Cybersecurity extends beyond the CIO

Updated on April 23, 2026

What recent cyber events reveal about risk and resilience in health care

For hospital leadership, cybersecurity is no longer a background risk managed by IT teams behind closed walls. Recent events make clear that cyber incidents are now board-level discussions with immediate implications for patient safety, staff operations, financial performance and community trust. 

American Hospital Association data shows that more than 70% of hospitals experienced a significant cyber or vendor-related disruption in the past year, and that the typical health care ransomware incident now results in more than three weeks of operational disruption—extending beyond system restoration.

Across the country, hospitals and health care vendors continue to experience cyber events that disrupt care delivery and expose sensitive information. 

Cyber risk increasingly manifests as operational downtime, not just data loss.

From IT incident to patient access impact

Historically, cybersecurity was often framed as a compliance or technology problem—focused on HIPAA penalties, breach notifications or reputational fallout. That limited scope no longer applies.

When a health care provider is impacted by a cyber event, it can mean significant changes to its operations. Immediately following an event, providers must react by implementing less-practiced procedures such as the use of paper medical records, diversion of care to other providers and even consideration of delayed treatments. Depending on severity and impact, physicians may not have the necessary access to historical patient information.

Regulators and plaintiffs increasingly evaluate cyber incidents through a patient harm lens, particularly when care is disrupted. The takeaway is clear: cyber incidents now serve as enterprise-level threats to care delivery.

Why are hospitals targets?

Hospitals remain high-value targets because clinical downtime creates immediate pressure, patient records are irreplaceable and thin margins leave little tolerance for extended disruption.

Industry analysis consistently shows that ransomware incidents affecting clinical environments drive emergency department diversion and canceled care, directly influencing quality outcomes, patient satisfaction and financial performance. Unlike other sectors, health care has little ability to delay service without consequence.

Many large-scale breaches have shifted beyond hospitals themselves. Third-party vendors, including business associates, billing platforms, imaging systems and electronic health record adjacent tools, now account for a substantial share of health care cyber exposure. 

As Lenny Levy, health care cybersecurity leader at RSM US LLP, notes, “Based on Office for Civil Rights data, third parties were involved in over a third of health care cyber breaches since 2020. Given the increasing complexity of organizations and the growing sophistication of tools used by bad actors, we expect this trend to continue in the future.”

What does this mean?

For hospital and provider leaders, the implications are practical, immediate and enterprise-wide. Key considerations include:

Operational resilience – When systems are down, technology alone is not enough. Hospitals must establish and rehearse downtime procedures, clinical contingency plans and determine executive decision authority because clear procedures and speed of decision-making are critical to maintaining care.

Third-party risk – Many of the most disruptive health care cyber incidents in recent years originated with external vendors, not hospitals themselves. Hospital leadership should ensure vendor risk oversight, contracting and contingency planning receive the same scrutiny as internal controls.

Reputation and trust – Communities understand and accept inconvenience during natural disasters, but cyber incidents invite a different level of scrutiny, raising questions about preparedness, stewardship of data and organizational competence.

Financial impact – The average cost in 2025 of a health care breach in the U.S. was $9.8 million. This figure exceeds other industries as the costs include downtime, recovery and operational disruption.

The takeaway

Cybersecurity is no longer a technical discussion reserved for IT leadership. Involvement at the highest leadership levels is key to building a resilient organization with minimal disruption to patient safety, financial stability and organizational reputation.

Recent events send a consistent message: hospitals that treat cyber preparedness as an enterprise priority—embedded in governance, operations and emergency response—are better equipped to withstand disruption when the next incident occurs.

The question is no longer whether cyber risks deserve the attention of the CEO and board, but how prepared an organization is to react to and mitigate a cyber risk immediately.

Shelby Burghardt
Health Care Senior Analyst, Senior Manager, Audit Services at RSM US LLP

Shelby Burghardt is a senior manager for audit services and a health care senior analyst for RSM US LLP. With over 17 years of experience, she provides financial statement audit, single audit and agreed-upon procedures services for clients in the health care and nonprofit industries. Shelby has served a variety of health care and nonprofit organizations, including academic medical centers, hospitals and health systems, behavioral health organizations, as well as private equity-backed health care companies. In addition, as a member of the firm’s Industry Eminence Program, Shelby works alongside the firm’s chief economist and her fellow senior analysts to understand, forecast and communicate economic, business and technology trends affecting middle market businesses.