Strengthening Healthcare Cybersecurity in 2021: Zero Trust, MFA, and Proactive Ransomware Defense

Strengthening Healthcare Cybersecurity in 2021: Zero Trust, MFA, and Proactive Ransomware Defense

Alphaanalytics

A shifting battleground in 2021 placed health care squarely in the crosshairs of cybercriminals, with breaches and ransomware campaigns becoming the dominant strategy for attackers. The sector’s perceived softness as a target, combined with the high willingness to pay ransoms and the inherent value of personal health information, created a perfect storm. In this landscape, malicious actors increasingly emphasized “big-game hunting” tactics, aiming to extract millions of PHI records in single, well-timed strikes. The economics of crime also favored ransomware operations through clear financial incentives, including affiliate programs that split payouts in favor of the attackers, making health care a magnet for recruitment and scale. This section unpacks the breadth and depth of the threat, the economic incentives driving it, and the observable patterns that defined 2021 for health care cybersecurity.

The Landscape of Healthcare Cybercrime in 2021

The year saw a pronounced shift toward high-impact breaches and ransomware campaigns as the preferred weaponry of cybercriminal groups targeting health care providers. The sector’s appeal as a soft target was underscored by the relatively high willingness to pay ransoms, a factor amplified by the lucrative opportunity to monetize stolen Personal Health Information (PHI) on illicit markets. Ransomware’s profitability surged, with average payouts rising sharply from roughly $15,000 two years earlier to around $250,000 in the 12-month window discussed by researchers. That average is heavily influenced by a handful of extreme multi-million-dollar settlements tied to notable incidents at large organizations; nonetheless, it signals an overall escalation in the financial impact of these attacks. The economics of the crime ecosystem further incentivized attackers to recruit through affiliate models, in which affiliated ransomware operators receive a substantial 80% of the ransom while the sponsoring gang garners the remaining 20%. This distribution created a compelling reason for criminal networks to recruit aggressively within the health care sector, whose vulnerabilities became a key selling point across affiliate recruitment programs.

Health care faced a sustained siege in 2021, with 67% of health care-delivery organizations reporting at least one ransomware incident and fully a third experiencing repeated intrusions—two or more breaches in some cases. This rate of recurrence highlighted a disturbing persistence of vulnerability across the sector and suggested persistent gaps in prevention, detection, and response capabilities. These figures emerged from a Ponemon Research Report, which examined the impact of ransomware on health care during COVID-19 and beyond. The data underscored not only the pervasiveness of cyber threats but also the range of consequences—from service disruption to elevated patient risk and financial strain—that ransomware could impose on organizations already navigating pandemic-related pressures.

The mechanics of intrusions were familiar to defenders: attackers typically exploited endpoint weaknesses or leveraged phishing to harvest privileged access credentials, enabling them to traverse networks and exfiltrate data. A briefing from the U.S. Health and Human Services (HHS) Cybersecurity Program earlier in the year reinforced that health care remains the most targeted sector for data breaches. The HHS Breach Portal, which tracks health care-related breaches and ransomware attempts, documented 472 health care breaches affecting 35.3 million patients from January through October of the year. The most consequential breaches—nine in total—impacted about 17 million patients, illustrating how attackers favor mega-breaches that maximize PHI exposure in a single event. The data also revealed an attack pattern: roughly one in three breaches originated with email-based phishing, while 52% stemmed from network-edge vulnerabilities that attackers exploited to gain footholds and move laterally across systems.

Idc’s annual review of ransomware payments provided a sobering context for risk planning, noting the average payment over the prior year stood at $250,000. Although this figure was inflated by several outsized incidents, it reflected a broader trajectory of rising costs and larger settlements. In the larger picture of threat activity, the health care sector’s attractiveness was underscored by the combination of high-value PHI and the criticality of health services, which, in many cases, left organizations with limited choice but to prioritize rapid containment and continuity of care when responding to an incident. The confluence of substantial payouts, big-game hunting patterns, and the ease of monetizing data on the dark web created a reinforcing cycle that kept health care in attackers’ sights throughout 2021.

The HHS analysis and related industry observations highlighted a growing trend toward “mega attacks” that deliver millions of PHI records in a single incident. This shift intensified the importance of incident response planning, data protection strategies, and rapid containment measures, as well as the necessity for robust identity and access management, endpoint security, and threat intelligence sharing. As health care organizations faced these pressures, cybersecurity leadership—CISOs, CIOs, and board members—grappled with how to translate defensive upgrades into sustainable risk reduction while maintaining patient care standards. In addition to the direct costs of breaches, organizations faced reputational risk, regulatory scrutiny, and potential downstream consequences for partner networks, supply chains, and patient trust.

A stark picture emerged from data on breach sources and initial access vectors. Approximately one-third of breaches began with email-based phishing campaigns, signaling that social engineering remains a potent attack vector alongside technical exploits. About half of the incidents, 52%, were tied to exploits targeting network-edge vulnerabilities—suggesting that perimeter defenses and network-layer protections were insufficient on their own to prevent intrusions and that attackers could effectively bypass or overwhelm these defenses in many cases. The convergence of these attack modes—phishing, endpoint compromise, and edge vulnerabilities—emphasized the need for layered security architectures that extend beyond traditional perimeter-centric approaches and prioritize identity, device health, and continuous trust assessment.

Looking ahead from 2021, health care CISOs and CIOs observed a notable shift in cyber defense thinking. The HHS and other industry sources reported a rising emphasis on zero-trust principles and security architectures that assume breach while continuously validating every access attempt. In practical terms, this translated into stronger investments in segmentation, continuous monitoring, and automated response capabilities—efforts designed to limit attacker movement within networks and to shorten dwell time. The countervailing pressure of mounting breaches also drove organizations to rethink incident response planning, data backup strategies, and the resilience of critical clinical operations in the face of sophisticated attacks. As the sector absorbed lessons from 2021, it began to reframe cybersecurity not merely as a defensive control set but as an ongoing organizational discipline integrated into governance, risk management, and strategic planning.

The Cybersecurity Focus for 2022 and the Zero-Trust Imperative

Driven by the lessons of 2021 and a growing recognition of systemic risk, health care boards increased cybersecurity spending in 2022, with projected increases typically forecast at 15% and some executives anticipating up to a 35% rise. This commitment reflected a broader understanding that preventive investments could reduce the likelihood and impact of costly breaches, while also enabling safer adoption of remote work, cloud services, and digital health initiatives that expanded access to care. In this budgeting environment, CISOs and CIOs prioritized several strategic initiatives designed to harden defenses and improve resilience against ransomware and data breaches.

A central strategic initiative underpinning these efforts is zero-trust network access (ZTNA). The premise of zero trust—removing implicit trust from network design and requiring continuous verification of identities and devices—was increasingly viewed as essential to safeguarding sensitive PHI and ensuring regulatory compliance. In parallel, unified endpoint management (UEM) and comprehensive security training were identified as critical components of a broader approach to reduce phishing susceptibility, monitor device health, and apply consistent security policies across disparate endpoints and environments. The strategic value of zero trust was reinforced by survey data showing strong momentum toward adoption: a significant majority of organizations anticipated implementing zero-trust measures within a year, and a large portion regarded zero trust as strategically necessary for business continuity and protection of patient data. Specifically, a large percentage of respondents—roughly eight in ten—expected to deploy zero-trust solutions within the next 12 months, while a substantial majority—about eight in ten—agreed that zero trust was vital to the enterprise’s long-term security posture.

How to Improve Healthcare Cybersecurity: Practical Frameworks and Recommendations

A central challenge for health care cybersecurity in the post-pandemic era has been the rapid proliferation of remote endpoints that connect to on-premises networks. The pandemic accelerated digital transformation and expanded the attack surface, as organizations deployed new devices, applications, and access paths with varying degrees of security rigor. This expansion underscored the risk associated with endpoints that are insufficiently secured or poorly managed, as well as those that become niches of misconfiguration or software bloat. Endpoints now represent critical points of failure and potential breach entry for cyber adversaries, and defenders must adopt comprehensive strategies that cover device health, identity, and access in a cohesive, scalable manner.

A revealing finding from endpoint risk research showed that typical endpoint devices host a surprising number of software clients. On average, an endpoint was found to run 11.7 different clients, a statistic that underscores the complexity and potential for software conflicts, misconfigurations, and vulnerabilities. When endpoints host many applications, the chances of software incompatibilities, insecure configurations, and unpatched components increase, creating pathways for attackers to exploit weaknesses. This reality helps explain why health care CISOs highlighted the importance of ongoing endpoint risk management and the exploration of innovative, self-healing endpoint technologies that can automatically correct misconfigurations and restore secure states after changes.

Health care leaders noted that the most dangerous endpoints are not always the least secure devices but rather those that are overconfigured with conflicting software stacks or those that fail to self-heal after changes or updates. In response to these concerns, there was growing interest in self-healing endpoints—an approach that combines automated troubleshooting, real-time health monitoring, and adaptive security controls to restore and maintain secure configurations with minimal human intervention. The idea is to reduce dwell time for attackers by ensuring endpoints can quickly recover from compromise and stay aligned with security baselines. As the pandemic pushed the expansion of remote work and telehealth, organizations considered pilots of self-healing endpoint capabilities in 2022 to determine their effectiveness, scalability, and return on investment.

Practical pathways to stronger endpoint and network security

To translate strategic intent into concrete improvements, several practical pathways were identified by CISOs and other security leaders:

  • Start by defining a scalable ZTNA framework that aligns with the organization’s operating model and regulatory obligations, with particular attention to HIPAA requirements. The critical nuance here is that simply purchasing a “HIPAA-compliant” bundle does not guarantee scalable, auditable protection. Data transparency about audits, the ability to automate end-to-end audit workflows, and the flexibility to adapt to evolving regulatory guidance are decisive factors. An effective ZTNA deployment must include comprehensive device and compliance auditing at the endpoint level, ensuring that patient data integrity can be validated through self-healing security technologies that restore or preserve secure states even during ongoing operations.

  • IAM must scale beyond a single facility to cover the entire supply chain and multiple treatment centers. The backbone of a successful ZTNA program is robust IAM, capable of rapidly provisioning and deprovisioning identities for both human users and machines. Standalone IAM solutions can be cost-prohibitive, so health care organizations should seek platforms where IAM is a core, integrated component rather than a bolt-on. Leading cybersecurity providers cited in industry discussions include a range of established players that offer integrated IAM, ZTNA, micro-segmentation, and secure access features. In particular, platforms that combine these capabilities with advanced analytics, machine learning, and threat intelligence can deliver more effective, scalable protection for complex health care networks.

  • Implement multi-factor authentication (MFA) across all accounts—patients, physicians, staff, suppliers, and providers. MFA remains one of the most effective barriers against credential theft and phishing-driven breaches, and its universal adoption across the spectrum of users and partners significantly compounds the cost and difficulty of attacker success. The goal is to elevate the security baseline so that even if credentials are compromised, unauthorized access remains highly unlikely.

  • Create incentives and allocate time for cybersecurity training. Beyond providing access to courses, leadership should design programs that actively engage employees and ensure practical understanding of how to identify phishing and social engineering attempts. Platforms with expansive catalogs of cybersecurity training materials can support ongoing education, but training alone cannot fully prevent breaches. A mature program combines training with technical controls such as RBI to reduce the risk associated with phishing links and credential theft. RBI helps by presenting potential phishing or malicious sites in read-only mode, preventing data entry and reducing the likelihood that attackers succeed when users click malicious links or open compromised sites.

  • Recognize the growing importance of mergers and acquisitions (M&A) in health care and ensure that cybersecurity planning is embedded from the outset of any transition. In the rush to consolidate organizations, security considerations are sometimes treated as a late-stage afterthought, creating integration gaps that insiders could exploit. A robust M&A strategy treats cybersecurity as a core component of deal structures, allocating budget for security integration, training, and ongoing maintenance as part of the transaction itself. This approach minimizes the risk of inheriting incompatible security architectures and reduces the likelihood of insider threats originating from cultural or operational misalignments during integrations.

  • The broader landscape calls for a layered strategy that extends beyond technology alone. While technologies like RBI, IAM, and ZTNA form the foundation, organizations must also invest in data loss prevention, segmentation, robust backup strategies, and well-rehearsed incident response plans. Regular tabletop exercises that simulate ransomware scenarios can reveal gaps in processes and enable teams to practice coordinated responses before real incidents occur. The ultimate objective is to reduce dwell time, limit attacker movement, and restore normal operations with minimal disruption to patient care.

The role of training, culture, and leadership

Leaders in health care cybersecurity emphasized that technology alone cannot deter determined attackers. A strong security culture, driven by ongoing education and clear accountability, is essential to transforming defensive capabilities from a capability into a sustainable practice. Training must be practical, relevant, and continuously refreshed to reflect evolving attack patterns. The best training programs blend theoretical learning with hands-on simulations, enabling staff to experience a realistic sense of threat and to respond promptly and correctly when confronted with suspicious emails, unusual prompts, or unexpected login attempts. In parallel, leadership must endorse and support security initiatives with clear budgets, transparent governance structures, and a demonstrated commitment to protecting patient data integrity and overall clinical operations.

Takeaways and Roadmaps: Building a Resilient Healthcare Cybersecurity Posture

The overarching takeaway from 2021 into 2022 is that zero-trust network access should form the foundational architecture for any healthcare cybersecurity strategy. A properly designed ZTNA framework enables secure access across diverse endpoints and treatment locations, ensuring that every user and device is continuously evaluated for compliance, identity integrity, and risk posture. The five recommendations from healthcare CISOs and CIOs presented here serve as a practical starting point for organizations seeking to establish a robust ZTNA-driven security program, with the understanding that additional layers of protection will be required to address evolving threats.

  • Establish a scalable ZTNA framework that scales with the business model and supports HIPAA requirements in a way that is auditable, transparent, and automatable. Avoid dependency on bundled solutions that pose audit complexities or rigid workflows. A modern framework should incorporate automated audit workflows and enable validation of patient data integrity through self-healing endpoint security technologies. The goal is to create a secure foundation that can expand as the organization grows and evolves.

  • Build a robust IAM strategy that extends beyond a single facility to encompass the entire network of facilities, partners, and suppliers. Seek integrated IAM options that come with ZTNA and endpoint security features rather than treating IAM as a separate, expensive add-on. In choosing a platform, look for capabilities that support rapid onboarding of new identities—human and machine alike—and that can adapt to the complex realities of healthcare networks, including cross-organization collaboration, telehealth workflows, and remote care models.

  • Deploy MFA across all accounts relevant to patient care and organization operations. MFA isn’t optional; it is a foundational control that significantly raises the bar against credential-based breaches. Ensure MFA coverage includes patients who access patient portals, clinicians who interact with clinical systems, staff who manage patient information, and external partners who have access to critical data.

  • Invest in practical training and user-focused security education. Recognize that training alone cannot stop breaches, but it remains a critical component of a multi-layered defense. Combine training with technical controls like RBI and strong IAM practices to close gaps that others might overlook. The training should be pragmatic, scenario-driven, and aligned with real-world phishing and social engineering tactics that attackers are likely to deploy against healthcare organizations.

  • Integrate cybersecurity into the M&A lifecycle from the outset. Security due diligence should be a core component of deal structuring, and post-merger integration plans should explicitly allocate resources for secure consolidation, risk remediation, and workforce training. By weaving cybersecurity into the fabric of mergers and acquisitions, organizations can prevent the emergence of blind spots and reduce the risk of insider threats during transitions.

  • Embrace a multi-layered security approach that extends beyond people and processes to include advanced technology. RBI, IAM, ZTNA, network segmentation, and continuous monitoring should be implemented in a cohesive manner so that the organization benefits from a defense-in-depth posture. Regular risk assessments, threat intelligence feeds, and proactive vulnerability management will support faster detection, containment, and recovery when incidents occur, enabling health care providers to maintain patient safety and care continuity.

A practical note on implementation and governance

Implementing these recommendations requires careful governance, resource planning, and a clear schedule. Organizations should begin with a risk-based prioritization exercise to identify the most critical assets, data flows, and access paths. This prioritization informs the design of the ZTNA framework, IAM roles, and MFA rollout plan to maximize impact while minimizing disruption to patient care. A phased, measurable approach—coupled with executive sponsorship and cross-functional collaboration—helps ensure that security improvements translate into tangible reductions in risk and more resilient clinical operations.

Mergers, Acquisitions, and Cybersecurity: Coordinating Transitions for Safer Outcomes

Healthcare mergers and acquisitions are accelerating, driven by the desire to expand capabilities, broaden patient access, and achieve operational efficiencies. In this context, cybersecurity planning cannot be treated as an afterthought or a mere compliance exercise. Instead, it must be embedded into every phase of the merger or acquisition lifecycle—from due diligence through integration to post-closure optimization. Without proactive cybersecurity alignment, mergers can create structural vulnerabilities, expose sensitive data to new risk surfaces, and introduce governance gaps that increase the likelihood of insider threats or misconfigurations.

A well-structured integration plan prioritizes security architecture standardization, identity federation, and the harmonization of endpoint management policies across the merged entities. It also emphasizes cross-organizational incident response readiness, shared threat intelligence, and consistent backup and disaster recovery strategies. When cybersecurity planning is funded as part of the transaction, organizations are better positioned to manage the cost of security upgrades, ensure adequate staffing, and maintain ongoing training for staff across the combined enterprise.

In practice, this means establishing common security baselines, aligning data governance practices, and implementing unified access controls that reflect the merged organization’s risk tolerance and regulatory obligations. It also means conducting comprehensive risk assessments to identify potential insider risk scenarios and ensuring that governance structures support rapid decision-making in the event of a breach. By integrating security considerations at every step of the M&A process, health care organizations can reduce exposure to cyber threats and safeguard patient data across evolving organizational boundaries.

The Takeaways: Building a Resilient, Future-Ready Healthcare Cybersecurity Program

From the experiences of 2021 and the strategic priorities anticipated for 2022 and beyond, several core themes define a resilient healthcare cybersecurity program:

  • Zero-trust network access should serve as the foundation for securing every endpoint, regardless of location or device type. A true zero-trust approach requires continuous verification of identities, conditional access policies, and robust device health checks that travel with users across the network to uphold a consistent security posture.

  • A comprehensive, multi-layered security strategy must combine technical controls with human factors. RBI, IAM, ZTNA, MFA, endpoint protection, and secure by design application architectures should be integrated and aligned with a mature training program that evolves with threat intelligence and user behavior.

  • Mergers and acquisitions require proactive cybersecurity planning and budget allocation. Security considerations should be embedded in the deal framework, ensuring ongoing risk remediation and workforce training as a core component of post-merger integration, not a later add-on.

  • The threat landscape is dynamic, and defense strategies must evolve accordingly. Organizations should establish ongoing risk assessments, incident response drills, and continuous improvements to architectures and processes. This includes maintaining awareness of new attack vectors, such as targeted phishing campaigns, supply chain compromises, and the abuse of legitimate remote access channels.

  • Data protection remains essential. Protecting PHI and patient data integrity requires strong identity and access controls, encryption where appropriate, robust data loss prevention measures, and secure backup strategies designed to withstand ransomware scenarios. Ensuring data availability and recoverability is a critical component of patient safety and clinical operations continuity.

  • Training and culture are inseparable from technology. A security-aware workforce reduces risk by recognizing phishing attempts, suspicious activity, and social engineering cues. This requires ongoing engagement, practical training, and leadership commitment to embedding security into daily workflows.

  • Continuous improvement and measurement are essential. Organizations should establish clear metrics for security program maturity, such as the rate of MFA adoption, the percentage of devices enrolled in UEM, incident response containment times, and the success rate of phishing simulations. These metrics guide governance decisions and justify security investments to executives and boards.

The Road Ahead: Outlook for Healthcare Cybersecurity

Looking forward, the healthcare sector is likely to continue its trajectory toward more sophisticated, integrated defense ecosystems. The expansion of remote care, telemedicine, and cloud-based health platforms will necessitate stronger identity management, more granular access controls, and more resilient data protection strategies. The zero-trust paradigm will become not simply a best practice but a foundational architectural principle that shapes the design, deployment, and operation of health information systems. In parallel, healthcare organizations will need to balance the demands of security with the imperative to deliver safe, timely, patient-centered care, particularly in the context of ongoing public health challenges and resource constraints.

The collaboration between clinical leadership and cybersecurity teams will be pivotal for translating technical measures into practical protections that support patient outcomes. As threat actors continue to refine their tools and tactics, health care providers must maintain a vigilant posture—investing in people, processes, and technologies that align with regulatory requirements, clinical workflows, and the realities of modern care delivery. The lessons of 2021, reinforced by forward-looking plans for 2022 and beyond, point to a disciplined approach that emphasizes prevention, rapid detection, and effective response as the cornerstones of a safer health care ecosystem.

Conclusion

In 2021, health care emerged as a prime target for cybercrime, with breaches and ransomware campaigns reshaping the risk landscape for the sector. The allure of high-value PHI, the appeal of affiliate-driven ransomware networks, and the growing sophistication of attack techniques combined to push health care cybersecurity to the forefront of boardroom conversations and strategic planning. The observed patterns—phishing-driven initial access, magnitude-focused mega-breaches, and the outsized financial consequences—highlighted the critical need for comprehensive, scalable security architectures that can withstand both current threats and evolving future risks.

Looking ahead, the emphasis on zero-trust principles, strengthened IAM, MFA deployment, and robust endpoint strategies formed the backbone of a more resilient defense posture. Health care organizations recognized that technology alone cannot shield them from risk; a culture of security, proactive governance, and careful integration of cybersecurity into strategic initiatives—especially during mergers and acquisitions—are essential to sustaining patient safety, trust, and continuity of care. As the sector continues its transformation, the cadence of risk management must rise in tandem with the pace of innovation, ensuring that the benefits of digital health initiatives are not overshadowed by the consequences of cyber threats. The path forward requires unwavering leadership, disciplined planning, and a relentless commitment to protecting the integrity and confidentiality of health information across the entire care delivery ecosystem.

Tennis