Health care remains one of the most targeted and vulnerable sectors when it comes to cyberattacks. In fact, a recent breach at a major health care analytics firm exposed the data of 5.4 million U.S. patients, making it one of the most significant breaches reported to federal regulators this year.
Legal protections for private health information have expanded, but the scale of recent incidents is staggering—affecting more than 31 million individuals in 2025 alone (according to the HIPAA Guide H1 2025).

Why health care is a prime target for cyberattacks
Health care organizations manage sensitive data, operate within highly complex digital ecosystems, and often struggle with aging infrastructure and limited budgets for information technology. Here are some examples:
- Ransomware and operational disruption. Ransomware can cripple hospital operations, triggering breach notifications required under the federal Health Insurance Portability and Accountability Act, regulatory scrutiny, and potential litigation.
- Phishing and social engineering. Health care staff are frequent targets of phishing attacks. Inadequate training increases the risks of a breach and also of legal exposure under HIPAA.
- Legacy systems and patch management challenges. Outdated technology and weak patching practices create vulnerabilities and may lead to noncompliance with security requirements.
- Third-party and vendor risks. Vendors with access to the health care provider’s system can introduce hidden vulnerabilities over which the health care provider exercises insufficient oversight.
- Regulatory complexity and evolving requirements. The legal obligations related to protection of individual health information and cybersecurity are changing constantly, making it difficult for health care providers to stay current and compliant.
- Increasing use of the Internet of Things and connected medical devices. Medical devices often lack strong security controls, and breaches can pose risks to data privacy and to patient safety.
These and other characteristics make health care a prime target for threat actors.
Best practices
Given these risks, here are four cybersecurity best practices for the health care industry:
No. 1: Involve legal counsel before there is a problem. Lawyers should be involved as early as the planning stage. Your counsel can review your security policies to ensure that they are comprehensive and compliant, and can also help the company’s leadership understand their obligations.
No. 2: Build and test an incident response plan. Every organization needs a clear and up-to-date plan for responding to a cyberattack. Your legal counsel can help ensure that your plan adequately addresses required notifications (such as those under HIPAA) and can conduct practice drills with your team. In the unfortunate event of an incident, your counsel can help guide you while protecting sensitive communications.
No. 3: Assess your own risks and those created by your vendors. Health care providers must regularly assess security risks, including risks from third-party vendors. Your legal team can help to ensure that those assessments are adequately documented and that contracts with vendors clearly assign responsibility in the event of an incident.
No. 4: Follow trusted industry standards. The use of cybersecurity standards such as those issued by the National Institute of Standards and Technology, HITRUST, or the 405(d) program endorsed by the U.S. Department of Health and Human Services demonstrates that your organization is taking reasonable steps to protect its data. Your legal team can help you apply these standards and ensure that you are compliant and up-to-date.