How Hospital CEOs Can Build Cybersecurity Resilience

Analysis | By Jay Asser | January 14, 2026

Through preparedness and response planning, leaders give their organizations a better chance of withstanding and recovering from cyberattacks.

One of the last problems a hospital or health system CEO wants to run into is a data breach capable of compromising an entire organization. And yet, cyberattacks against hospitals are becoming more frequent, more sophisticated, and more disruptive.

What were once isolated incidents have evolved into organized, well-funded attacks that are increasingly exploitative. At the same time, AI and widely available attack tools have lowered the barrier to entry, making phishing and social engineering harder to detect.

In HealthLeaders' The Winning Edge for Cybersecurity this week, Grande Ronde Hospital president and CEO Jeremy Davis spoke on the evolution of cyber threats against hospitals and how it is putting the onus on leaders to adapt.

“We operate complex, interconnected networks and environments, oftentimes with legacy systems and medical devices that often can't be patched quickly,” Davis said. “And in healthcare, we have a pretty low tolerance for downtime, patients don't stop showing up, births still happen, emergencies still happen. So there's a real urgency placed on healthcare providers, given that we have a data-rich environment that makes us very attractive to threat actors.”

That reality makes the risk of a cyber incident a matter of when, not if, necessitating that hospital CEOs rethink their defenses.

Shift from prevention to recovery

While prevention remains critical, Davis said leaders must accept that attacks are inevitable, which will allow them to prioritize the areas where attention is most needed.

“No organization can block every attack,” Davis said. “Recovery is the most critical piece.”

For CEOs, that means reframing cybersecurity as an enterprise-wide resilience issue rather than a technical one. Instead of focusing solely on how to stop threats, leaders must think about how quickly operations can be restored, how care can continue safely during disruptions, and how to limit long-term damage.

“The mindset for CEOs and administrators isn’t so much how do we prevent attacks,” Davis said. “It’s how do we get back up quickly and continue to fulfill our mission and take care of our patients and our staff and our community.”

Cyber incidents, he highlighted, have far-reaching consequences, affecting clinical workflows and public trust. “This really isn’t just an IT issue,” Davis said. “It impacts the entire organization and the community and the broader public.”

Start with governance and executive alignment

Effective response begins long before a cyber incident occurs, Davis stated, and it starts at the governance level. CEOs must ensure boards understand cyber risk and are prepared to support investments and preparedness efforts, even as many organizations operate under financial strain.

“It really starts at your board of trustees,” Davis said. “Making sure that your board is well informed and is willing to support the efforts, both administratively and financially.”

That includes difficult conversations about technology upgrades and vulnerabilities, particularly for rural hospitals and smaller systems with limited resources. “The reality is, I don’t think you can avoid investing,” Davis said. “If these systems aren’t functioning, you’re just not going to exist.”

Regular communication with CIOs, informatics leaders, and security professionals is critical, as is bringing in outside experts to identify blind spots. “You can get comfortable with your own processes,” Davis said. “It’s always nice to have somebody from the outside that can come take a look.”

Lead decisively in the first 48 hours

When a cyber incident occurs, Davis said the CEO’s initial responsibility in the first 24 to 48 hours is to protect patients and staff while ensuring continuity of care.

“Our mission doesn’t change during an incident or an emergency,” he said. “We’re still a hospital.”

That means quickly activating business continuity plans, downtime workflows, and manual processes, especially in departments that don’t routinely operate without electronic systems.

“When it comes to preparing for a cyberattack and recovery, it’s those departments that don’t deal with downtimes as frequently that you want to especially focus your attention on,” Davis said.

The CEO’s role during this period, he added, is to coordinate leadership, support decision-making under pressure, and engage external partners as needed.

Communicate early and clearly

During a cyber incident, how leaders communicate can either stabilize an organization or deepen confusion and mistrust. Davis emphasized that clear, consistent messaging, both internally and externally, is essential, particularly in the earliest hours of a breach.

“Leadership’s focus [needs] to be on simple, honest, and empathetic messaging,” Davis said, noting that inconsistent or conflicting information can quickly undermine confidence. While details may still be emerging, CEOs should reinforce that preparedness plans are in place and that the organization is actively responding.

He also stressed the importance of structure. Activating an incident command system and leveraging public information officers can help organizations manage media inquiries and external scrutiny while keeping staff and patients informed.

“Designating a single spokesperson is critical in that situation,” Davis said. “That’s the beauty of the command structure… to help that communication not erode trust and build that confidence.”

Use tabletop exercises to build muscle memory

Tabletop exercises are increasingly central to building cyber resilience, Davis noted, particularly as hospitals shift preparedness efforts away from rare disaster scenarios and toward routine cybersecurity planning.

“We’re finding that more and more of our tabletops and planning exercises are around cybersecurity and downtime procedures,” he said.

Davis pointed to growing collaboration among hospitals, including virtual participation in other organizations’ tabletop exercises, as a way to share ideas and improve readiness across the industry. That kind of cross-pollination is especially valuable for rural hospitals, which face different constraints than large urban systems.

“Organizations that practice their incident response, test their disaster recovery, train their staff, and understand their own weaknesses are going to be able to recover faster,” Davis said. “You have to practice. You have to have that muscle memory.”


Jay Asser is the CEO editor for HealthLeaders. 


KEY TAKEAWAYS

Hospital CEOs must move beyond prevention and focus on recovery to ensure continuity of care and minimize long-term operational impacts when cyberattacks inevitably occur.

Board engagement, executive alignment, and regular communication with IT and security leaders are essential to closing gaps before a crisis hits.

Clear messaging and frequent tabletop exercises help organizations respond faster and recover more effectively.

