From Ransomware to Resilience: What Healthcare CIOs Must Do to Keep Care Running
Cybercrime now drains trillions of dollars from the global economy, and healthcare remains one of the most profitable targets. Ransomware attacks do more than lock systems. They destroy trust in data, backups, and identities. Once attackers gain administrative access, traditional disaster recovery plans often make matters worse by spreading the infection rather than containing it. A white paper by Rubrik and CHIME argues that prevention alone is failing and that resilience has become a clinical imperative.
Minimum Viable Hospital
Healthcare has long planned for physical disasters by separating data centers and failing over systems. Ransomware breaks that model. When malware contaminates backups, distance no longer matters. What matters is isolation.
Healthcare technology leaders described the move from standard disaster recovery to cyber recovery using isolated recovery environments. These environments create “security distance” so teams can restore systems without reintroducing malware.
Because building this capability is expensive, organizations must prioritize ruthlessly. That is where the concept of the “Minimum Viable Hospital” comes in. Instead of trying to recover hundreds of applications, CIOs must identify the small set that keeps patients safe and operations running. Labs, pharmacy, imaging, identity, and payroll rise to the top. Many systems people assume are critical simply are not.
This approach forces uncomfortable but necessary conversations. It also shortens downtime from weeks to days when an attack happens.
This is the same concept I mentioned in April 2025, when I created this concept.
Identity Is the New Front Door
If resilience is the safety net, identity is the tightrope. Attackers no longer need to break in through the network when they can log in.
Healthcare leaders were blunt in the research interview: basic MFA is no longer enough. SMS codes, one-time passwords, and static credentials fail under social engineering, SIM swapping, and deepfake-assisted fraud. Identity verification must adapt.
Health systems are responding with higher-friction controls for high-risk actions. Video-based verification, badge checks, biometrics, and just-in-time access are becoming standard. Privileged Access Management and Privileged Identity Management are no longer “nice to have.” In many cases, they are required for cyber insurance.
The rise of non-human identities, including autonomous AI agents, only raises the stakes. Service accounts with passwords that never expire represent a silent but serious risk.
Zero Trust as a Culture, Not a Tool
Technology alone does not create resilience. Governance does.
Leaders shared how Zero Trust only works when security decisions move out of isolated IT committees and into everyday operational forums. Embedding security into clinical, architectural, and administrative discussions changes the tone from “no” to “how do we do this safely?”
Several organizations now run planned downtimes during business hours. These drills force teams to use paper workflows and manual processes while leadership watches. The goal is not disruption. It is muscle memory. When a real attack happens, clinicians already know what to do.
The Persistent Blind Spot: Medical Devices and IoT
Even as identity hardens, attackers look for softer targets. Medical devices and IoT systems remain a major gap. Many devices stay in service for decades and cannot be patched.
Visibility is the first step. Leaders emphasized the need for accurate inventories, software bills of materials, and network segmentation. If an infusion pump attempts to communicate with Active Directory, the breach has already begun. Segmentation limits blast radius and traps attackers before they pivot deeper into the network.
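The infusion-pump example above can be turned into a detection rule over firewall or flow logs. The following is an added example, not taken from the white paper: the subnets, domain controller addresses, and log format are assumptions for illustration, and the flow records are constructed.

```python
import ipaddress

# Assumed inventory for illustration: replace with your own device segments and DC list.
DEVICE_SEGMENTS = {
    "infusion-pumps": ipaddress.ip_network("10.40.0.0/24"),
    "imaging": ipaddress.ip_network("10.41.0.0/24"),
}
DOMAIN_CONTROLLERS = {ipaddress.ip_address("10.10.0.5"), ipaddress.ip_address("10.10.0.6")}
# Well-known Active Directory service ports.
AD_PORTS = {88: "kerberos", 135: "rpc", 389: "ldap", 445: "smb", 464: "kpasswd",
            636: "ldaps", 3268: "gc", 3269: "gc-ssl"}

# Constructed sample flow records: "timestamp src dst dport proto action"
SAMPLE_FLOWS = """\
2025-01-10T08:00:01Z 10.40.0.17 10.50.0.9 443 tcp allow
2025-01-10T08:00:04Z 10.40.0.17 10.10.0.5 389 tcp allow
2025-01-10T08:00:05Z 10.40.0.17 10.10.0.5 88 udp deny
2025-01-10T08:00:09Z 10.20.3.44 10.10.0.5 88 tcp allow
2025-01-10T08:00:12Z 10.41.0.8 10.10.0.6 445 tcp allow
malformed line
2025-01-10T08:00:15Z 10.41.0.8 10.10.0.6 53 udp allow
"""

def segment_of(addr):
    """Return the name of the device segment containing addr, or None."""
    return next((n for n, net in DEVICE_SEGMENTS.items() if addr in net), None)

def find_device_to_ad(flow_text):
    """Flag flows from medical-device segments to AD services on a domain controller."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of failing the whole run
        ts, src, dst, dport, proto, action = parts
        try:
            src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        except ValueError:
            continue
        seg = segment_of(src_ip)
        if seg and dst_ip in DOMAIN_CONTROLLERS and port in AD_PORTS:
            # "allow" means segmentation did not stop the flow, so rank it higher.
            severity = "critical" if action == "allow" else "high"
            alerts.append({"time": ts, "segment": seg, "src": src, "dst": dst,
                           "service": AD_PORTS[port], "severity": severity})
    return alerts

if __name__ == "__main__":
    print(*find_device_to_ad(SAMPLE_FLOWS), sep="\n")
```

A denied attempt is still worth an alert: the device tried to reach a domain controller, and segmentation is the only reason it failed.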
Next Steps for Healthcare CIOs
For healthcare CIOs, the path forward is clear:
Redefine recovery. Invest in isolated recovery environments and test them.
Define your Minimum Viable Hospital. Agree on what truly matters before an attack forces the decision.
Strengthen identity controls. Move beyond basic MFA and secure privileged access.
Practice under pressure. Replace tabletop exercises with real downtime drills.
Close the device gap. Demand visibility and segment what cannot be patched.
Reframe the board conversation. Talk about days of downtime, patient risk, and revenue loss, not firewall features.



Spot on. This Minimum Viable Hospital concept totally clicks, kinda like my Pilates instructor always going on about isolating the core. You really gotta figure out your critical path and secure that first, makes so much sense for a robust cyber recovery plan, even if it means some tough decisions.