Understanding the shift from compliance to continuity in healthcare

AI, ransomware, and digital complexity are forcing healthcare to rethink cybersecurity beyond compliance alone.
Sponsored
By admin
May 7, 2026, 6:43 AM

This is the first in a three-part series sponsored by Zscaler and focused on the evolving role of cybersecurity in healthcare. The series explores the industry’s shift from compliance-driven security toward operational resilience, examines why growing cyber investments do not always translate into effective protection, and outlines how healthcare organizations can define and build a “minimum viable hospital” capable of sustaining safe patient care during disruption.

It was just about a decade ago when the vast majority of healthcare delivery organizations made the transition from paper records to electronic health records (EHRs) under Meaningful Use. With these new technologies, healthcare quickly became a leading target for cyberattacks given their vast troves of patient data.

The primary concern for healthcare network defenders at the time was to keep attackers out by hardening defenses and the network perimeter, often focusing on compliance with federal and state regulation, especially the Health Insurance Portability and Accountability Act (HIPAA).

But as the healthcare sector rapidly adopted patient monitoring tools, telehealth, and other technology amid the global pandemic, compliance and protecting patient data were no longer the primary concern. Patient safety and network resilience became the primary goals, as attackers gained access to networks and shut down systems in hopes of a ransom payment.

In the age of AI and other digital innovations, cybersecurity is no longer about passing audits or preventing data breaches. The massive tech disruptions in recent years have demonstrated the need to not only focus on foundational controls and regulatory requirements but to keep the lights on in the event of the inevitable bad day.

Setting the stage

Over 750 healthcare delivery organizations reported falling victim to ransomware in 2019 alone, which became a preview of the cyberattacks faced by providers over the next two years. The second half of 2020 saw a resurgence of cyberattacks, with nation-state actors preying on the healthcare sector in record numbers, and by 2021, threat actors targeted healthcare and its supply chain in force, leading to some of the largest outages ever to face the healthcare sector.

By May 2021, the rate of ransomware attacks seen across the globe increased by 102 percent, according to research data. And with the increase in successful attacks came a rise in the length of the resulting downtime: from about 15 days in previous years to at least four weeks. The scope of attacks seen in 2021 had a chilling effect on just how bad these outages could be for healthcare and the patients they serve.

The 2021 cyberattack on Scripps Health was the first of many cyberattacks that year to provide real-world evidence of patient impacts, not only on the victim organization but on area hospitals as well.

The ransomware attack caused more than four weeks of EHR downtime procedures and the theft of some patient data, and resulted in $112.7 million in estimated revenue losses and incremental expenses. The Aug. 10 financial report put estimated lost revenues at $91.6 million and incremental costs at an estimated $21.1 million, both tied to addressing the incident and recovery. A later study published in JAMA highlighted the patient impacts at nearby hospitals: increased wait times due to unexpected patient volumes.

Around the same period, Ireland's Health Service Executive was also hit by a ransomware attack and forced into downtime for nearly six months, causing delayed surgeries and patient appointments and longer wait times across the country. In subsequent years, other attacks would show similar outages and service disruptions, including SolarWinds, Colonial Pipeline, and Kroll Payroll Services.

The most memorable in recent years is the cyberattack on Change Healthcare, which has changed the way cyber-induced downtimes are discussed across the country. During that 2024 cyberattack and downtime, patients struggled to access prescriptions, health systems could not bill for services rendered, some small providers were unable to pay employees, and other widespread impacts were felt across the country.

The Change Healthcare incident confirmed that even the largest, best-resourced organizations are not immune to cyberattacks, and that compliance-based cybersecurity can no longer be the standard. As confirmed by the recent Digital Health Most Wired survey, cybersecurity is now tied to patient safety and operational continuity. The best-positioned care delivery organizations are now focusing on the adoption rate of these critical controls to bolster resilience.

Why it matters

Awareness of the need for better cybersecurity in healthcare is at an all-time high, with many industry stakeholder groups calling for additional support beyond HIPAA and/or from other sources. HIPAA compliance focuses on only about 42 controls, for example, while the NIST frameworks used in most other industries contain hundreds of controls that are routinely reviewed and updated.

There’s a consensus that HIPAA alone is not enough for the current state of tactics and technology, particularly as the scope of technology, remote patient monitoring, and AI have expanded the attack surface while reducing visibility.

For example, healthcare security programs have historically been built on the three pillars of people, process, and technology. The Most Wired survey confirmed that healthcare has achieved remarkable consensus on foundational controls, which created a security baseline unheard of 10 years ago. Multi-factor authentication (MFA) is healthcare's first universally implemented security control, reaching 100% adoption, according to the report. Privileged access management and data encryption are reaching similar maturity, with encryption at rest (98.5%) and in motion (98.9%) now nearly universal.

But with AI adoption and related tools, the path forward is much more complex. The evolution of technology requires organizations to adapt in order to better understand the blind spots and complications tied to advanced technology. The DHMW report confirms that true resilience remains uneven: high adoption rates conceal a 21.5% integration gap (tools that are in place but disconnected, limiting the visibility and coordination needed to contain threats). The report also found a 15.8% adoption gap, representing security controls still missing across the surveyed providers.

What comes next

The good news is that healthcare has already done the hard work of building the foundation. The 84.2% control adoption rate represents years of disciplined investment. That foundation is real, and it matters. But it is not the finish line. The organizations that will weather the next Change Healthcare type of cyber incident — and there will be a next one — are shifting their focus right now from what they have deployed to how it all works together under stress.

Closing the integration gap, mapping where sensitive data actually flows, and testing recovery, not as an annual checkbox but as a clinical-grade discipline, are the defining characteristics separating organizations that survive incidents from those that are defined by them.

The mandate from the 2025 Digital Health Most Wired survey is clear: The industry has earned the right to stop talking about compliance and start proving resilience. Not in the next planning cycle. Now.

A breach is inevitable. Sustained survival is not.


About Zscaler

Zscaler, a leader in cloud security, helps healthcare organizations protect patient data and critical systems with its Zero Trust platform. As the healthcare landscape becomes increasingly digital, Zscaler understands the importance of robust cybersecurity measures in ensuring secure and compliant operations.

