eye on compliance with HIPAA and other regulations
Let’s say your organization was the target of a data breach. In addition to the cost of the attack itself, your organization may owe settlement fees or fines for violating regulations like HIPAA or GDPR.
Non-compliance can be costly. Understand your responsibilities under these laws to protect and secure patient data in compliance with their rules. Lack of real-time alerts, multi-factor authentication, and ongoing audits are all ways hackers have exploited healthcare organizations in the past.
It’s also worth keeping a pulse on new bills like the Healthcare Cybersecurity Act of 2025. If passed, this upcoming bipartisan bill would require the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) to work together to identify and mitigate cybersecurity threats to the healthcare and public health sectors. Efforts like this can help you identify risks specific to your organization.
Provide security skills training
The technology and threat landscape is always changing, and your teams’ skills will need to keep up.
Make sure everyone, including those in non-IT roles, is well-versed in phishing, vishing, deepfakes, and other common attacks. Security professionals will need deeper expertise in areas such as risk management and incident response depending on their specialization.
Certifications are also a great way to build your team’s skills. These are some of the best certificates for cybersecurity:
Uncover the 4 key components of successful security skill development in our guide.
Follow the NIST Cybersecurity Framework
The NIST Cybersecurity Framework works well for organizations deploying and designing their own controls. It’s less effective for healthcare organizations that need to comply with external controls.
That’s why they created the NIST Cybersecurity Framework for Healthcare. This framework provides a step-by-step plan to manage cybersecurity risk in healthcare organizations specifically.
At a high-level, this includes:
Prioritize and scope: Create a strategy to assess, respond to, and monitor risk
Orient: Identify the systems, tools, compliance, and best practices that fall within the scope of your strategy
Create a target profile: Determine how you’ll evaluate your current security posture and outline your goals or where you want to be after implementation
Conduct a risk assessment: Identify and evaluate risks
Create a current profile: Identify the state of your organization’s current security posture
Determine, analyze, and prioritize gaps: Compare your current profile to your target profile
- Implement your action plan: Create an implementation plan to improve your security stance and track your progress against key risks with metrics and performance indicators
Secure patient data starts with secure teams
Build the cybersecurity skills your tech team needs to stay on top of compliance regulations and the latest threats.
Learn more about Pluralsight’s hands-on learning platform for healthcare IT teams.
Advance your tech skills today
Access courses on AI, cloud, data, security, and more—all led by industry experts.