Anatomy of an Incident Response Plan: A Five-Step Guide for Medical Practices

Eder Ribeiro, JD, MS

Jan 2, 2026

Healthcare Administration Leadership & Management Journal

Volume 4, Issue 1, Pages 32-33

https://doi.org/10.55834/halmj.5917705099


Abstract

In the first half of 2025 alone, 444 healthcare breaches in the United States affected more than 36 million individuals, underscoring the near unavoidability of cyber incidents in the sector. This article details how clinics can act today to ensure faster recovery and less downtime when tomorrow’s inevitable cyber attack occurs. The five steps — identifying and ranking risks; allocating resources; assigning stakeholder roles; pressure-testing the plan; and conducting post-incident debriefs — provide a practical framework for developing a strong incident response strategy. Each phase is designed to bring order to chaos, ensuring that critical systems, patient data, and operations are swiftly restored.
Healthcare advisors often tout the many benefits of preventative medicine — and with good reason. It helps catch disease and prevent illness early, when treatment is more effective.

Unfortunately, many healthcare pros rarely take the same proactive approach when it comes to planning their organizations’ cybersecurity. One of the most common regrets voiced by medical practice leaders after experiencing a cyber incident is, “I wish I’d known better what to do on Day Zero.”

The confusion of those first hours of a cyber attack — who to call, what to disconnect or shut down, and how to protect patient data — can turn an already stressful situation into a crisis that is riddled with significant legal, financial, and reputational consequences.

The Stark Trickle-Down Effect

Healthcare providers are no more immune to cyber attacks than other types of organizations. In the first half of 2025, U.S. healthcare organizations reported 444 breaches affecting over 36 million individuals, underscoring just how frequent, widespread, and damaging these incidents can be.(1)

Indeed, the prevailing view is not if a medical practice will suffer an incident, but when.

Just as they wouldn’t wait to treat a patient until symptoms turned severe, healthcare organizations shouldn’t wait idly for the inevitable cyber incident to happen. With a robust incident response plan in place, clinics attacked by threat actors have been shown to recover faster and return to caring for patients sooner.

Practical Ways to Prepare for the Likely Cyber Attack

Although there are many routes a medical business can take to develop an effective incident response plan, several best practices have emerged in recent years. Here are five practical steps to create a response strategy that not only addresses incidents for your own organization — but also incorporates proactive measures to help reduce risk across the board:

  1. Identify and rank risks. Talk with internal stakeholders and third-party support experts (e.g., IT providers, regulators, and cyber insurance brokers) to understand your practice’s needs and main points of vulnerability, as well as the likely costs of recovery. Categorize vulnerabilities as critical, medium risk, or low risk.

  2. Allocate resources. Outline the human and technical controls that will be deployed to secure each point of vulnerability. Start with the most critical risks, such as a breach of protected health information data or disruption of critical medical equipment.

  3. Assign jobs to stakeholders. Using a three-person depth chart (a primary, a backup, and a second backup for each role), detail clear roles and responsibilities in the event of a cyber incident. This provides much-needed order during an attack in place of the chaos that is so often seen. Assigning the right people to the right jobs improves the chances that patient communication, EHR recovery, and stringent regulatory reporting will go more smoothly.

  4. Pressure-test the plan. Run the incident response plan through tabletop exercises to identify gaps, clarify roles, and train each stakeholder on their individual duties. Pro tip: make sure to have paper copies of the incident response plan available for the pressure test and beyond. That way, if, for example, systems are encrypted and inaccessible during a ransomware attack, your team members still have access to the plan.

  5. Debrief. Following a cyber incident, hold an after-action review that brings together internal and external stakeholders to assess and adjust the incident response plan for the inevitable next incident. Clinics struck once often are targeted again.

Evidence of Incident Response Planning’s Purpose

Developing an incident response plan forces a medical practice to think deeply about its readiness to operate in today’s high-stakes, high-speed threat environment. Examine this case of a small dental clinic that recently suffered a cyber attack.

The 10-person dental practice was one of at least 50 medical businesses impacted by a ransomware attack that originated at their shared managed services provider. Because the dental clinic had dedicated the time to develop a proactive incident response plan, the practice’s outcome was much different than others impacted by the incident. Of the seven practices our team helped recover from the ransomware attack, the dental clinic was the only one that didn’t have to resort to paying a ransom to get its systems back online in a timely manner. Meanwhile, some of the other clinics paid ransoms as high as $16,000.

The well-prepared dental clinic’s improved outcomes were realized largely due to a couple of highly effective prescriptions in the incident response plan. The first was the practice of regular, offsite backups not tied to the clinic’s managed services provider. The second was an established relationship with a secondary managed services provider. This gave the clinic nearly immediate access to loaner servers, which kept the dental practice operational while investigation and restoration initiatives were underway. The practice was back up and running in a single day, whereas most of the other clinics were down for as many as five days.

Exceeding Expectations of Patients and Examiners

Small medical businesses face much greater regulatory scrutiny than a small manufacturer or skilled trades company, for example. A clinic’s risk tolerance must align not only with what healthcare examiners expect but also with what patients demand. Consumers are increasingly aware of the vulnerabilities of their digital health footprints. As just one example illustrates, nearly half of patients who choose not to use patient portals said they lack confidence in the security of their data on such systems.(2)

Rather than treating incident response plan development as just another task on the to-do list, medical organization leaders should look at the initiative as an opportunity to better meet — or perhaps even exceed — regulator and patient expectations. The process of putting pen to paper allows practitioners to pause and contemplate the what-ifs. Going through the exercise of imagining a cybercrime thus becomes a thought experiment that yields much more than a plan of action. It identifies gaps in security, clarifies responsibilities, and highlights investments needed to build resilience against what has become a formidable, persistent, and anticipated threat.

References

  1. Alder S. Healthcare Data Breach Report. The HIPAA Journal. August 25, 2025. www.hipaajournal.com/july-2025-healthcare-data-breach-report/.

  2. Olsen E. Data security concerns hamper patient portal uptake: survey. Healthcare Dive. May 29, 2025. www.healthcaredive.com/news/confidence-data-security-patient-portal-use-lexisnexis-survey/749206/.

Eder Ribeiro, JD, MS

Eder Ribeiro, JD, MS, Director of Global Incident Response at TransUnion, Chicago, Illinois
