
Healthcare workers may be last line of defense for cyberattacks

“Cyber hygiene is as important as medical hygiene to help protect patients from harm,” lobbying group security expert says.


Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.

Caroline Catherman is a reporter at Healthcare Brew, where she focuses on major payers, health insurance developments, Medicare and Medicaid, policy, and health tech.

Humans are the weakest link in cybersecurity, and the healthcare industry is no exception.

Healthcare workers may not think of themselves as part of the cybersecurity team, but they’re often the last line of defense for facilities when cyberattackers take aim, primarily because they’re often making decisions related to access and identity.

A common way for hackers to access health networks is to steal clinicians’ credentials through social engineering techniques like phishing—whether via emails, calls, or texts—John Riggi, national advisor for cybersecurity and risk at trade and lobbying group the American Hospital Association (AHA), told us.

“Cyber hygiene is as important as medical hygiene to help protect patients from harm,” Riggi said.

Clear and present danger. In 2024, the healthcare industry suffered the most breaches in its history, with 184,111,469 records exposed, impacting 81% of the US population, per the HIPAA Journal.

In 2025, attacks on the sector have continued. About 33 million patients have had their health records hacked as of Oct. 3, according to the AHA. And federal cuts affecting healthcare organizations for rural and lower-income communities have cybersecurity pros warning that threats and extortion may increase.

“We are going to start seeing some ransomware or other kinds of extortion events that ultimately end up putting these hospitals out of business or forcing them into a fire sale,” Michael Hamilton, field CISO of Lumifi Cyber, told IT Brew this summer.

It’s impractical to put the onus of defending against cyberattacks on non-technical personnel like doctors and nurses. A more realistic way to manage the threat is to use clinicians as an early warning system, Phil Englert, VP of medical device security at Health-ISAC (Information Sharing and Analysis Center), said.

“Their primary job is patient care; it’s not cybersecurity,” Englert said. “Asking them to identify when things are not right, and then getting the experts or the IT analysts or security analysts involved in actually evaluating that device or that technology…is how we would best utilize clinicians.”

Big guns. Ransomware could lock up a system, a device shutdown could leave an operation in crisis, and hacking could delay imaging critical to making clinical decisions. If a device or system fails in the course of healthcare operations, the consequences could be catastrophic.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

During a 2024 ransomware attack on the UK’s National Health Service systems in London, for instance, a patient died in part because the hack delayed a necessary blood test result. Jon Miller, CEO of cyber resilience firm Halcyon, is pushing to classify ransomware attacks as terrorism, he told us, a process that requires working with the federal government.

“Hopefully, it would make the attackers never attack them again, because if you can attack everything else and get away with it and walk away with your money, why wouldn’t you do that?” Miller said. He added it would be different “if you attack a hospital,” because “you end up with the US’s counterterrorism apparatus going after you.”

Training days. Most hospitals give annual cybersecurity training to their employees, Riggi said.

He added that clinicians who help decide purchases should “demand” that all medical devices be created with “secure by design” principles. The AHA also advises clinicians to develop a plan to ensure they can continue to care for patients for at least 30 days without network or internet-dependent services.

Another option, Miller said, is for healthcare organizations to invest in outside security firms that can manage threats. This would presumably allow hospital workers to focus more fully on patients—and make the organization a less attractive target to threat actors.

“If you can increase the cost and the pain that it takes them to carry something out, they’ll move along and hack someone that’s more vulnerable,” Miller said.

At the more basic end of things, integrating cybersecurity principles into clinician training is a good start. That clinicians know the basics, like spotting phishing emails and using multi-factor authentication, is a reasonable expectation and will allow them to focus on what really matters: helping patients. Englert said the right move is making sure the person who knows how to fix the problem is taking care of it.

“As a truck driver, it’d be like, ‘Something’s not right with my transmission or my engine, let’s get it to the experts that can fix it,’” Englert said. “That’s the right focus.”
