Where hospital cyber defenses fall short

Cyberattacks on hospitals are becoming more frequent, more sophisticated and more disruptive. They can paralyze EHRs, delay surgeries and force ambulances to divert. Yet many of the most persistent vulnerabilities aren’t buried deep in code — they sit at the messy intersection of technology and clinical practice.

Chief medical information officers say that blind spots in governance, aging infrastructure and everyday clinical workarounds leave hospitals exposed, and they argue that clinical leaders need to take a more active role in addressing them.

“Healthcare’s major cybersecurity vulnerabilities include unprotected legacy medical devices, shadow IT from tools adopted by clinicians, weak identity management and risks from third-party vendors — all of which directly jeopardize patient safety,” said Usman Akhtar, MD, CMIO of Virginia Hospital Center. These issues, he said, persist because they straddle IT and clinical operations, creating gaps in accountability and underinvestment. 

“Clinical leaders need to prioritize cybersecurity as a matter of patient safety and care continuity,” he added.

Among the most difficult challenges to control are the apps and digital tools that quietly make their way into clinical workflows. Elie Razzouk, MD, CMIO for AdventHealth’s Central Florida Division, said he understands why it happens: clinicians are problem solvers and when “official” technology lags behind patient needs, the clinicians find ways to fill the gap. But every unvetted app and unsecured data connection, he said, “creates unseen vulnerabilities, slowly eroding the trust that underpins patient safety. The real risk isn’t malicious intent — it’s the quiet acceleration of convenience outpacing governance.”

Others pointed to third-party vendors and outdated systems as major sources of risk. John (Clay) Callison, MD, CMIO at Knoxville, Tenn.-based University Family Physicians, said clinicians often underestimate how much exposure can come from external partners that handle sensitive data, or from older critical systems that are difficult to patch. 

“IT leaders are usually very savvy when it comes to these security issues, but clinical leaders — and all clinicians in general — need education and reminders,” he said.

At Norfolk, Va.-based Sentara Health, Joshua Evans, MD, CMIO, and Chief Information Security Officer Zishan Siddiqui said third-party vendor risk, human error and inadequate technical defenses remain the primary blind spots. They urged clinical leaders to champion staff training, advocate for system upgrades and take part in incident response planning, including tabletop exercises that simulate cyberattacks. Such involvement, they said, is critical to building a culture of security that protects both infrastructure and patient safety.

Together, these leaders paint a picture of cybersecurity not as a technical silo, but as a shared responsibility — one that requires clinical voices at the table. The blind spots may be familiar, but their consequences are growing harder to ignore.

The post Where hospital cyber defenses fall short appeared first on Becker’s Hospital Review | Healthcare News & Analysis.