Cybersecurity is patient safety: Security best practices for healthcare

Electronic health records and increased use of the Internet of Medical Things (IoMT) streamlines patient care, accessibility, and recordkeeping. But it also comes with greater cybersecurity risk.

Nine in 10 healthcare organizations experienced a cyber attack last year, with those attacks disrupting patient care at seven out of 10 organizations. 

To keep your patients safe, you have to keep your organization safe, too. Let’s break down some of the biggest security challenges facing healthcare organizations and how to implement cybersecurity best practices.

Healthcare organizations make a compelling target for bad actors thanks to the vast amount of personally identifiable information (PII), medical records, and credit card numbers they hold. Here are some of the biggest threats to the healthcare industry.

In 2024 alone, 275 million healthcare records were breached. And in 2025, the average cost of a data breach is $4.44 million. Bad actors hacking into your systems, insider threats, or honest mistakes can cause data breaches.

To prevent these costly attacks, implement robust access control and the principle of least privilege. Employees should only be able to access data relevant to their role. This way, even if a bad actor gains access to an employee's account, they won’t be able to access every piece of information in your organization.

Human error and social engineering tactics like phishing also contribute to data breaches. Educating employees to spot these attacks is critical to preventing bad actors from gaining a foothold in your organization.

Even if your healthcare organization’s security is strong, your vendors’ might not be. Supply chain attacks target organizations through third-party vendors. 

When the healthcare industry is as interconnected as it is, supply chain attacks pose a real risk, especially when bad actors bring ransomware into the equation.

To reduce the risk of a supply chain attack hitting your organization, make a list of all of the vendors in your supply chain. Assess their security posture, note vulnerabilities, and then implement real-time event monitoring to protect against new risks.

According to one survey, 73% of healthcare organizations still use legacy systems. And because these systems no longer receive maintenance and support, organizations struggle to secure and integrate them with newer technologies.

At the same time, some healthcare organizations adopt new technologies without considering the security measures they need to protect them. And if they focus too much on adopting new technologies instead of maintaining their existing systems, that can also create new security risks.

Modernizing legacy healthcare systems is a process, not a one-and-done project. To get started, conduct a risk assessment to understand potential vulnerabilities. Adopt new technologies strategically and make sure team members have the skills to secure them. 

The same is true for maintaining outdated systems—securing these solutions may require niche skill sets.

While we don’t see data breaches, supply chain attacks, or issues with legacy systems diminishing anytime soon, the most pressing threats may change over time. 

Cybersecurity best practices will help you defend your healthcare organization even when the threat landscape changes.

You can’t secure everything—and you shouldn’t try to. There are some threats that aren’t worth your limited resources.

A risk analysis will help you identify the most important threats to guard against. Consider:

• Probability: How likely is it for an attack to happen?
• Impact: If the risk happens, how severe will it be? How much will it cost your organization?

In most cases, you’ll want to prioritize risks that have a high probability of happening and would severely impact your organization.

Let’s say your organization was the target of a data breach. In addition to the cost of the attack itself, your organization may owe settlement fees or fines for violating regulations like HIPAA or GDPR.

Non-compliance can be costly. Understand your responsibilities under these laws to protect and secure patient data in compliance with their rules. Lack of real-time alerts, multi-factor authentication, and ongoing audits are all ways hackers have exploited healthcare organizations in the past.

It’s also worth keeping a pulse on new bills like the Healthcare Cybersecurity Act of 2025. If passed, this upcoming bipartisan bill would require the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) to work together to identify and mitigate cybersecurity threats to the healthcare and public health sectors. Efforts like this can help you identify risks specific to your organization.

The technology and threat landscape is always changing, and your teams’ skills will need to keep up.

Make sure everyone, including those in non-IT roles, is well-versed in phishing, vishing, deepfakes, and other common attacks. Security professionals will need deeper expertise in areas such as risk management and incident response depending on their specialization.

Certifications are also a great way to build your team’s skills. These are some of the best certificates for cybersecurity:

• CompTIA Security+

• Certified Information Systems Security Professional (CISSP)

• AWS Certified Security – Specialty

Uncover the 4 key components of successful security skill development in our guide.

The NIST Cybersecurity Framework works well for organizations deploying and designing their own controls. It’s less effective for healthcare organizations that need to comply with external controls.

That’s why they created the NIST Cybersecurity Framework for Healthcare. This framework provides a step-by-step plan to manage cybersecurity risk in healthcare organizations specifically.

At a high-level, this includes: 

1. Prioritize and scope: Create a strategy to assess, respond to, and monitor risk

2. Orient: Identify the systems, tools, compliance, and best practices that fall within the scope of your strategy

3. Create a target profile: Determine how you’ll evaluate your current security posture and outline your goals or where you want to be after implementation

4. Conduct a risk assessment: Identify and evaluate risks

5. Create a current profile: Identify the state of your organization’s current security posture

6. Determine, analyze, and prioritize gaps: Compare your current profile to your target profile

7. Implement your action plan: Create an implementation plan to improve your security stance and track your progress against key risks with metrics and performance indicators

Build the cybersecurity skills your tech team needs to stay on top of compliance regulations and the latest threats.

Learn more about Pluralsight’s hands-on learning platform for healthcare IT teams.