Expert Perspective

Are You Ready for the Next Healthcare Cyber Attack?


April 2, 2026

Executive Summary

In healthcare and med tech, a cyberattack is not just an IT event — it can become a product, operations, regulatory, insurance, and litigation event all at once. As care delivery and medical technologies become more digitally enabled and connected, resilience depends not only on how an organization responds to an incident, but also on whether its products and supporting systems were designed to be secure, updateable, and recoverable from the beginning.

What healthcare and med tech companies do now to prepare for future breaches — while also building long-term resilience 

Cyber threats are evolving. From compromised credentials and phishing to systems vulnerabilities and supply chain attacks, 2025 saw a reported 30% rise in healthcare cyberattacks and a new average high of over $10M USD per incident. As a result, many organizations are treating the next cyberattack as less a matter of "if" than "when." Even Hollywood is zeroing in on the impacts cyber incidents could have on healthcare systems, including disruptions to critical care as depicted in HBO's "The Pitt."  

A cyber event in the healthcare or med tech sector can create significant operational, regulatory, and litigation risk — highlighting best practices for organizations that extend beyond the scope of any single incident. A strong defense for healthcare and med tech companies can be built on a two-pronged approach: preparing now for the next disruptive cyber event; and building long-term resilience by embedding cybersecurity across the total product lifecycle. 

After an attack, regulators, insurers, customers, and litigation teams are likely to scrutinize preparedness and response, with a focus on preserving evidence while keeping operations running. Product cybersecurity belongs much earlier in this conversation. Long-term resilience is not only about investigating the latest breach or compromise — it's about designing systems and components of systems so they can be understood, trusted, updated, defended, and safely restored over time. In practice, that means building security into products and systems early, not treating it as a downstream compliance task or a post-incident exercise.

What to do now 

A disruptive cyber event does not need to involve ransomware to cause serious business impacts. Organizations can be significantly impaired by the loss of email, collaboration tools, remote access, identity services, endpoint availability, or system trust — regardless of root cause. 

From both an engineering and litigation perspective, early discipline matters. Initial steps after an attack can include distinguishing confirmed facts from assumptions, recording the chronology of decisions, and avoiding restoring systems so quickly that logs, volatile data, or other evidence of the threat actor's activity are overwritten. Regulators' expectations for best practices are also evolving.

Although FDA's medical device cybersecurity guidance is focused on device submission and clearance, it is also a good source of action items following a threat: protect critical functionality even during anomalous conditions, provide secure backup and restore capabilities, log security events, require strong authentication and authorization, apply least privilege, and avoid default or easily guessed passwords.

While specific actions and goals will look different for different organizations, the following steps can support preparedness, resilience, and recovery for healthcare and med tech companies in advance of a breach. 

 

Proactive Practice | Actions
Review your incident response plan | Confirm roles, legal hold triggers, escalation paths, out-of-band communications, and your criteria for containment, restoration, and disclosure.
Prioritize critical systems first | Define the minimum systems required to continue operating safely and legally — and focus proactive hardening and recovery planning on those areas first.
Verify restoration procedures and that backups are secured | Confirm restoration procedures are documented, accurate, and tested. Verify that backups are up to date, tested, stored away from operational systems, and protected against alteration or deletion.
Estimate restoration time in advance | Determine realistic recovery times for critical business services before an incident occurs so leaders understand where manual workarounds or alternate channels are needed.
Hunt for identity-focused attack activity | Increase monitoring for password spraying, credential harvesting, MFA bypass, suspicious OAuth grants, privilege changes, and other identity attacks.
Reduce identity blast radius | Review privileged accounts, service accounts, and break-glass access to ensure they are necessary, tightly controlled, and properly monitored; disable stale accounts; verify conditional access policies are appropriate; and deploy phishing-resistant MFA as broadly as practical.
Plan for rapid isolation and segmented recovery | Define how you will quickly isolate affected networks or systems, operate from clean segments, and stage recovery from known-good images and configurations.
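The "hunt for identity-focused attack activity" row above calls for monitoring password spraying. As an added example that is not from the article or from Exponent, the script below groups constructed sign-in events by source address, flags a source that fails against many distinct accounts within a short window (the signature of a spray, as opposed to repeated guesses at one account), and lists accounts that later succeeded from that source for follow-up. The log format, field names, window, and threshold are assumptions for illustration.

```python
"""Flag password-spraying patterns in sign-in logs (added example, not the article's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp source_ip user result".
# 203.0.113.7 tries six different accounts once each (spray pattern);
# 198.51.100.9 retries a single account (not a spray by this rule).
SAMPLE_LOG = """\
2026-04-01T08:00:01Z 203.0.113.7 alice FAIL
2026-04-01T08:00:03Z 203.0.113.7 bob FAIL
2026-04-01T08:00:05Z 203.0.113.7 carol FAIL
2026-04-01T08:00:07Z 203.0.113.7 dave FAIL
2026-04-01T08:00:09Z 203.0.113.7 erin FAIL
2026-04-01T08:00:11Z 203.0.113.7 frank SUCCESS
2026-04-01T08:00:02Z 198.51.100.9 alice FAIL
2026-04-01T08:00:04Z 198.51.100.9 alice FAIL
2026-04-01T08:00:06Z 198.51.100.9 alice SUCCESS
"""


def parse(log_text):
    """Parse the assumed four-field format into (time, ip, user, result), time-ordered."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: (distinct accounts failed, accounts that later succeeded)}
    for each source that failed against at least min_users distinct accounts
    inside one sliding window. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            # Distinct accounts failed within `window` of this starting failure.
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                # Any success from the same source after the spray began is worth triage.
                succeeded = sorted({u for ts, u, r in evs if r == "SUCCESS" and ts >= start})
                alerts[ip] = (len(users), succeeded)
                break
    return alerts


if __name__ == "__main__":
    for ip, (count, succeeded) in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"possible spray from {ip}: {count} accounts failed; later successes: {succeeded}")
```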

Ideally, immediate response and longer-term product cybersecurity strategies will reinforce each other. The same principles that support readiness after an incident — protecting critical functionality, enabling secure backup and restore, logging security events, enforcing strong authentication and authorization, applying least privilege, and avoiding weak default credentials — are also foundational to building resilient products and connected systems in the first place.

Addressing Product Cybersecurity

For long-term resilience, healthcare and med tech companies can build security into their products and operating environments by using a secure product development framework (SPDF) — and requiring vendors to do the same. In practice, there are five key things to address over the total product lifecycle, beginning with early concepting:

  1. Perform system-level threat modeling and security risk management so cybersecurity threats are analyzed alongside safety and operational impacts. 
  2. Design for the core security objectives FDA highlights — authenticity/integrity, authorization, availability, confidentiality, and timely updateability/patchability. 
  3. Maintain strong software transparency and dependency management, including SBOM discipline and ongoing review of third-party components. 
  4. Validate resilience through independent testing such as vulnerability and penetration testing. 
  5. Ensure the organization can sustain the device or system after deployment through postmarket monitoring, coordinated vulnerability disclosure, patch planning, and clear recovery processes. 

 


What Can We Help You Solve?

Exponent supports clients across the cybersecurity lifecycle, from building resilience into connected products through security-by-design, risk assessments, threat modeling, testing, and SPDF documentation, to providing technically grounded analysis when incidents, disputes, or allegations arise. We support litigation, investigations, and regulatory inquiries, helping clients explain and defend decisions under scrutiny.
