Original broadcast 10/1/25
Presented by Carahsoft
At the Billington CyberSecurity Conference in Washington, DC, Brian Mazanec, PhD, Deputy Assistant Secretary and Director of H-CORE at the Department of Health and Human Services (HHS), offered a sobering assessment of the cybersecurity landscape in the healthcare sector. His remarks underscored the growing urgency of protecting hospitals, medical devices, and patient care systems from cyberattacks that not only disrupt operations but also pose direct risks to human health and safety.
Mazanec began by framing the scale of the problem. Year over year, he explained, the volume and sophistication of cyberattacks targeting healthcare continue to rise. Among the most troubling trends is the surge in ransomware, which has increasingly locked down critical hospital systems. Unlike in other sectors, the consequences of ransomware in healthcare are not confined to financial losses or reputational damage. They can directly impact patient care, delaying diagnostic scans, disrupting treatment, and in extreme cases, threatening lives.
He described scenarios where attacks on radiology departments or CT scanners could prevent emergency rooms from delivering timely care. In such cases, the difference between life and death can hinge on whether doctors can access their tools. This urgency, Mazanec argued, makes healthcare cybersecurity distinct from other critical infrastructure sectors. While every sector is important, only healthcare intersects so directly with patient safety on a nationwide scale.
To counter this threat, HHS has developed sector-specific cybersecurity performance goals, or CPGs. Modeled after broader guidance from the Cybersecurity and Infrastructure Security Agency (CISA), these tailored goals identify the ten most impactful practices that healthcare organizations can implement to harden their systems. By focusing on practical, high-yield measures, HHS hopes to raise the baseline resilience of the sector and change the adversary’s calculus. If hospitals and clinics are harder targets, attackers may think twice before striking.
Mazanec emphasized that HHS cannot tackle this problem alone. Partnerships across government and with the private sector are essential. Within HHS itself, multiple components play critical roles: the Office of the Chief Information Officer provides technical leadership, the Food and Drug Administration regulates medical device cybersecurity, and the Centers for Medicare and Medicaid Services influence security practices across the healthcare ecosystem. His own office, the Administration for Strategic Preparedness and Response (ASPR), serves as a coordination hub, particularly for incident response.
Beyond HHS, collaboration with the FBI and CISA is central to the federal approach. The FBI brings law enforcement tools to pursue adversaries and respond to incidents, while CISA contributes technical expertise and cross-sector coordination. Together with HHS, these agencies form a unified response capability, ensuring that victims receive both immediate assistance and long-term support. Mazanec stressed that this “team sport” approach is essential given the scale and complexity of the threat.
He also highlighted the importance of addressing cross-sector dependencies. Hospitals cannot operate without electricity, clean water, and wastewater services, making the healthcare sector deeply intertwined with energy and environmental infrastructure. Recognizing these dependencies, HHS works closely with counterparts in the Department of Energy and the Environmental Protection Agency to ensure that sector-wide resilience efforts take these critical connections into account.
Looking to the future, Mazanec acknowledged that artificial intelligence will be a defining factor in both the threat landscape and the defense of healthcare systems. On one hand, adversaries are already leveraging AI to automate and accelerate their attacks. On the other, healthcare organizations and their government partners are exploring how AI can strengthen defenses, from predictive analytics to automated detection and response. The rapid pace of change, however, also requires new workforce skills. Ensuring that healthcare cybersecurity professionals are trained to operate in an AI-driven environment will be vital.
Mazanec closed on a note of cautious optimism. While the challenges are daunting, he pointed to the growing recognition of cybersecurity as a patient safety issue. This reframing, he argued, is critical. Protecting networks and devices is not just about compliance or technology; it is about safeguarding lives. By making cybersecurity a core part of healthcare resilience, HHS and its partners are working to ensure that hospitals can deliver care even in the face of sophisticated and persistent cyber threats.
Key Takeaways
Ransomware in healthcare is especially dangerous because it can disrupt patient care and endanger lives.
HHS has introduced sector-specific cybersecurity performance goals to harden healthcare systems quickly.
Strong partnerships across government, the private sector, and other critical infrastructure sectors are essential to protecting healthcare from cyber threats.