Navigating the crossroads of cybersecurity policy: Expert guidance for healthcare leaders

As the threat environment intensifies, healthcare leaders must implement robust cybersecurity strategies tailored to the pace of modern healthcare.

With the expiration of the Cybersecurity Information Sharing Act of 2015 (CISA 2015), healthcare delivery organizations (HDOs) now face new uncertainty in an already volatile threat landscape. For a decade, this law let hospitals share cyber threat indicators and defensive measures with the federal government, and with one another, under explicit liability protection, without the fear that the act of sharing would itself create HIPAA or other legal exposure.

Now the question isn't whether HDOs will be targeted, but how ready they will be when it happens. To navigate this uncertainty, organizations must chart a strategic path that bolsters cyber resilience, streamlines operations, and adapts to shifting policy terrain.

Resource-strained cybersecurity for healthcare

Healthcare organizations are fighting sophisticated, well-funded adversaries with some of the leanest cybersecurity budgets in critical infrastructure. They also face the difficult balance of strengthening cybersecurity while supporting efficient, clinician-friendly workflows. Most hospitals operate on 1-2% margins, with many rural and community hospitals running at even smaller or negative margins. Every dollar spent on cybersecurity competes with frontline needs like staffing nurses or purchasing equipment.

These financial constraints translate directly into understaffed and overextended security teams. Only 14% of organizations report that their security teams are fully staffed, and over half (57%) admit they lack sufficient resources to meet basic cybersecurity requirements. This leaves many defending from a position of weakness: limited capacity for proactive threat monitoring, delayed patching, and inconsistent oversight of third-party risk.

Meanwhile, the complexity of digital transformation amplifies the challenge. Electronic health records, connected medical devices, and cloud-based systems expand the attack surface, but small and mid-sized providers often lack the personnel and tools to secure them. Third-party breaches have surged, as nearly half (47%) of organizations experienced a vendor-related breach last year, and most lack visibility into those dependencies.

Clinician burnout compounds the issue. With 65% of nurses reporting high stress and nearly 40% saying they wouldn't choose the profession again, security controls cannot add friction. Yet if controls are too lax, or so obstructive that clinicians work around them, the risk of medical-record errors, patient-record overlays, treatment delays, or system outages climbs. Because effective cybersecurity is a patient-safety issue, healthcare leaders must take a strategic approach: build effective, HIPAA-compliant cybersecurity programs that protect patients without slowing clinicians or straining already limited resources.

Policy shifts, uncertainty, and the urgency of alignment

The expiration of CISA 2015 has introduced a new layer of uncertainty. For nearly a decade, the law provided liability protection for hospitals sharing cyber-threat intelligence with the federal government. Without it, collaboration feels riskier, just as attacks are accelerating and supply chains are growing more complex. The 2024 ransomware attack on Change Healthcare served as a stark wake-up call, exposing how a single vendor outage can cascade across billing, prescriptions, and patient care nationwide. As healthcare faces structural headwinds with fewer resources, the need for alignment across the industry in defending against threats and sharing knowledge of potential risks grows every day.

To fill this gap, the Health Sector Coordinating Council (HSCC), an industry-led, public-private partnership with the Department of Health and Human Services, has stepped forward as a unifying force. In response to expanding digital footprints, limited budgets, and workforce shortages, HSCC developed the SMART (Sector Mapping and Risk Toolkit) framework to help organizations map dependencies, assess third-party risk, and plan for continuity by estimating the impact of a disruption. The toolkit helps HDOs of all sizes chart vulnerabilities, quantify risk, and plan redundancies. By enabling transparency and collaboration, SMART turns fragmented risk awareness into coordinated resilience, and it underscores that healthcare cybersecurity is an organizational imperative spanning policy, operations, supply chains, and digital identity management.

The role of identity, access, and zero-trust

In this evolving environment, healthcare organizations should anchor their strategy around three intertwined pillars: strong identity and access management (IAM); zero-trust architecture; and collaborative intelligence-sharing (even amid legal ambiguity).

1. Strengthen identity and access management (IAM):

These moves make it easier for organizations to meet compliance and reduce security friction.

2. Adopt zero-trust best practices:

As traditional perimeters disappear, identity is now the core of cybersecurity. By applying the zero-trust principle of "never trust, always verify," healthcare organizations can segment access, enforce least privilege, and continuously validate identity and session context across users and devices rather than trusting a session once at login. With AI-driven Identity Threat Detection and Response (ITDR), organizations can spot unusual logins or privilege changes in real time, turning identity data into actionable risk intelligence. In healthcare, where shared mobile devices and workstations are common, sessions tied to verified individual identities (rather than shared or generic logins) reduce credential risk without slowing clinicians down. Imprivata research shows that 51% of healthcare leaders see shared mobile device use accelerating patient care; that benefit holds up best when shared-device access is integrated into a unified IAM strategy and zero-trust framework.
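To make the ITDR idea concrete, here is an added example (not Imprivata's product logic or any code from this page) that runs simple identity-threat rules over a constructed stream of authentication and role-change events. It uses per-user baselines (known devices, usual login hours, normally held roles) instead of a trained model, and it flags four of the signals the paragraph mentions: a login from a device the user has never used, an off-hours login, a grant of a privileged role the identity does not normally hold, and the same credential appearing at two different sites within a short window, which on shared workstations usually means a shared or stolen login rather than one clinician roaming between devices. The user names, device IDs, sites, roles, rule weights and step-up threshold are all made up for illustration.

```python
"""Rule-based identity threat detection over constructed auth events.

Added example: baselines, events, rule weights and the step-up threshold
are all hypothetical values chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-identity baseline: devices previously used, usual login
# hours as a half-open [start, end) window, and roles normally held.
BASELINE = {
    "nurse.ali":  {"devices": {"WS-ICU-01", "WS-ICU-02", "MOB-117"}, "hours": (6, 20), "roles": {"clinician"}},
    "dr.chen":    {"devices": {"WS-ED-04", "MOB-042"},               "hours": (7, 23), "roles": {"clinician"}},
    "svc.backup": {"devices": {"SRV-BK-01"},                         "hours": (0, 24), "roles": {"backup-operator"}},
}

PRIVILEGED_ROLES = {"ehr-admin", "domain-admin"}
CONCURRENT_WINDOW = timedelta(minutes=10)   # two sites within this window is suspicious
RULE_WEIGHTS = {
    "new_device": 3, "off_hours": 2, "privilege_grant": 6,
    "concurrent_sites": 4, "unknown_identity": 5,
}

# Constructed event stream for one shift (ISO-8601 timestamps, local time).
EVENTS = [
    {"ts": "2025-10-14T02:41:00", "user": "dr.chen",    "type": "login",      "device": "LAPTOP-UNKN", "site": "remote-vpn"},
    {"ts": "2025-10-14T07:02:00", "user": "nurse.ali",  "type": "login",      "device": "WS-ICU-01",   "site": "icu"},
    {"ts": "2025-10-14T07:05:00", "user": "nurse.ali",  "type": "login",      "device": "WS-ICU-02",   "site": "icu"},  # roaming between shared workstations: benign
    {"ts": "2025-10-14T07:06:00", "user": "nurse.ali",  "type": "login",      "device": "MOB-117",     "site": "remote-vpn"},  # same credential, different site, 4 min later
    {"ts": "2025-10-14T07:10:00", "user": "dr.chen",    "type": "login",      "device": "WS-ED-04",    "site": "ed"},
    {"ts": "2025-10-14T09:30:00", "user": "svc.backup", "type": "role_grant", "role": "domain-admin"},
    {"ts": "2025-10-14T09:31:00", "user": "svc.backup", "type": "login",      "device": "SRV-BK-01",   "site": "datacenter"},
]


def _alert(ev, rule):
    return {"user": ev["user"], "ts": ev["ts"], "rule": rule, "weight": RULE_WEIGHTS[rule]}


def detect(events, baseline=BASELINE):
    """Return alerts in event order; each alert names the rule that fired."""
    alerts = []
    recent_logins = defaultdict(list)  # user -> [(datetime, site)] seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        profile = baseline.get(user)
        if profile is None:
            alerts.append(_alert(ev, "unknown_identity"))  # no baseline at all
            continue
        if ev["type"] == "login":
            if ev["device"] not in profile["devices"]:
                alerts.append(_alert(ev, "new_device"))
            start, end = profile["hours"]
            if not start <= ts.hour < end:
                alerts.append(_alert(ev, "off_hours"))
            # Same identity active at another site inside the window: a single
            # person cannot be at the bedside and on the VPN four minutes apart.
            for prev_ts, prev_site in recent_logins[user]:
                if prev_site != ev["site"] and ts - prev_ts <= CONCURRENT_WINDOW:
                    alerts.append(_alert(ev, "concurrent_sites"))
                    break
            recent_logins[user].append((ts, ev["site"]))
        elif ev["type"] == "role_grant":
            if ev["role"] in PRIVILEGED_ROLES and ev["role"] not in profile["roles"]:
                alerts.append(_alert(ev, "privilege_grant"))
    return alerts


def risk_by_user(alerts):
    """Accumulate rule weights per identity."""
    scores = defaultdict(int)
    for a in alerts:
        scores[a["user"]] += a["weight"]
    return dict(scores)


def users_to_step_up(alerts, threshold=5):
    """Identities whose score warrants step-up authentication or session revocation."""
    return sorted(u for u, s in risk_by_user(alerts).items() if s >= threshold)


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["user"]:<11} {a["rule"]:<17} weight={a["weight"]}')
    print("step-up or revoke:", users_to_step_up(found))
```

The point of the weights and threshold is the response side of ITDR: a single off-hours login is noise in a hospital, but off-hours plus an unseen device (dr.chen) or an unexpected domain-admin grant to a service account (svc.backup) crosses the line into forcing re-authentication or killing the session, while nurse.ali's tap-in between two ICU workstations is left alone and only the remote-VPN use of the same credential is flagged.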

3. Foster collaboration and risk-mapping:

Collaboration is essential for resilience. The HSCC’s SMART Toolkit helps healthcare organizations map dependencies, identify vendor chokepoints, and plan for continuity. At the same time, maintaining strong information-sharing practices through ISACs, ISAOs, and internal intelligence programs ensures faster detection and coordinated response. Pairing this collaboration with robust IAM strategies, including identity-based monitoring, strengthens visibility, minimizes blind spots, and reinforces trust across the healthcare ecosystem.

How to get started today

As cyber threats intensify and liability protections disappear, healthcare leaders stand at a critical crossroads. Protecting patients, data, and trust is essential for the future, and the organizations that act now will define the next era of healthcare resilience. Start today by identifying one area of weakness, whether shared mobile device access, EHR access, or third-party risk, and commit to a measurable improvement in identity-driven security there.

Learn how to advance secure access at your organization by downloading our whitepaper: The journey to passwordless for healthcare.