Cyber attacks on health care are ubiquitous, increasingly sophisticated and can cost lives. The health care sector has been lagging behind other industries in digital transformation, including investments in cybersecurity. Stakeholders’ awareness of their own responsibilities and those of others in mitigating cyber threats is often limited.
For this narrative literature review, on 30 April 2025, we searched without date, language or geographical restrictions PubMed, Web of Science, Scopus, IEEE Xplore and EBM Reviews for journal articles that reported practical approaches and actionable recommendations to improve cybersecurity in health care. Our initial search returned 720 articles; following supplementary searches and screening, a total of 45 relevant documents were included.
Described are the expected roles of key stakeholders in mitigating cyber threats, from governments and lawmakers to health care managers, information technology experts and clinical providers. Health care organisations must step up investments in cybersecurity. Each organisation must develop and implement a strong cybersecurity strategy. State-of-the-art approaches include training to resist phishing, as well as the use of the principle of least privilege for user and administrative access, traffic monitoring tools, endpoint detection and response technologies, along with timely security patching. Zero trust architecture is gaining in relevance and use. Best approaches to balancing cybersecurity with minimal disruption of workflows include user-centric solutions that utilise multi-factor authentication combined with one-time passwords, biometrics or smart cards.
A comprehensive overview of practical approaches and actionable recommendations for improving cybersecurity in health care, presented by key stakeholders’ roles, delineating state-of-the-art in this fast-moving field.
Introduction
Cyber attacks on health care are a growing threat globally (Lancet, 2024), causing operational and financial difficulties but also threatening patients’ safety and well-being. Attackers’ motivations include financial or political gain and the potential to take lives in a form of cyber warfare (Coventry and Branley, 2018). Materialised threats have affected hospitals, insurance companies, information technology (IT) vendors and others (Ghafur et al., 2019; Daly, 2022; Antoniuk, 2024; Reuters, 2025), resulting in postponed or cancelled appointments, shutdown networks and information systems, patient transfers to other facilities and processes reverted to paper-based mode. Attacks vary, from phishing (sending fraudulent e-mails containing malicious content) through malware (malicious software capable of spreading and causing harm to computing and data resources) to ransomware (extortion malware that cryptographically locks out access to resources and data and demands a ransom, usually in cryptocurrency).
Many cyber attacks manifest as “advanced persistent threats”, conducted by organised groups using sophisticated techniques (OCIO, 2023). A targeted entity is attacked persistently until the group’s goal is achieved, which can take months (CW Jobs, 2016). Health care is increasingly targeted because of growing vulnerabilities, caused by burgeoning applications and services, interconnected and used by numerous users (Lancet, 2024). Outdated and legacy technologies that do not support modern protection approaches are widespread. A sizable increase in threats was seen during the COVID-19 pandemic, prompting the WHO (mondiale de la Santé, 2024) to call for improved prevention and detection of threats; such threats can, however, only be mitigated rather than prevented entirely. Data breaches are a matter of “when” rather than “if” for health care organisations (Lancet, 2024). It has become necessary for cybersecurity to be incorporated into business strategies (Zerlang, 2022). For over a decade, the average cost of data breaches globally has been higher in health care than in any other industry (Ukyab and Beato, 2024).
Cybersecurity in health care organisations is often viewed as the responsibility of IT departments; however, other stakeholders have key roles to play (WHO, 2024). Preventing and mitigating threats is the proverbial cat-and-mouse game, with the system as secure as its weakest link. We have therefore set out to review available literature for practical approaches and actionable recommendations to mitigating cybersecurity threats in health care.
Methods
We have conducted comprehensive literature searches from database inception to 30th April 2025 of PubMed, Web of Science, Scopus, IEEE Xplore and the EBM Reviews via Ovid (including the American College of Physicians (ACP) Journal Club, Database of Abstracts of Reviews of Effects, Cochrane Central Register of Controlled Trials, Health Technology Assessment, Cochrane Database of Systematic Reviews, National Health Service Economic Evaluation and Cochrane Methodology Register), without language or geographical restrictions. Search strings were tailored to the distinctive search structures of the included databases (see Appendix, Supplementary data S1: Search strategy), comprising the terms cybersecurity, data security, information security, security vulnerability, data breach, cyberattack, ransomware; hospital, health system, health care organisation, health information system, patient privacy, electronic health record; best practice, risk management, strategy, recommendation, technology, framework. This was supplemented by non-systematic reference and citation searches.
We included journal articles that described practical approaches and actionable recommendations to improving cybersecurity in health care. Excluded were articles that reported on specific settings, such as field hospitals or organ donation procurement, or specific technologies such as mHealth and wearables aimed solely at patients and the public, telemedicine, telemonitoring and telemetry, as well as clinical photographs and other images, biomedical signals, production of biopharmaceuticals and drug development, storage of genomic sequence data and secondary data use infrastructures. Conference papers, patents and retracted articles were also excluded.
We used Rayyan (Ouzzani et al., 2016) for handling the search results, detecting duplicates and screening articles for relevance based on titles and abstracts, followed by a full-text screening of selected studies. One reviewer with a Master of Science degree in information sciences (KF) conducted the searches and screening of the articles, with the other reviewer (HB) checking this work and both initiating discussions as deemed needed. We synthesised the studies according to major stakeholders responsible for cybersecurity in health care. Given the narrative review design and the characteristics of the available evidence, a formal quality appraisal of the included studies was not performed. No written protocol existed for this narrative review. In choosing the optimal type of knowledge synthesis method most suitable for the purpose of this review, we consulted Right Review, a web-based decision support tool (Amog et al., 2022). We are unaware of formal reporting guidelines or checklists for narrative, traditional literature reviews, so have conducted and reported the study in line with the best available resources (Booth et al., 2021; Gasparyan et al., 2011; Parker and Sikora, 2022) and broadly followed the PRISMA guideline for systematic reviews where considered relevant (Page et al., 2021). The PRISMA flowchart and a glossary of technical terms are available in the Appendix as Supplementary data S2 and S3, respectively.
Results
Our initial search returned 720 articles, of which 67 were deleted as duplicates and 144 were selected for full-text retrieval and screening. Of these, 27 were included in the review. Through supplemental searches, we identified 18 additional relevant documents for inclusion. There were no disagreements between the reviewers that would require adjudication by a third party.
Governments and lawmakers
In the first overview of the state of cybersecurity in the European Union (ENISA, 2024), the European Union Agency for Cybersecurity called for policymakers to enhance the understanding of sectorial specificities and needs, as well as improve the level of cybersecurity maturity, in the health care sector inter alia and in line with relevant legislation such as the NIS2 Directive (EUR-Lex, 2022), the Cyber Resilience Act (EUR-Lex, 2024) and the Cyber Solidarity Act (EUR-Lex, 2025). It is up to governments and lawmakers to develop and implement national cybersecurity strategies, policies and frameworks, including for health care.
A cybersecurity framework is a set of guidelines that enterprises follow to better identify, detect and respond to cyber attacks (Syafrizal et al., 2020; Adnan et al., 2024). It includes guidance on how to prevent or recover from attacks through a set of standards, methodologies, procedures and processes. The United States National Institute of Standards and Technology (NIST) Cybersecurity Framework, developed following President Barack Obama’s 2013 executive order (NIST, 2013), is often used, alongside other available frameworks such as the International Organization for Standardization and International Electrotechnical Commission standard ISO/IEC 27001, the Health Information Trust Alliance Common Security Framework (HITRUST CSF), the European Union’s General Data Protection Regulation (GDPR), the United States’ Health Insurance Portability and Accountability Act (HIPAA), ISACA’s Control Objectives for Information and Related Technologies (COBIT), NIST’s National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE), the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework and others (Syafrizal et al., 2020). Strictly speaking, GDPR and HIPAA are legal requirements rather than control frameworks, but they are commonly treated as compliance baselines against which controls are selected.
It is up to policymakers to ensure that all stakeholders work towards the common goal of data protection (Pool et al., 2024). This can be facilitated by establishing appropriate communication channels and collaborations between IT departments, health executives, providers of clinical care, vendors and other technology providers, insurers and patient groups, as well as by providing adequate funding for these activities. Information sharing between stakeholders has been recommended in order to build resilience (Argaw et al., 2020). Patients and the public must be engaged and informed about their rights and the measures that have been put in place to protect their data (Pool et al., 2024). Continued monitoring to detect and respond to incidents in a coordinated way, including ransomware attacks and data breaches, can be set up at the national level (CISA, 2025).
Educational programs must be created and funded to train the medical informatics workforce (Fišter et al., 2019), including specialists in cybersecurity, who are in growing demand. Finally, health care reform has been proposed as a means to curb cyber attacks (Farringer, 2019). Governments have been warned that, until there are changes to the health care infrastructure, there is a danger that security measures will be applied piecemeal, with the most vexing challenges left inadequately addressed. Therefore, a “comprehensive health care reform that includes cybersecurity not just as a thought, but as a purpose and goal of system redesign” has been called for to most efficiently and effectively address cybersecurity risk (Farringer, 2019).
Health care executive leaders
Health care executives are responsible for fostering a positive and inclusive workplace culture, prioritising the work-life balance of employees, as well as for fostering a strong cybersecurity culture that holds security a top priority (Subramanian et al., 2024). It is up to institutional leaders to develop fair and accessible policies, regularly update them and design frameworks for keeping patients and employees informed, ensure quality internal and external communications, as well as compliance with data protection laws.
Organisation top executives must prioritise the strengthening of IT and security departments (Pool et al., 2024), addressing cybersecurity in a preventative and proactive way, with strong IT infrastructure as the foundation (Argaw et al., 2020). It is important to have a designated cybersecurity team, led by a Chief Information Security Officer (Kruse et al., 2017b) or, if that role does not exist in the organisation, by another designated person such as the head of IT. Roles and responsibilities should be clearly assigned within the team. In addition, there should be a clear agreement at the organisation level on what constitutes a reportable incident and when to escalate (Argaw et al., 2020).
Executives and board members should implement comprehensive data protection strategies and allocate sufficient resources to IT and security departments; this includes ensuring adequate education and training for all staff, as well as promoting a culture of responsible use of data (Pool et al., 2024; Farringer, 2019; Kruse et al., 2017a). Oversight of cybersecurity risk management must be incorporated into governance and a risk communication plan developed as part of incident response support in case of realised data breaches or cyber attacks (Subramanian et al., 2024).
IT leaders and staff
IT leaders, in roles such as chief information officers, chief information security officers, data protection officers and IT/security managers, together with IT staff should prioritise fostering a culture of data security and shared responsibility within the organisation (Pool et al., 2024; Clarke and Martin, 2024). This includes advocating for education and training programs, with an aim to prevent health care workers’ noncompliant behaviour and lack of awareness, which facilitates data breaches (Arafa et al., 2023). Scenario-based training and periodic assessments can facilitate compliance (Pool et al., 2024).
Beyond ensuring compliance with existing regulations, standards and frameworks, IT leaders must create and implement cybersecurity strategies that encompass well-considered solutions for the variety of potential threats, including prevention, detection, response and recovery mechanisms (Zandona and Thompson, 2017; Arafa et al., 2023). Organisational characteristics, such as the size of the organisation and of its IT department and the available security resources, should be taken into account when formulating information security policies (Pool et al., 2024). This should include the development of incident response protocols and business continuity plans to promptly address and manage data breaches or realised threats; these protocols should be regularly tested and exercised, and stored offline so that they remain available when the organisation’s own systems are encrypted or shut down (Argaw et al., 2020).
Protocols also need to be put in place to address data protection failures at third parties, which includes establishing robust processes for assessing and monitoring business associates (Pool et al., 2024). Data protection officers, together with IT leaders and staff, should assess and enhance data protection at third parties by establishing reasonable criteria for external partners and business associates. Cloud service providers, for example, must hold the relevant certifications and meet the relevant requirements, with solid approaches to role-based access, network security mechanisms, data encryption, digital signatures and access monitoring (Rodrigues et al., 2013). mHealth app developers should contribute to the prevention of breaches by ensuring adequate data protection when presenting their apps in mobile app markets (Pool et al., 2024).
The IT/security department should implement effective access controls and monitoring mechanisms to mitigate noncompliant behaviour among health care workers (Pool et al., 2024). Techniques to protect electronic health records from unauthorised access and use of data span technical, physical and administrative safeguards, although no approach will thwart deliberate or accidental breaches with absolute certainty (Kruse et al., 2017b). Technical access control (a category that, in the taxonomy used by Kruse et al. (2017b), also covers media controls, entity authentication, encryption, firewalls, audit trails, virus checking and packet filtering), whether role-based, attribute-based or identity-based, aims to grant users access to patient information only as needed: a provider has access only to the data of the patients they are caring for, and clerks only to administrative data. Access should be denied unless a rule explicitly allows it, and every access decision should be recorded in an audit trail so that misuse can be detected after the fact.
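As an added example, not code from the reviewed literature, the following Python implements the least-privilege rules just described as an attribute-based policy with a default deny and an audit trail. The roles, record sections, the care-team attribute on clinician accounts and the emergency (“break-glass”) read override that is permitted but always queued for review are assumptions made for the example.

```python
"""Attribute-based access control for an electronic health record (added example).

Every request is denied unless an explicit rule allows it, and every decision,
allowed or not, is appended to an audit trail for later review.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Sections of a patient record, grouped by sensitivity (constructed for the example).
ADMINISTRATIVE = {"demographics", "billing", "scheduling"}
CLINICAL = {"problem_list", "medications", "notes", "lab_results"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                               # "clinician", "clerk" or "it_admin"
    care_team_of: frozenset = frozenset()   # patient IDs this clinician treats


@dataclass
class AccessRequest:
    user: User
    patient_id: str
    section: str
    action: str                 # "read" or "write"
    break_glass: bool = False   # emergency override asserted by the requester


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_review: bool = False  # True for break-glass access


AUDIT_LOG = []   # in production this is an append-only, tamper-evident store


def decide(req: AccessRequest) -> Decision:
    """Policy decision point: default deny, least privilege per role."""
    u = req.user
    if u.role == "clerk":
        if req.section in ADMINISTRATIVE:
            return Decision(True, "clerk: administrative section")
        return Decision(False, "clerk: clinical data not permitted")
    if u.role == "clinician":
        if req.section not in ADMINISTRATIVE | CLINICAL:
            return Decision(False, "unknown record section")
        if req.patient_id in u.care_team_of:
            return Decision(True, "clinician: treatment relationship")
        if req.break_glass and req.action == "read":
            # Emergency read of a patient outside the care team: allowed, but flagged.
            return Decision(True, "clinician: break-glass read", needs_review=True)
        return Decision(False, "clinician: no treatment relationship")
    # IT administrators (and any unknown role) never see patient data.
    return Decision(False, f"{u.role}: no patient data access")


def enforce(req: AccessRequest) -> Decision:
    """Policy enforcement point: decide, then record the decision."""
    d = decide(req)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user.user_id, "role": req.user.role,
        "patient": req.patient_id, "section": req.section, "action": req.action,
        "allowed": d.allowed, "reason": d.reason, "needs_review": d.needs_review,
    })
    return d


def review_queue() -> list:
    """Entries a privacy officer should inspect: break-glass use and denials."""
    return [e for e in AUDIT_LOG if e["needs_review"] or not e["allowed"]]


if __name__ == "__main__":
    dr = User("dr_ana", "clinician", frozenset({"P001", "P002"}))
    clerk = User("clerk_bo", "clerk")
    admin = User("it_cy", "it_admin")
    print(enforce(AccessRequest(dr, "P001", "notes", "read")))               # allowed
    print(enforce(AccessRequest(dr, "P009", "notes", "read")))               # denied
    print(enforce(AccessRequest(dr, "P009", "notes", "read", break_glass=True)))  # allowed, review
    print(enforce(AccessRequest(clerk, "P001", "billing", "write")))         # allowed
    print(enforce(AccessRequest(clerk, "P001", "notes", "read")))            # denied
    print(enforce(AccessRequest(admin, "P001", "demographics", "read")))     # denied
    print(len(review_queue()), "audit entries queued for review")
```

The decision function is kept separate from the enforcement function so that the same policy can be unit-tested without touching the audit store, and so that a denial is logged just as faithfully as a grant.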
Firewalls are considered essential, but each organisation must assess its needs, budget and potential threats, both internal and external, before deciding which type of firewall to opt for (Sichkar and Pavlova, 2023). A four-phase firewall security strategy has been described, encompassing service control, direction control, user control and behaviour control (Wikina, 2014). Failure to follow these best practices has been associated with a number of reported cases of data breaches (Kruse et al., 2017b).
Use of cryptography is another essential method of technical access control. Encryption must be used while data are in transit, at rest on storage devices and during backups (Arafa et al., 2023; Subramanian et al., 2024). Cloud computing can be a solution for some organisations to keep costs at bay while maintaining cryptography protections (Kruse et al., 2017b), yet cloud-based electronic health record solutions may also aggravate security concerns, for which various remedies have been proposed (Sahi et al., 2021; Alenoghena et al., 2022; Wang et al., 2019; Gupta et al., 2024); therefore, it is important that IT staff ensure that best security practices are followed by the technology providers, in order to mitigate potential threats. In addition, some settings report use of tokens (Wang et al., 2022) or masking of data (Martínez et al., 2013).
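Tokens and masking, as an added illustration rather than an approach taken from the cited studies: the Python below replaces a direct identifier with a random surrogate whose only link back to the original is a mapping held in a separate vault, and produces a masked display form for screens and logs. The vault design, the HMAC-keyed lookup index, the sample identifier and the boolean authorisation check are assumptions for the example; in production the vault’s contents would themselves be encrypted at rest and the key held in a key management system.

```python
"""Tokenisation and masking of patient identifiers (added example).

A token is a random surrogate with no mathematical relation to the value it
replaces; the only way back is the vault's mapping table, which is kept apart
from the tokenised data and exposed only to authorised callers.
"""
import hashlib
import hmac
import secrets


class TokenVault:
    """Holds the identifier-to-token mapping; nothing outside it can reverse a token."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper          # secret key for the lookup index (assumed: from a key manager)
        self._index_to_token = {}      # keyed hash of identifier -> token
        self._token_to_value = {}      # token -> identifier: the sensitive half of the vault

    def _index(self, value: str) -> str:
        # Keyed hash so an existing token can be found without keeping the
        # plaintext identifier as a dictionary key.
        return hmac.new(self._pepper, value.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, value: str) -> str:
        """Return the token for `value`, minting a fresh random one if needed."""
        idx = self._index(value)
        token = self._index_to_token.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(12)   # 96 random bits, unrelated to value
            self._index_to_token[idx] = token
            self._token_to_value[token] = value
        return token

    def detokenise(self, token: str, authorised: bool) -> str:
        """Reverse a token; the caller must be authorised (simplified to a flag here)."""
        if not authorised:
            raise PermissionError("detokenisation requires an authorised role")
        return self._token_to_value[token]


def mask(value: str, keep_last: int = 4) -> str:
    """Display form: hide all but the last `keep_last` alphanumerics, keep separators."""
    alnum_total = sum(c.isalnum() for c in value)
    to_hide = max(alnum_total - keep_last, 0)
    out, seen = [], 0
    for c in value:
        if c.isalnum():
            out.append("*" if seen < to_hide else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def tokenise_record(vault: TokenVault, record: dict, fields: set) -> dict:
    """Replace the listed direct identifiers in a record; leave other fields untouched."""
    return {k: vault.tokenise(v) if k in fields else v for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault(pepper=secrets.token_bytes(32))
    record = {"nhs_number": "943 476 5919", "dob": "1970-01-01", "ward": "C4"}  # constructed
    safe = tokenise_record(vault, record, {"nhs_number"})
    print(safe)                                       # nhs_number is now tok_...
    print(mask(record["nhs_number"]))                 # *** *** 5919
    print(vault.detokenise(safe["nhs_number"], authorised=True))
```

Because the token is random rather than derived from the identifier, a copy of the tokenised dataset alone cannot be reversed even by someone who knows the hashing algorithm; the same identifier still maps to the same token within one vault, so records can be joined on it without exposing the original.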
Best-practice procedures include keeping all systems up to date, including devices and medical equipment, patching vulnerabilities, using a product stewardship framework to continually improve and innovate procedures (Lewis, 2019), and implementing secure communication technologies such as Internet Relay Chat channels (bearing in mind that IRC traffic is unencrypted unless the connection is made over TLS). Installation and regular updating of antivirus software are used successfully in most settings (Kruse et al., 2017b). It is possible to implement tools for continuous security monitoring, whereby threats are identified and reported as they happen, enabling a response to potential incidents in real time (Naghib et al., 2025; Harris, 2024; Arafa et al., 2023). Some also use radio frequency identification to control access, by storing data within tags or restricting access to tags to specific devices. When patients access their own data, digital signatures coupled with decryption protect privacy, and emerging solutions exist for safe delegated authorisation, which is important when a patient is incapacitated (Joshi et al., 2021). Furthermore, individual usernames and passwords assigned by a system administrator can be used to establish role-based access controls, which protect against internal breaches or threats. Multi-factor authentication is increasingly used to control access and is considered best practice (Subramanian et al., 2024; Arafa et al., 2023) for all administrative and privileged users, and preferably for all users (Argaw et al., 2020). To implement multi-factor authentication while minimally disturbing workflow, the use of one-time passwords, biometrics or smart cards has been suggested (Moriarty, 2021).
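One-time passwords as a second factor, as an added example that is not taken from the cited sources: a standard-library Python implementation of HOTP (RFC 4226) and time-based TOTP (RFC 6238), together with a server-side verifier that tolerates one time step of clock skew but refuses to accept a code for a time step that has already been used, so a code captured by a phishing page cannot be replayed within its validity window. The test values in the main block are the published RFC test vectors; the user name and the in-memory store of last-used steps are assumptions.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords with a replay-safe
verifier (added example, standard library only)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps receive the shared secret as (usually unpadded) base32."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side: accept codes within +/- `skew` steps of the server clock, but
    never accept a step at or below the last one already used for that user."""

    def __init__(self, step: int = 30, skew: int = 1):
        self.step, self.skew = step, skew
        self._last_step = {}   # user -> highest accepted step (persist this in production)

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit()):
            return False                      # reject before constant-time compare
        current = now // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self._last_step.get(user, -1):
                continue                      # this step already consumed: replay
            if hmac.compare_digest(hotp(secret, s), code):
                self._last_step[user] = s
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(hotp(secret, 0), totp(secret, 59), totp(secret, 1111111109))  # 755224 287082 081804
    verifier = TotpVerifier()
    code = totp(secret, 59)
    print(verifier.verify("dr_ana", secret, code, now=59))   # True
    print(verifier.verify("dr_ana", secret, code, now=59))   # False: replayed
    print(totp(secret, int(time.time())))                    # code valid right now
```

Two design points matter in a hospital setting: the comparison uses `hmac.compare_digest` so that response time does not leak how many digits matched, and the per-user “last accepted step” must live in shared, persistent storage when several authentication servers sit behind a load balancer, otherwise the replay check only holds per server.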
Physical access control (which covers physical security, workstation security, assigned security responsibility, media controls and access cards, and other physical safeguards) is a technique that controls physical access to resources to ensure that only authorised people can physically enter the appropriate parts of the premises (Kruse et al., 2017b). For example, patients only have access to those clinics or wards where they are seen, and clinical providers do not have access to the server room, i.e. their access cards do not open those doors. Finally, administrative safeguards (covering risk analysis and management, system security evaluation, selection of personnel for sensitive roles, and contingency, business continuity and disaster recovery planning) are policies, practices and procedures put in place to regularly check for vulnerabilities and continually improve security in an organisation.
IT departments should follow and implement relevant standards and ensure the use of secure network designs such as virtual local area networks (VLANs). They should regularly back up data to ensure continuity and recovery from ransomware attacks or data loss incidents, keeping at least one copy offline or otherwise immutable so that it cannot be encrypted by the same attack; organise ongoing employee security awareness training and phishing simulations; carry out routine internal audits and risk assessments; conduct privacy impact assessments and ensure transparency in data processing; and keep abreast of mature and emerging technologies (Alenoghena et al., 2022; Arafa et al., 2023), such as zero trust architecture or tools based on artificial intelligence, applying them as appropriate (Subramanian et al., 2024; Williams et al., 2020). Zero trust is increasingly used for the superior security it affords, as it denies access to applications and data by default and verifies every request regardless of where on the network it originates, as well as for its potential to prevent medical errors (Sood et al., 2024). Best practices also include network segmentation, with hospital networks separated into different zones and strict access controls between them, which helps contain potential breaches and limit the lateral movement of attackers, reducing the impact of a realised cyber attack (Arafa et al., 2023).
Artificial intelligence has been viewed as a major threat (Mohsin Khan et al., 2025), as illustrated by the chatbot WotNot data breach (Cluley, 2024), but also as a major potential contributor to making health information systems more secure (Messinis et al., 2024; Shankar et al., 2024; Ali et al., 2025; Seh et al., 2021). One approach has been user and entity behaviour analytics (Shashanka et al., 2016), which offers automated detection of anomalous behaviour utilising machine learning. Other cybersecurity technologies, all with their advantages and disadvantages, include blockchain, authentication schemes, federated learning, differential privacy and homomorphic encryption (Messinis et al., 2024).
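A minimal form of user and entity behaviour analytics, as an added example rather than an implementation from the cited work: each user’s daily count of distinct patient records accessed is compared with that user’s own other days using a robust z-score (median and median absolute deviation, which a single bad day cannot skew the way a mean and standard deviation can), and after-hours activity is reported alongside so the analyst sees both signals in one alert. The audit-log format, the working-hours window, the users, patient IDs and the alert threshold are all constructed for the example.

```python
"""Behaviour analytics over EHR access audit logs (added example).

For each user-day, the number of distinct patient records touched is compared
with that user's other days using a robust z-score; after-hours events are
counted alongside so one alert carries both signals.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit log: four ordinary days for dr_ana and two for clerk_bo,
# then a night on which dr_ana reads nine records she has never touched before.
SAMPLE_LOG = [
    "2025-03-03T09:14:05Z user=dr_ana patient=P101 action=read",
    "2025-03-03T09:20:11Z user=dr_ana patient=P102 action=read",
    "2025-03-03T10:02:40Z user=dr_ana patient=P103 action=write",
    "2025-03-04T08:55:02Z user=dr_ana patient=P101 action=read",
    "2025-03-04T11:30:19Z user=dr_ana patient=P104 action=read",
    "2025-03-05T09:05:33Z user=dr_ana patient=P102 action=read",
    "2025-03-05T09:40:10Z user=dr_ana patient=P105 action=read",
    "2025-03-05T13:12:47Z user=dr_ana patient=P103 action=read",
    "2025-03-06T08:30:00Z user=dr_ana patient=P101 action=read",
    "2025-03-06T10:15:27Z user=dr_ana patient=P106 action=write",
    "2025-03-06T16:48:51Z user=dr_ana patient=P104 action=read",
    "2025-03-03T09:00:00Z user=clerk_bo patient=P101 action=read",
    "2025-03-03T09:05:00Z user=clerk_bo patient=P102 action=read",
    "2025-03-04T09:00:00Z user=clerk_bo patient=P103 action=read",
    "2025-03-04T09:05:00Z user=clerk_bo patient=P104 action=read",
    "this line is malformed and must be skipped, not crash the detector",
] + [  # nine distinct records read between 23:05 and 23:45 on 7 March
    f"2025-03-07T23:{m:02d}:00Z user=dr_ana patient=P{300 + m} action=read"
    for m in range(5, 50, 5)
]

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


def parse(lines):
    """Parse log lines into (timestamp, user, patient, action); skip malformed ones."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["patient"], m["action"]))
    return events


def daily_profiles(events, work_hours=(7, 19)):
    """Per (user, day): distinct patients touched and number of after-hours events."""
    patients = defaultdict(set)
    after_hours = defaultdict(int)
    for ts, user, patient, _ in events:
        key = (user, ts.date())
        patients[key].add(patient)
        if not work_hours[0] <= ts.hour < work_hours[1]:
            after_hours[key] += 1
    return {k: {"distinct_patients": len(v), "after_hours": after_hours[k]}
            for k, v in patients.items()}


def robust_z(value, history):
    """Deviation from the median in units of scaled MAD (1.4826 * MAD ~ one sigma)."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = 1.4826 * mad if mad > 0 else 1.0   # flat baseline: score the raw deviation
    return (value - med) / scale


def detect(events, min_history=3, threshold=3.0):
    """Alert on any user-day at least `threshold` robust sigmas above that user's
    other days; users with fewer than `min_history` other days are not scored."""
    by_user = defaultdict(dict)
    for (user, day), profile in daily_profiles(events).items():
        by_user[user][day] = profile
    alerts = []
    for user, days in by_user.items():
        for day, profile in sorted(days.items()):
            history = [p["distinct_patients"] for d, p in days.items() if d != day]
            if len(history) < min_history:
                continue
            z = robust_z(profile["distinct_patients"], history)
            if z >= threshold:
                alerts.append({"user": user, "day": day.isoformat(),
                               "distinct_patients": profile["distinct_patients"],
                               "after_hours": profile["after_hours"], "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this yields a single alert, for dr_ana on 7 March (nine distinct records, all after hours, six robust sigmas above her baseline of about three), while the clerk, who has too little history to score, is not flagged. A production deployment would add the obvious second signal, access to patients outside the user’s care team, which the access-control layer already records.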
In the age of Internet-of-medical-things, bring-your-own-device, increasingly remote physicians’ work and patient-collected data through monitoring and other devices, managing endpoint security has become the factor that most contributes to an organisation’s overall cybersecurity (Clarke and Martin, 2024). The IT staff must ensure regular updates and patches for the devices that connect to health care networks, as well as the application of endpoint detection and response technologies, from diversified vendors if possible (Hira, 2025). As new devices are added, IT staff should ensure integration with current systems and cybersecurity plans; related protocols should be easily accessible to staff responsible for procurement of the devices, so they can determine whether prospective vendors will meet the requirements (Clarke and Martin, 2024).
Information sharing and collaboration with industry peers, government agencies and cybersecurity organisations enhance the collective ability to defend against cyber threats (Arafa et al., 2023).
Providers of clinical care
Ensuring system security and data privacy is a shared responsibility, which includes clinical end-users of IT technology (Clarke and Martin, 2024). Security measures can be disruptive to clinical workflows, therefore balancing risks and functionality is a key challenge. Clinicians should participate in making decisions about cybersecurity solutions, which must be user-centric. Security breaches can compromise the quality of care, therefore clinicians should treat protection of patient data as an integral part of providing high-quality care (Pool et al., 2024).
Regular training of all clinical staff has often been emphasised as one of the most important security measures to implement (Ewoh and Vartiainen, 2024; Kruse et al., 2017a; Clarke and Martin, 2024). Such programs cover topics such as strong password management, recognising phishing attempts, secure data handling and device security (Clarke and Martin, 2024). An employee falling for a phishing scam has been among the most common ways in which threats are realised (Yeo and Banfield, 2022). Recommended practices include requiring users to change personal passwords frequently and to avoid passwords containing names or dates meaningful to the individual (Kruse et al., 2017b); note, however, that more recent guidance such as NIST Special Publication 800-63B advises against forced periodic password changes unless compromise is suspected, favouring long passwords screened against lists of known-breached passwords together with multi-factor authentication. Users should also log out of the system after each use and never share accounts, since audit trails can only attribute actions to individuals if each person uses their own credentials.
Physicians and other clinical staff must strictly adhere to data access protocols, ensuring that only authorised people have access to patient data (Pool et al., 2024). Full compliance with security policies and conscientious attendance of regular training are vital for mitigating cyber threats. Active engagement in cybersecurity awareness programs helps staff stay up to date on protection measures and best practices. Any witnessed privacy violation, suspicious security activity, or behaviour that does not comply with the organisation’s security policies should be promptly reported to IT staff. A curious look into the record of a patient for whom the clinician has not provided care constitutes a data breach; about half of all data breaches are internal (Coventry and Branley, 2018). In addition to following the best practices outlined above, providers of clinical care can also be leaders in their professional societies and communities, supporting calls for legislative and other actions to improve cyber protection (Rizzoli, 2021).
Conclusions
Health care cybersecurity is a shared responsibility. We have outlined the expected roles of key stakeholders, from governments and lawmakers to health care managers, IT experts and clinical providers. Awareness and acceptance of own responsibilities, diligent following of the best practices, as well as awareness of other stakeholders’ actions towards the shared goal of a secure system is of key importance. With ‘advanced persistent threats’ ubiquitous, prevention of cyber threats has become synonymous with mitigating the consequences of realised attacks, while internal breaches remain the target of ethical, legal and technical safeguards.
Above all, health care must step up investments in cybersecurity as well as sharing of information and international cooperation. Each organisation must develop and implement a strong cybersecurity strategy, considering its vulnerabilities, capacity for resilience and readiness. Even organisations with limited resources can and should implement well-equipped, dedicated cyber incident response teams (DeVoe and Rahman, 2015). State-of-the-art approaches include building capacity for resisting phishing attempts throughout the organisation, as well as using the principle of least privilege for user and administrative access, traffic monitoring tools and endpoint detection and response technologies, along with timely security patching. Zero trust architecture is gaining in relevance and use (Kindervag, 2010; Bradley, 2023; NSA, 2024). Best approaches to balancing cybersecurity with minimal disruption to workflows include user-centric solutions that utilise multi-factor authentication combined with one-time passwords, biometrics, or smart cards. With growing requirements for secondary use and data sharing, novel approaches will be needed to keep the data safe (Riou et al., 2025).
Due to the wide scope and limited space, in this review we could not delve deeper into individual approaches and technologies, especially emerging ones. Some principles are only briefly mentioned, such as the use of a product stewardship framework (3M, 2025), so readers are encouraged to explore further. In addition, a large proportion of our search results (102/720) were articles addressing blockchain. While the recent proliferation of the literature on this technology is a clear testament to an upsurge in interest and optimism (Alshar’e et al., 2024), at times seemingly presenting it as a silver bullet, future work is needed to critically explore the advantages and drawbacks of blockchain as well as its utility in health care cybersecurity, beyond ensuring nonrepudiation. Another limitation of our review is that we have not included other stakeholders that have roles to play in contributing to cybersecurity in health care, such as organisational legal and human resources departments, insurers, media, patients, visitors and the public.
Competing interests: We have reviewed the journal’s policy and have no competing interests to declare.
The supplementary material for this article can be found online.
