The Cost of Catching Up

Why Healthcare Practices Can’t Afford to Treat Cybersecurity Like a To-Do List

By Erik Eisen, President, CTI Technical Services
LinkedIn: Erik Eisen
LinkedIn: CTI Technical Services

There’s a quiet truth running beneath the flood of headlines about ransomware in healthcare: the breach isn’t always the worst part.

I’ve worked with healthcare and dental practices for more than two decades, from busy urban outpatient clinics to multi-site dental groups in rural towns. The story that rarely makes the news is what happens after a cyberattack: the calls from providers whose practices have come to a complete standstill, staff resorting to manually pulling paper charts, and owners left to calculate whether they’ll be able to reopen. I’ve heard the fear and anxiety in the wake of a cybersecurity incident, being told on more than one occasion, “I wasn’t scared when it happened. I was scared when I realized how long we’d ignored it.”

That’s the problem. “Cybersecurity” has become white noise. It’s part of the routine checklist, bundled into compliance audits, HIPAA training binders, or EHR and other vendor contracts. But it’s often not part of the culture of care. And until it is, many practices will continue to operate just secure enough to avoid panic, but not secure enough to avoid collapse when the worst-case scenario happens.

The “Cyber Hygiene” Model Doesn’t Work

There’s no shortage of guidance on how to stay protected – checklists, best practices, frameworks. But most small and mid-sized healthcare organizations don’t fail because they don’t know what to do. They fail because they treat cybersecurity as a scheduled task, not a living system.

Too many healthcare organizations, especially smaller entities, still adhere to an outmoded “cyber hygiene” model, a mindset rooted in periodic fixes: running antivirus scans, updating passwords every six months, completing an annual HIPAA security risk assessment, and relying on EHR vendors to handle the rest. On paper, these steps check all the boxes. But in practice, they leave healthcare environments exposed to real-world threats that don’t wait for the next compliance deadline.

This approach leaves practices exposed to security gaps that show up in the same places again and again: unpatched software, outdated backup systems, vague vendor contracts, and networked devices with names like “Dr. Smith’s Laptop” still floating around years later.

The consequences aren’t theoretical. According to data from the U.S. Department of Health and Human Services (HHS), more than 133 million individuals were affected by healthcare data breaches in 2023 alone – more than triple the number just five years ago.

When something does go wrong, there’s a flurry of IT work, a few training sessions, maybe even a managed services contract – and then everything goes quiet again. Cybersecurity reverts to being a line item. Until the next breach.

The Myth of “Secure Enough”

Too many practice administrators have told me they’re “probably okay” when faced with the need to expand their cybersecurity budgets. They’ve got HIPAA-compliant IT policies. Their EHRs are cloud-based. They have a firewall.

They think they’re covered.

But here’s the uncomfortable truth: most attackers aren’t targeting you. They’re targeting anyone. And the smaller the organization, the more likely they are to succeed, not because you’re not smart or serious, but because your defenses can’t outpace today’s threats. They were designed to be “good enough.”

They aren’t.

That’s reflected in the data. According to the Ponemon Institute, nearly 60% of healthcare data breaches now stem from third-party vendors or system misconfigurations rather than complex zero-day exploits or elite hackers.

This “good enough” thinking has left countless small healthcare businesses exposed. It assumes that cybersecurity can be easily managed in-house or cheaply outsourced, that third-party vendors are airtight, and that EHR uptime and data security don’t compete for attention. It’s comforting, but it’s fiction.

A Patient Care Crisis

At its core, cybersecurity is no longer a technical or even operational issue. It’s a patient safety issue. When a system goes down from ransomware, patients don’t get called back. Lab results don’t get reviewed. Referrals stall. Diagnoses are delayed or missed entirely.

A recent joint advisory from the FBI, HHS, and CISA noted that ransomware attacks on healthcare facilities are increasingly timed to disrupt care, often hitting clinics overnight or on weekends when staffing is thin.

We’ve worked with a provider group whose systems were offline for days following a ransomware attack. They lost access to everything, from scheduling and billing to patient records and test results. What stood out while we met to discuss solutions wasn’t the chaos. It was the silence: phones weren’t ringing, patients weren’t checking in, staff sat idle.

Care itself doesn’t stop, but the quality of the care that can be provided often suffers.

No amount of insurance can repair lost trust, and patients rarely wait for a practice to recover. They go elsewhere. The long tail of a breach isn’t just financial, it’s reputational. It’s existential.

Shifting from Reactive to Resilient

What we’ve learned through years of supporting medical and dental clients nationwide is that the most effective cybersecurity posture doesn’t start with technology. It starts with mindset.

The practices that weather cybersecurity storms best aren’t those with the fanciest tools or the largest IT teams. They’re the ones that approach security like they approach infection control – ongoing, embedded in workflow, and everyone’s responsibility. They expect things to go wrong. They test their recovery plans like fire drills. They look at vendors not as “trusted” but as “verified.” They implement protocols and best practices that hold every team member accountable. They hire managed services providers (MSPs) not just to respond, but also to warn.

Most importantly, they stop asking “Are we secure?” and start asking “How fast can we recover?”

What Healthcare Leaders Need to Hear

If I could share one key takeaway with every practice administrator reading this, it would be that they cannot afford to still be playing catch-up. The attack surface is too broad. The motives of the bad actors are too strong. The threats move too fast.

Healthcare is more connected than ever. That means a single missed configuration or forgotten laptop can lead to a six-figure loss – at minimum.

The average cost of a healthcare data breach now sits at $10.93 million, the highest across any industry, according to the IBM Cost of a Data Breach Report 2023.

You don’t need to become a cybersecurity expert. You just need to become cybersecurity fluent. Ask better questions of your vendors, challenge assumptions, test plans, and put measures in place to ensure your practice can keep running even if systems fail. Because one day, they will.

The Bottom Line

The healthcare organizations that survive this era aren’t the ones with the biggest budgets. They’re the ones that bake security into their culture, just like safety and care.

As providers, your mission is to heal. As a trusted technology partner, mine is to let you keep doing that regardless of what’s happening behind your firewall. That means not just preventing the worst from happening, but also preparing to work through it and come out stronger on the other side.

And that work starts now.