TRIMEDX Senior Vice President of Cybersecurity Scott Trevino contributed an article to 24x7 Magazine, outlining why incident response planning must be a top priority for health care organizations, and how proactive preparation can reduce risk, strengthen resilience, and protect patient care in an increasingly complex threat landscape.
Despite the rising number of cyberattacks on health systems, too many organizations remain unprepared for cyber incidents, with 37% lacking a cybersecurity incident response playbook. Without clear reporting structures or regularly reviewed plans, hospitals risk confusion and costly delays when an attack occurs.
Developing and rehearsing an incident response plan tailored to the individual health system can dramatically reduce the financial and operational impact of a breach. As cyberthreats grow more frequent and more disruptive, the absence of proactive planning puts operations, finances, and patient safety at risk.
Health care is uniquely vulnerable to cyber incidents
Health care has seen a 164% increase in cyberattacks since 2021, with organizations facing more than 2,000 each week. Bad actors focus on the healthcare industry for a variety of reasons, including its high-value data, operational urgency, large attack surfaces, and legacy IT systems.
The cyber-risk is amplified by increasingly connected technologies that enable modern care delivery. More than half of connected medical devices have known critical vulnerabilities. While health systems rely on these devices to provide care, they are operating with limited cybersecurity staffing, fragmented ownership between IT and clinical engineering, and constant pressure to keep systems online for patient care.
Without a clear cybersecurity incident response plan, even a localized event can quickly escalate into a broader, costly operational disruption.
The cost of being unprepared when an incident occurs
The difference between a contained incident and a prolonged crisis often comes down to preparation. A well-designed incident response plan gives healthcare organizations a clear path forward when a breach occurs. This ensures IT, clinical engineering, security, and leadership teams can quickly coordinate containment and recovery efforts without compromising patient care. Instead of reacting in real time, which creates confusion and delays, health systems with a rehearsed response plan can act decisively—limiting disruption, speeding up recovery, and reducing overall impact. When systems go offline, the financial impact extends beyond remediation costs to lost procedures, delayed services, reduced throughput, and reputational damage. Health systems with an incident response plan and team in place can reduce the cost of a security incident by nearly $1 million per breach.
Key elements of an incident response plan
Incident response planning is most effective when it is treated not as a standalone document, but as a core component of the broader cybersecurity strategy. Preparation and planning set the foundation. Organizations should focus on training, obtaining the right tools, and gathering resources to prevent incidents through risk assessments and implementing risk treatment plans. Health systems should consider working with a partner who offers specialized response teams and tailored strategies to fit the organization’s unique needs. It’s also critical for health systems to monitor networks, connected medical devices, and IoT devices using both technology and well-defined processes. This will strengthen the effectiveness of their incident response plan.
A well-designed incident response plan clearly defines escalation paths, decision-making authority, and cross-functional coordination among IT, security, clinical engineering, clinical teams, and leadership. This plan should focus on containment, eradication, and recovery, aiming to prevent the incident from spreading and causing further damage. Best practices include timely response, detailed analysis, effective patch management, and continuous monitoring to ensure threats are fully eliminated.
Rehearsal and ongoing review are critical
Even the most thoughtfully designed incident response plan will fall short if it is not regularly reviewed and rehearsed. Healthcare environments change constantly through staff turnover, technology upgrades, new medical devices, and evolving threats—including artificial intelligence tools making it faster and easier for cybercriminals to launch attacks. These changes can render an outdated plan ineffective. Regular reviews and scenario-based exercises help ensure everyone understands their role, allowing organizations to respond with confidence rather than hesitation when a real incident occurs.
Sustained incident response readiness also requires strong leadership and governance. Too often, cybersecurity responsibilities are fragmented across IT, clinical engineering, and security teams, with limited executive‑level oversight. Incident response planning must be treated as an enterprise priority—owned, supported, and reinforced by leadership—to ensure accountability and alignment across the organization. When executives are engaged and response ownership is clearly defined, health systems are better positioned to close preparedness gaps, coordinate effectively during an incident, and strengthen resilience over time.
• • •
Cyber threats in health care will continue to evolve, but the damage they cause is not inevitable. When cyber incidents are met with confusion and delay, the ripple effects include canceled procedures, diverted patients, and prolonged system outages. Health systems that invest in building, reviewing, and rehearsing incident response plans are far better positioned to protect patient care, maintain operations, and preserve revenue during disruptive events. While preparation does not eliminate risk, it significantly limits both operational and financial harm.